content/common/sandbox_mac.mm - Issue 469383002: Fix Mac sandbox meta data access (reland)

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Unified Diff: content/common/sandbox_mac.mm

Issue 469383002: Fix Mac sandbox meta data access (reland) (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master

Patch Set: Typo fix Created 6 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View side-by-side diff with in-line comments

Download patch

Index: content/common/sandbox_mac.mm

diff --git a/content/common/sandbox_mac.mm b/content/common/sandbox_mac.mm

index c7c126594aec3fb2abae774f3359e9a3a1b83c81..8b4dfe3f5f3f24394c4fdb1a3951e2e38a8f5e2e 100644

--- a/content/common/sandbox_mac.mm

+++ b/content/common/sandbox_mac.mm

@@ -114,12 +114,14 @@ NSString* Sandbox::AllowMetadataForPath(const base::FilePath& allowed_path) {

// Collect a list of all parent directories.

base::FilePath last_path = allowed_path;

std::vector<base::FilePath> subpaths;

- for (base::FilePath path = allowed_path;

- path.value() != last_path.value();

- path = path.DirName()) {

+ base::FilePath path = allowed_path;

+ do {

subpaths.push_back(path);

last_path = path;

- }

+ path = path.DirName();

+ } while (path.value() != last_path.value());

// Iterate through all parents and allow stat() on them explicitly.

NSString* sandbox_command = @"(allow file-read-metadata ";

@@ -570,6 +572,22 @@ bool Sandbox::EnableSandbox(int sandbox_type,

[base::mac::MainBundle() executablePath]);

NSString* sandbox_command = AllowMetadataForPath(

GetCanonicalSandboxPath(bundle_executable));

+ // In addition to the workaround above, for OS X <= 10.6 we also need to

+ // allow reading file metadata for all the dylibs under the same directory

+ // containing the Chrome bundle. It requires to go 5 levels up from main

+ // bundle path because the main bundle here is the Helper.app bundle.

+ base::FilePath product_path = base::mac::MainBundlePath()

+ .DirName()

+ .DirName();

+ sandbox_command = [sandbox_command

+ stringByAppendingFormat:

+ @"(allow file-read-metadata (regex #\"^%@/.*\\.dylib$\"))",

+ base::mac::FilePathToNSString(product_path)];

substitutions["COMPONENT_BUILD_WORKAROUND"] =

SandboxSubstring(base::SysNSStringToUTF8(sandbox_command));

}

« no previous file with comments | « content/common/sandbox_mac.h ('k') | content/common/sandbox_mac_diraccess_unittest.mm » ('j') | no next file with comments »