[Libreoffice-commits] core.git: Branch 'distro/collabora/cp-4.2' - sal/Library_sal.mk sal/osl
Tor Lillqvist
tml at collabora.com
Mon Aug 25 21:41:42 PDT 2014
sal/Library_sal.mk | 1 +
sal/osl/unx/uunxapi.cxx | 39 +++++++++++++++++++++++++++++++++++----
2 files changed, 36 insertions(+), 4 deletions(-)
New commits:
commit fd85a9b29aab8e64389008a8055862ffc586d8a8
Author: Tor Lillqvist <tml at collabora.com>
Date: Fri Aug 15 01:39:49 2014 +0300
Don't do the security scope bookmark dance if not in a sandboxed process
No point in doing it in build-time tools like cppumaker which don't
run as sandboxed processes. Just slows them down a lot, while cfprefsd
consumes lots of CPU doing user preference lookups in vain for every
file accessed through the uunxapi functions.
Change-Id: I83e55a8e8d0c4f2c60c60ecad2c831e42c9e5bfd
diff --git a/sal/Library_sal.mk b/sal/Library_sal.mk
index cbc52a7..0df609d 100644
--- a/sal/Library_sal.mk
+++ b/sal/Library_sal.mk
@@ -80,6 +80,7 @@ $(eval $(call gb_Library_use_system_darwin_frameworks,sal,\
Carbon \
CoreFoundation \
Foundation \
+ $(if $(ENABLE_MACOSX_SANDBOX),Security) \
))
endif
diff --git a/sal/osl/unx/uunxapi.cxx b/sal/osl/unx/uunxapi.cxx
index a9f3c5f..4be32da 100644
--- a/sal/osl/unx/uunxapi.cxx
+++ b/sal/osl/unx/uunxapi.cxx
@@ -37,11 +37,36 @@ inline rtl::OString OUStringToOString(const rtl_uString* s)
#if defined(MACOSX) && MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 && HAVE_FEATURE_MACOSX_SANDBOX
+#include <Foundation/Foundation.h>
+#include <Security/Security.h>
+#include <mach-o/dyld.h>
+
static NSUserDefaults *userDefaults = NULL;
+static bool isSandboxed = false;
-static void get_user_defaults()
+static void do_once()
{
- userDefaults = [NSUserDefaults standardUserDefaults];
+ SecCodeRef code;
+ OSStatus rc = SecCodeCopySelf(kSecCSDefaultFlags, &code);
+
+ SecStaticCodeRef staticCode;
+ if (rc == errSecSuccess)
+ rc = SecCodeCopyStaticCode(code, kSecCSDefaultFlags, &staticCode);
+
+ CFDictionaryRef signingInformation;
+ if (rc == errSecSuccess)
+ rc = SecCodeCopySigningInformation(staticCode, kSecCSRequirementInformation, &signingInformation);
+
+ CFDictionaryRef entitlements = NULL;
+ if (rc == errSecSuccess)
+ entitlements = (CFDictionaryRef) CFDictionaryGetValue(signingInformation, kSecCodeInfoEntitlementsDict);
+
+ if (entitlements != NULL)
+ if (CFDictionaryGetValue(entitlements, CFSTR("com.apple.security.app-sandbox")) != NULL)
+ isSandboxed = true;
+
+ if (isSandboxed)
+ userDefaults = [NSUserDefaults standardUserDefaults];
}
typedef struct {
@@ -53,12 +78,15 @@ static accessFilePathState *
prepare_to_access_file_path( const char *cpFilePath )
{
static pthread_once_t once = PTHREAD_ONCE_INIT;
- pthread_once(&once, &get_user_defaults);
+ pthread_once(&once, &do_once);
NSURL *fileURL = nil;
NSData *data = nil;
BOOL stale;
accessFilePathState *state;
+ if (!isSandboxed)
+ return NULL;
+
// If malloc() fails we are screwed anyway
state = (accessFilePathState*) malloc(sizeof(accessFilePathState));
@@ -86,6 +114,9 @@ prepare_to_access_file_path( const char *cpFilePath )
static void
done_accessing_file_path( const char * /*cpFilePath*/, accessFilePathState *state )
{
+ if (!isSandboxed)
+ return;
+
int saved_errno = errno;
if (state->scopeURL != nil)
@@ -263,7 +294,7 @@ int open_c(const char *cpPath, int oflag, int mode)
int result = open(cpPath, oflag, mode);
#if defined(MACOSX) && MAC_OS_X_VERSION_MIN_REQUIRED >= 1070 && HAVE_FEATURE_MACOSX_SANDBOX
- if (result != -1 && (oflag & O_CREAT) && (oflag & O_EXCL))
+ if (isSandboxed && result != -1 && (oflag & O_CREAT) && (oflag & O_EXCL))
{
// A new file was created. Check if it is outside the sandbox.
// (In that case it must be one the user selected as export or
More information about the Libreoffice-commits
mailing list