WebKit Bugzilla
RESOLVED FIXED
197844
Correct the sandbox to allow loading libraries from /Library/Apple
https://bugs.webkit.org/show_bug.cgi?id=197844
Brent Fulgham
Reported
2019-05-13 10:11:12 PDT
Some InjectedBundles need to load libraries from "/Library/Apple", which is not allowed by default. Revise the sandbox to support this additional location for frameworks.
Attachments
Patch (1.91 KB, patch), 2019-05-13 10:13 PDT, Brent Fulgham, no flags
Brent Fulgham
Comment 1
2019-05-13 10:13:11 PDT
Created attachment 369744: Patch
Brent Fulgham
Comment 2
2019-05-13 10:17:17 PDT
<rdar://problem/50727815>
Per Arne Vollan
Comment 3
2019-05-13 10:27:46 PDT
Comment on attachment 369744: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=369744&action=review
R=me.
> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:43 > (allow file-read* > (require-all (file-mode #o0004) > (require-any (subpath "/Library/Filesystems/NetFSPlugins") > + (subpath "/Library/Apple/System")
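Review bot: the new `(subpath "/Library/Apple/System")` entry in the `file-read*` rule at line 43 opens the whole subtree to reads, while the `file-map-executable` rule added further down in this patch is limited to `/Library/Apple/System/Library/Frameworks` and `/Library/Apple/System/Library/PrivateFrameworks`. If only frameworks need to be loaded from there, consider narrowing the read entry to those two directories, or add a `;;;` comment saying why the broader subtree has to be readable.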
Is this only needed for the injected bundle? If that is the case, maybe we could issue an extension? I don't think this is required now, and could be done in a followup patch.
> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:63 > +;;; Allow mapping of system frameworks + dylibs > +(allow file-map-executable > + (subpath "/Library/Apple/System/Library/Frameworks") > + (subpath "/Library/Apple/System/Library/PrivateFrameworks") > + (subpath "/System/Library/Frameworks") > + (subpath "/System/Library/PrivateFrameworks") > + (subpath "/usr/lib")
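Review bot: the `;;; Allow mapping of system frameworks + dylibs` comment at line 63 does not say what this `allow file-map-executable` rule is meant to override; no `deny file-map-executable` appears in the visible lines, so a reader cannot tell whether the list is enforced. Extend the comment to state that the allow list is in place ahead of a deny on executable mapping, and note that `(subpath "/usr/lib")` is the one entry that is not a framework directory, so it is clear that it is intended.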
Ditto.
Brent Fulgham
Comment 4
2019-05-13 10:44:47 PDT
Comment on attachment 369744: Patch
View in context: https://bugs.webkit.org/attachment.cgi?id=369744&action=review
>> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:43 >> + (subpath "/Library/Apple/System") > > Is this only needed for the injected bundle? If that is the case, maybe we could issue an extension? I don't think this is required now, and could be done in a followup patch.
After reviewing things further, I think we should just treat this as another canonical location where system frameworks might live. It's not specific to injected bundles.
>> Source/WebKit/WebProcess/com.apple.WebProcess.sb.in:63 >> + (subpath "/usr/lib") > > Ditto.
This section might not be needed (yet), because we don't prohibit file mapping. But having this here will allow us to flip on that protection in a future patch.
WebKit Commit Bot
Comment 5
2019-05-13 12:53:50 PDT
Comment on attachment 369744: Patch
Clearing flags on attachment: 369744
Committed r245246: <https://trac.webkit.org/changeset/245246>
WebKit Commit Bot
Comment 6
2019-05-13 12:53:51 PDT
All reviewed patches have been landed. Closing bug.