Pass Qt Prefix path to the macOS V2 Seatbelt Sandbox

The render process requires access to the Qt resources directory (for ICU data files for example). Pass the Qt prefix path to the sandbox rules, to allow file read access. Change-Id: I2364ef4711d225aae2d14da78e33c609f4f8b5bd Fixes: QTBUG-73089 Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu> Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
author: Alexandru Croitor <alexandru.croitor@qt.io> 2019-01-17 17:46:08 +0100
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2019-01-23 09:24:38 +0000
commit: dc2a429c4dfccb045a0b2313bc3440852349bffa (patch)
tree: 027032e9341c6eb6800311eda13db7850caa83bc
parent: 16b9b8615d5950edf08658dbb9647c3ee12bedf7 (diff)
download: qtwebengine-chromium-dc2a429c4dfccb045a0b2313bc3440852349bffa.tar.gz
4 files changed, 24 insertions, 0 deletions
diff --git a/chromium/content/browser/sandbox_parameters_mac.mm b/chromium/content/browser/sandbox_parameters_mac.mm
index a9227b8e010..350fa77fa5e 100644
--- a/chromium/content/browser/sandbox_parameters_mac.mm
+++ b/chromium/content/browser/sandbox_parameters_mac.mm
@@ -46,6 +46,10 @@ std::string GetOSVersion() {
 
 }  // namespace
 
+#if defined(TOOLKIT_QT)
+std::string getQtPrefix();
+#endif
+
 void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) {
   const base::CommandLine* command_line =
       base::CommandLine::ForCurrentProcess();
@@ -87,6 +91,16 @@ void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) {
                              component_path_canonical));
 #endif
 
+#if defined(TOOLKIT_QT)
+  // Allow read access to files under the Qt Prefix.
+  const std::string qt_prefix_path_string = getQtPrefix();
+  const base::FilePath qt_prefix_path = base::FilePath(qt_prefix_path_string);
+  const std::string qt_prefix_path_canonical =
+      service_manager::SandboxMac::GetCanonicalPath(qt_prefix_path).value();
+  CHECK(client->SetParameter(service_manager::SandboxMac::kSandboxQtPrefixPath,
+                             qt_prefix_path_canonical));
+#endif
+
   CHECK(client->SetParameter(service_manager::SandboxMac::kSandboxOSVersion,
                              GetOSVersion()));
 
diff --git a/chromium/services/service_manager/sandbox/mac/common_v2.sb b/chromium/services/service_manager/sandbox/mac/common_v2.sb
index 9ce0a10abde..da5148758e1 100644
--- a/chromium/services/service_manager/sandbox/mac/common_v2.sb
+++ b/chromium/services/service_manager/sandbox/mac/common_v2.sb
@@ -14,6 +14,7 @@
 (define bundle-id "BUNDLE_ID")
 (define bundle-path "BUNDLE_PATH")
 (define component-path "COMPONENT_PATH")
+(define qt-prefix-path "QT_PREFIX_PATH")
 (define current-pid "CURRENT_PID")
 (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING")
 (define enable-logging "ENABLE_LOGGING")
@@ -71,6 +72,9 @@
 (if (param-defined? component-path)
   (allow file-read* (subpath (param component-path))))
 
+(if (param-defined? qt-prefix-path)
+  (allow file-read* (subpath (param qt-prefix-path))))
+
 (allow process-exec (path (param executable-path)))
 (allow file-read* (path (param executable-path)))
 
diff --git a/chromium/services/service_manager/sandbox/mac/sandbox_mac.h b/chromium/services/service_manager/sandbox/mac/sandbox_mac.h
index 31df9dd578e..5ab15b674a4 100644
--- a/chromium/services/service_manager/sandbox/mac/sandbox_mac.h
+++ b/chromium/services/service_manager/sandbox/mac/sandbox_mac.h
@@ -45,6 +45,9 @@ class SERVICE_MANAGER_SANDBOX_EXPORT SandboxMac {
   static const char* kSandboxBundlePath;
   static const char* kSandboxChromeBundleId;
   static const char* kSandboxComponentPath;
+#if defined(TOOLKIT_QT)
+  static const char* kSandboxQtPrefixPath;
+#endif
   static const char* kSandboxDisableDenialLogging;
   static const char* kSandboxEnableLogging;
   static const char* kSandboxHomedirAsLiteral;
diff --git a/chromium/services/service_manager/sandbox/mac/sandbox_mac.mm b/chromium/services/service_manager/sandbox/mac/sandbox_mac.mm
index eb01a0abddb..fef4c5360ae 100644
--- a/chromium/services/service_manager/sandbox/mac/sandbox_mac.mm
+++ b/chromium/services/service_manager/sandbox/mac/sandbox_mac.mm
@@ -88,6 +88,9 @@ const char* SandboxMac::kSandboxBrowserPID = "BROWSER_PID";
 const char* SandboxMac::kSandboxBundlePath = "BUNDLE_PATH";
 const char* SandboxMac::kSandboxChromeBundleId = "BUNDLE_ID";
 const char* SandboxMac::kSandboxComponentPath = "COMPONENT_PATH";
+#if defined(TOOLKIT_QT)
+const char* SandboxMac::kSandboxQtPrefixPath = "QT_PREFIX_PATH";
+#endif
 const char* SandboxMac::kSandboxDisableDenialLogging =
     "DISABLE_SANDBOX_DENIAL_LOGGING";
 const char* SandboxMac::kSandboxEnableLogging = "ENABLE_LOGGING";
author	Alexandru Croitor <alexandru.croitor@qt.io>	2019-01-17 17:46:08 +0100
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2019-01-23 09:24:38 +0000
commit	dc2a429c4dfccb045a0b2313bc3440852349bffa (patch)
tree	027032e9341c6eb6800311eda13db7850caa83bc
parent	16b9b8615d5950edf08658dbb9647c3ee12bedf7 (diff)
download	qtwebengine-chromium-dc2a429c4dfccb045a0b2313bc3440852349bffa.tar.gz