Bug 1369764 - in the macOS sandbox, allow reads from .app/Contents/; r?haik
This permits NSS to load libsoftokn3.dylib even when access to the rest of the
file system is removed (as is the goal for content sandbox level 3).
This is needed for WebCrypto.
MozReview-Commit-ID: Bh54b87zIjY
--- a/dom/ipc/ContentChild.cpp
+++ b/dom/ipc/ContentChild.cpp
@@ -1276,34 +1276,42 @@ GetAppPaths(nsCString &aAppPath, nsCStri
return false;
}
bool exists;
rv = appDir->Exists(&exists);
if (NS_FAILED(rv) || !exists) {
return false;
}
+ // appDir points to .app/Contents/Resources, for our purposes we want
+ // .app/Contents.
+ nsCOMPtr<nsIFile> appDirParent;
+ rv = appDir->GetParent(getter_AddRefs(appDirParent));
+ if (NS_FAILED(rv)) {
+ return false;
+ }
+
bool isLink;
app->IsSymlink(&isLink);
if (isLink) {
app->GetNativeTarget(aAppPath);
} else {
app->GetNativePath(aAppPath);
}
appBinary->IsSymlink(&isLink);
if (isLink) {
appBinary->GetNativeTarget(aAppBinaryPath);
} else {
appBinary->GetNativePath(aAppBinaryPath);
}
- appDir->IsSymlink(&isLink);
+ appDirParent->IsSymlink(&isLink);
if (isLink) {
- appDir->GetNativeTarget(aAppDir);
+ appDirParent->GetNativeTarget(aAppDir);
} else {
- appDir->GetNativePath(aAppDir);
+ appDirParent->GetNativePath(aAppDir);
}
return true;
}
// Returns whether or not the currently running build is a development build -
// where development build means "the files in the .app are symlinks to the src
// directory". This check is implemented by looking for omni.ja in
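Review bot: `appDirParent` is dereferenced at `appDirParent->IsSymlink(&isLink)` after only an `NS_FAILED(rv)` check, but nsIFile documents `parent` as null at the top of a volume, so a success code does not guarantee a non-null pointer; the guard should read `if (NS_FAILED(rv) || !appDirParent) {`. The added comment also asserts that appDir is .app/Contents/Resources without verifying it, and since `aAppDir` presumably feeds the sandbox read allowance described in the commit message, an unexpected bundle layout would quietly widen that allowance to whatever the parent directory happens to be. Checking that the parent's leaf name is `Contents`, or documenting why that always holds, would keep the rule as narrow as intended. The results of `IsSymlink`, `GetNativeTarget` and `GetNativePath` are ignored here as in the surrounding code, so a failure can leave `aAppDir` empty while the function still returns true. GetAppPaths begins outside the hunk, so how `appDir` is obtained is not visible from here.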