From ddee67cbde078fa816236629260ad813b279a0f4 Mon Sep 17 00:00:00 2001
From: Rintaro Ishizaki
Date: Mon, 27 Feb 2023 14:39:40 -0800
Subject: [PATCH] [Macros] Update executable plugin sandbox profile to prohibit file-read

Except for dylibs.
---
 lib/Basic/Sandbox.cpp | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/lib/Basic/Sandbox.cpp b/lib/Basic/Sandbox.cpp
index 8a71715e4c343..3249b2f38a191 100644
--- a/lib/Basic/Sandbox.cpp
+++ b/lib/Basic/Sandbox.cpp
@@ -21,8 +21,11 @@ static StringRef sandboxProfile(llvm::BumpPtrAllocator &Alloc) {
   // Import the system sandbox profile.
   contents += "(import \"system.sb\")\n";
 
-  // Allow reading all files, we need to read various system files.
-  contents += "(allow file-read*)\n";
+  // Allow reading file metadata of any files.
+  contents += "(allow file-read-metadata)\n";
+
+  // Allow reading dylibs.
+  contents += "(allow file-read* (regex #\"\\.dylib$\"))\n";
 
   // This is required to launch any processes (execve(2)).
   contents += "(allow process-exec*)\n";
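Review bot: The new `(allow file-read* (regex #"\.dylib$"))` rule is keyed on a filename suffix rather than a location, so the plugin keeps full read access to any file anywhere on disk whose path ends in `.dylib` (including ones outside the toolchain or dyld search paths), and the comment "Allow reading dylibs" does not make that scope visible. If the set of library directories the plugin actually needs is known, a `subpath`-scoped filter (toolchain lib dir, `/usr/lib`, `/System/Library`) would express the intent more tightly; if it is not, the comment should at least say `// Allow reading any file named *.dylib, wherever it lives; dyld needs this to load the plugin's dependencies.` so the next reader does not assume it is path-restricted. The unconditional `(allow file-read-metadata)` also still lets a plugin stat arbitrary paths and learn what exists on the host, which may be acceptable for the macro use case but is worth a one-line comment stating that existence/size/mtime of any file remain observable. Note too that `system.sb`, imported just above, presumably carries its own read allowances for system paths, so "prohibit file-read" in the subject holds only for paths outside what that profile already grants — confirm against the macOS profile in use. The enclosing `sandboxProfile` body begins before and continues after this hunk.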