Fix sandbox on framework builds

On framework build we use bundle to get qt path. If build time bundle is picked than build path should be allowed file access. Moreover we really should be able only to access bundle path and not prefix path as resources and locales are in the webenginecore bundle. Fixes: QTBUG-104049 Change-Id: Ic7d49ddf9c31dce52f59b38a75d558c875f15dae Reviewed-by: Alexandru Croitor <alexandru.croitor@qt.io> (cherry picked from commit 62484d2b18eaec382b68b64d89e9b1bfea34321c) Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
author: Michal Klocek <michal.klocek@qt.io> 2022-04-06 15:34:47 +0200
committer: Allan Sandfeld Jensen <allan.jensen@qt.io> 2022-06-07 18:13:51 +0000
commit: a117c0a13cb666c972d25ce0e5413e7fe0880ef6 (patch)
tree: 8d10a7165a6f8d6dc98d8d2e249d2c1969ad9f43
parent: 88a91f8b30df1b95cf9adebacb13a8c0fc3f06c9 (diff)
3 files changed, 22 insertions, 10 deletions
diff --git a/src/core/chromium_overrides.cpp b/src/core/chromium_overrides.cpp
index 4be528f58..7a5ea3737 100644
--- a/src/core/chromium_overrides.cpp
+++ b/src/core/chromium_overrides.cpp
@@ -37,10 +37,11 @@
 **
 ****************************************************************************/
 
+#include "type_conversion.h"
 #include "ozone/gl_context_qt.h"
 #include "qtwebenginecoreglobal_p.h"
 #include "web_contents_view_qt.h"
-
+#include "web_engine_library_info.h"
 #include "base/values.h"
 #include "content/browser/renderer_host/render_widget_host_view_base.h"
 #include "content/browser/web_contents/web_contents_impl.h"
@@ -92,14 +93,20 @@ WebContentsView* CreateWebContentsView(WebContentsImpl *web_contents,
     return rv;
 }
 
-#if defined(Q_OS_MACOS)
-std::string getQtPrefix()
+#if defined(OS_MAC)
+#if defined(QT_MAC_FRAMEWORK_BUILD)
+base::FilePath getSandboxPath()
+{
+    return WebEngineLibraryInfo::getPath(QT_FRAMEWORK_BUNDLE);
+}
+#else
+base::FilePath getSandboxPath()
 {
     const QString prefix = QLibraryInfo::location(QLibraryInfo::PrefixPath);
-    return prefix.toStdString();
+    return QtWebEngineCore::toFilePath(prefix);
 }
 #endif
-
+#endif
 } // namespace content
 
 #if defined(USE_AURA) || defined(USE_OZONE)
diff --git a/src/core/web_engine_library_info.cpp b/src/core/web_engine_library_info.cpp
index 8f580e53a..6d6543272 100644
--- a/src/core/web_engine_library_info.cpp
+++ b/src/core/web_engine_library_info.cpp
@@ -84,7 +84,7 @@ static inline CFBundleRef frameworkBundle()
     return CFBundleGetBundleWithIdentifier(CFSTR("org.qt-project.QtWebEngineCore"));
 }
 
-static QString getPath(CFBundleRef frameworkBundle)
+static QString getBundlePath(CFBundleRef frameworkBundle)
 {
     QString path;
     // The following is a fix for QtWebEngineProcess crashes on OS X 10.7 and before.
@@ -109,11 +109,11 @@ static QString getResourcesPath(CFBundleRef frameworkBundle)
     // We use it for the other OS X versions as well to make sure it works and because
     // the directory structure should be the same.
     if (qApp->applicationName() == QLatin1String(QTWEBENGINEPROCESS_NAME)) {
-        path = getPath(frameworkBundle) % QLatin1String("/Resources");
+        path = getBundlePath(frameworkBundle) % QLatin1String("/Resources");
     } else if (frameworkBundle) {
         CFURLRef resourcesRelativeUrl = CFBundleCopyResourcesDirectoryURL(frameworkBundle);
         CFStringRef resourcesRelativePath = CFURLCopyFileSystemPath(resourcesRelativeUrl, kCFURLPOSIXPathStyle);
-        path = getPath(frameworkBundle) % QLatin1Char('/') % QString::fromCFString(resourcesRelativePath);
+        path = getBundlePath(frameworkBundle) % QLatin1Char('/') % QString::fromCFString(resourcesRelativePath);
         CFRelease(resourcesRelativePath);
         CFRelease(resourcesRelativeUrl);
     }
@@ -166,7 +166,7 @@ QString subProcessPath()
             candidatePaths << fromEnv;
         } else {
 #if defined(OS_MAC) && defined(QT_MAC_FRAMEWORK_BUILD)
-            candidatePaths << getPath(frameworkBundle())
+            candidatePaths << getBundlePath(frameworkBundle())
                               % QStringLiteral("/Helpers/" QTWEBENGINEPROCESS_NAME ".app/Contents/MacOS/" QTWEBENGINEPROCESS_NAME);
 #else
             candidatePaths << QLibraryInfo::path(QLibraryInfo::LibraryExecutablesPath)
@@ -315,6 +315,10 @@ base::FilePath WebEngineLibraryInfo::getPath(int key)
         return toFilePath(resourcesDataPath() % QLatin1String("/qtwebengine_resources_200p.pak"));
     case QT_RESOURCES_DEVTOOLS_PAK:
         return toFilePath(resourcesDataPath() % QLatin1String("/qtwebengine_devtools_resources.pak"));
+#if defined(OS_MAC) && defined(QT_MAC_FRAMEWORK_BUILD)
+    case QT_FRAMEWORK_BUNDLE:
+        return toFilePath(getBundlePath(frameworkBundle()));
+#endif
     case base::FILE_EXE:
     case content::CHILD_PROCESS_EXE:
         return toFilePath(subProcessPath());
diff --git a/src/core/web_engine_library_info.h b/src/core/web_engine_library_info.h
index 2926365bf..10542a99e 100644
--- a/src/core/web_engine_library_info.h
+++ b/src/core/web_engine_library_info.h
@@ -48,7 +48,8 @@ enum {
     QT_RESOURCES_PAK = 5000,
     QT_RESOURCES_100P_PAK = 5001,
     QT_RESOURCES_200P_PAK = 5002,
-    QT_RESOURCES_DEVTOOLS_PAK = 5003
+    QT_RESOURCES_DEVTOOLS_PAK = 5003,
+    QT_FRAMEWORK_BUNDLE = 5004
 };
 
 class WebEngineLibraryInfo {
author	Michal Klocek <michal.klocek@qt.io>	2022-04-06 15:34:47 +0200
committer	Allan Sandfeld Jensen <allan.jensen@qt.io>	2022-06-07 18:13:51 +0000
commit	a117c0a13cb666c972d25ce0e5413e7fe0880ef6 (patch)
tree	8d10a7165a6f8d6dc98d8d2e249d2c1969ad9f43
parent	88a91f8b30df1b95cf9adebacb13a8c0fc3f06c9 (diff)