diff options
| author | Alexandru Croitor <alexandru.croitor@qt.io> | 2019-01-17 17:46:08 +0100 |
|---|---|---|
| committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2021-10-04 10:21:11 +0200 |
| commit | a58f25b9dc95659fdf10626f22738bc57c889c3e (patch) | |
| tree | 7f54e5372ad18adf1312ace59d7b9c4d1b59f926 | |
| parent | 905adcb95ffcec3de94e30843c15fe001e9d9118 (diff) | |
| download | qtwebengine-chromium-a58f25b9dc95659fdf10626f22738bc57c889c3e.tar.gz | |
Pass Qt Prefix path to the macOS V2 Seatbelt Sandbox
The render process requires access to the Qt resources directory
(for ICU data files for example).
Pass the Qt prefix path to the sandbox rules, to allow file read
access.
Change-Id: I2364ef4711d225aae2d14da78e33c609f4f8b5bd
Fixes: QTBUG-73089
Reviewed-by: Peter Varga <pvarga@inf.u-szeged.hu>
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
| -rw-r--r-- | chromium/content/browser/sandbox_parameters_mac.mm | 15 | ||||
| -rw-r--r-- | chromium/sandbox/policy/mac/common.sb | 4 |
2 files changed, 19 insertions, 0 deletions
diff --git a/chromium/content/browser/sandbox_parameters_mac.mm b/chromium/content/browser/sandbox_parameters_mac.mm index a3c412f3656..d81655e10ac 100644 --- a/chromium/content/browser/sandbox_parameters_mac.mm +++ b/chromium/content/browser/sandbox_parameters_mac.mm @@ -38,6 +38,10 @@ namespace content { +#if defined(TOOLKIT_QT) +std::string getQtPrefix(); +#endif + namespace { absl::optional<base::FilePath>& GetNetworkTestCertsDirectory() { @@ -88,6 +92,7 @@ void AddDarwinDirs(sandbox::SeatbeltExecClient* client) { // All of the below functions populate the |client| with the parameters that the // sandbox needs to resolve information that cannot be known at build time, such // as the user's home directory. + void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) { const base::CommandLine* command_line = base::CommandLine::ForCurrentProcess(); @@ -126,6 +131,16 @@ void SetupCommonSandboxParameters(sandbox::SeatbeltExecClient* client) { CHECK(client->SetParameter(sandbox::policy::kParamOsVersion, GetOSVersion())); +#if defined(TOOLKIT_QT) + // Allow read access to files under the Qt Prefix. + const std::string qt_prefix_path_string = getQtPrefix(); + const base::FilePath qt_prefix_path = base::FilePath(qt_prefix_path_string); + const std::string qt_prefix_path_canonical = + sandbox::policy::GetCanonicalPath(qt_prefix_path).value(); + CHECK(client->SetParameter(sandbox::policy::kParamQtPrefixPath, + qt_prefix_path_canonical)); +#endif + std::string homedir = sandbox::policy::GetCanonicalPath(base::GetHomeDir()).value(); CHECK(client->SetParameter(sandbox::policy::kParamHomedirAsLiteral, homedir)); diff --git a/chromium/sandbox/policy/mac/common.sb b/chromium/sandbox/policy/mac/common.sb index 84c7e99b329..d91108341bf 100644 --- a/chromium/sandbox/policy/mac/common.sb +++ b/chromium/sandbox/policy/mac/common.sb @@ -14,6 +14,7 @@ (define bundle-id "BUNDLE_ID") (define bundle-path "BUNDLE_PATH") (define component-path "COMPONENT_PATH") +(define qt-prefix-path "QT_PREFIX_PATH") (define current-pid "CURRENT_PID") (define disable-sandbox-denial-logging "DISABLE_SANDBOX_DENIAL_LOGGING") (define enable-logging "ENABLE_LOGGING") @@ -91,6 +92,9 @@ (if (param-defined? component-path) (allow file-read* (subpath (param component-path)))) +(if (param-defined? qt-prefix-path) + (allow file-read* (subpath (param qt-prefix-path)))) + (allow process-exec (path (param executable-path))) (allow file-read* (path (param executable-path))) |