[Sandbox] Reduce entitlements granted by default
Since App Store approval decided these suddenly matter. Signed-off-by: Christopher Snowhill <kode54@gmail.com>swiftingly
parent
a35459719d
commit
8b7418857d
|
@ -9,14 +9,8 @@
|
|||
</array>
|
||||
<key>com.apple.security.app-sandbox</key>
|
||||
<true/>
|
||||
<key>com.apple.security.assets.movies.read-only</key>
|
||||
<true/>
|
||||
<key>com.apple.security.assets.music.read-only</key>
|
||||
<true/>
|
||||
<key>com.apple.security.cs.allow-jit</key>
|
||||
<true/>
|
||||
<key>com.apple.security.files.downloads.read-only</key>
|
||||
<true/>
|
||||
<key>com.apple.security.files.user-selected.read-write</key>
|
||||
<true/>
|
||||
<key>com.apple.security.network.client</key>
|
||||
|
|
|
@ -24,35 +24,6 @@
|
|||
@property(nonatomic) NSURL *_Nullable url;
|
||||
@end
|
||||
|
||||
static NSURL *containerDirectory(void) {
|
||||
NSString *path = [@"~" stringByExpandingTildeInPath];
|
||||
return [NSURL fileURLWithPath:path];
|
||||
}
|
||||
|
||||
// XXX this is only for comparison, not "escaping the sandbox"
|
||||
static NSURL *pathEscape(NSString *path) {
|
||||
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
|
||||
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
|
||||
if(rangeOfMatch.location != NSNotFound)
|
||||
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
|
||||
return [NSURL fileURLWithPath:path];
|
||||
}
|
||||
|
||||
static NSURL *defaultMusicDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
static NSURL *defaultDownloadsDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
static NSURL *defaultMoviesDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
@interface PathItem : NSObject
|
||||
@property(nonatomic, strong) NSString *path;
|
||||
@property(nonatomic) BOOL enabled;
|
||||
|
@ -99,12 +70,6 @@ static NSURL *defaultMoviesDirectory(void) {
|
|||
|
||||
if(!results || [results count] < 1) return;
|
||||
|
||||
NSURL *defaultMusic = defaultMusicDirectory();
|
||||
NSURL *defaultDownloads = defaultDownloadsDirectory();
|
||||
NSURL *defaultMovies = defaultMoviesDirectory();
|
||||
|
||||
NSURL *container = containerDirectory();
|
||||
|
||||
id sandboxBrokerClass = NSClassFromString(@"SandboxBroker");
|
||||
|
||||
NSMutableArray *items = [[NSMutableArray alloc] init];
|
||||
|
@ -125,7 +90,8 @@ static NSURL *defaultMoviesDirectory(void) {
|
|||
// Add other system paths to this setting
|
||||
NSString *fileTreePath = [[NSUserDefaults standardUserDefaults] stringForKey:@"fileTreeRootURL"];
|
||||
if(fileTreePath && [fileTreePath length]) {
|
||||
[array addObject:[NSURL URLWithString:fileTreePath]];
|
||||
// Append false name to dodge the directory/fragment trimmer
|
||||
[array addObject:[NSURL URLWithString:[fileTreePath stringByAppendingPathComponent:@"moo.mp3"]]];
|
||||
}
|
||||
|
||||
NSString *soundFontPath = [[NSUserDefaults standardUserDefaults] stringForKey:@"soundFontPath"];
|
||||
|
@ -135,14 +101,7 @@ static NSURL *defaultMoviesDirectory(void) {
|
|||
|
||||
for(NSURL *fileUrl in array) {
|
||||
NSURL *url = [sandboxBrokerClass urlWithoutFragment:fileUrl];
|
||||
if([sandboxBrokerClass isPath:url aSubdirectoryOf:defaultMusic] ||
|
||||
[sandboxBrokerClass isPath:url
|
||||
aSubdirectoryOf:defaultDownloads] ||
|
||||
[sandboxBrokerClass isPath:url
|
||||
aSubdirectoryOf:defaultMovies] ||
|
||||
[sandboxBrokerClass isPath:url
|
||||
aSubdirectoryOf:container] ||
|
||||
[sandboxPathBehaviorController matchesPath:url])
|
||||
if([sandboxPathBehaviorController matchesPath:url])
|
||||
continue;
|
||||
|
||||
NSArray *pathComponents = [url pathComponents];
|
||||
|
|
|
@ -17,40 +17,6 @@
|
|||
|
||||
#import "PlaylistController.h"
|
||||
|
||||
static NSURL *_containerDirectory = nil;
|
||||
static NSURL *_defaultMusicDirectory = nil;
|
||||
static NSURL *_defaultDownloadsDirectory = nil;
|
||||
static NSURL *_defaultMoviesDirectory = nil;
|
||||
|
||||
static NSURL *containerDirectory(void) {
|
||||
NSString *path = [@"~" stringByExpandingTildeInPath];
|
||||
return [NSURL fileURLWithPath:path];
|
||||
}
|
||||
|
||||
// XXX this is only for comparison, not "escaping the sandbox"
|
||||
static NSURL *pathEscape(NSString *path) {
|
||||
NSString *componentsToRemove = [NSString stringWithFormat:@"Library/Containers/%@/Data/", [[NSBundle mainBundle] bundleIdentifier]];
|
||||
NSRange rangeOfMatch = [path rangeOfString:componentsToRemove];
|
||||
if(rangeOfMatch.location != NSNotFound)
|
||||
path = [path stringByReplacingCharactersInRange:rangeOfMatch withString:@""];
|
||||
return [NSURL fileURLWithPath:path];
|
||||
}
|
||||
|
||||
static NSURL *defaultMusicDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMusicDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
static NSURL *defaultDownloadsDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSDownloadsDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
static NSURL *defaultMoviesDirectory(void) {
|
||||
NSString *path = [NSSearchPathForDirectoriesInDomains(NSMoviesDirectory, NSUserDomainMask, YES) lastObject];
|
||||
return pathEscape(path);
|
||||
}
|
||||
|
||||
static SandboxBroker *kSharedSandboxBroker = nil;
|
||||
|
||||
@interface SandboxEntry : NSObject {
|
||||
|
@ -69,7 +35,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
|||
@property NSInteger refCount;
|
||||
|
||||
- (id)initWithToken:(SandboxToken *)token;
|
||||
- (id)initWithStaticURL:(NSURL *)url;
|
||||
@end
|
||||
|
||||
@implementation SandboxEntry
|
||||
|
@ -84,17 +49,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
|||
return obj;
|
||||
}
|
||||
|
||||
- (id)initWithStaticURL:(NSURL *)url {
|
||||
SandboxEntry *obj = [super init];
|
||||
if(obj) {
|
||||
obj->_refCount = 1;
|
||||
obj->_secureUrl = nil;
|
||||
obj->_token = nil;
|
||||
obj->_path = [url path];
|
||||
}
|
||||
return obj;
|
||||
}
|
||||
|
||||
- (NSInteger)refCount {
|
||||
return _refCount;
|
||||
}
|
||||
|
@ -193,22 +147,6 @@ static SandboxBroker *kSharedSandboxBroker = nil;
|
|||
- (SandboxEntry *)recursivePathTest:(NSURL *)url {
|
||||
SandboxEntry *ret = nil;
|
||||
|
||||
static dispatch_once_t onceToken;
|
||||
dispatch_once(&onceToken, ^{
|
||||
_containerDirectory = containerDirectory();
|
||||
_defaultMusicDirectory = defaultMusicDirectory();
|
||||
_defaultDownloadsDirectory = defaultDownloadsDirectory();
|
||||
_defaultMoviesDirectory = defaultMoviesDirectory();
|
||||
});
|
||||
|
||||
NSArray *urls = @[_containerDirectory, _defaultMusicDirectory, _defaultDownloadsDirectory, _defaultMoviesDirectory];
|
||||
|
||||
for(NSURL *checkUrl in urls) {
|
||||
if([SandboxBroker isPath:url aSubdirectoryOf:checkUrl]) {
|
||||
return [[SandboxEntry alloc] initWithStaticURL:checkUrl];
|
||||
}
|
||||
}
|
||||
|
||||
NSPersistentContainer *pc = [SandboxBroker sharedPersistentContainer];
|
||||
|
||||
NSSortDescriptor *sortDescriptor = [NSSortDescriptor sortDescriptorWithKey:@"path.length" ascending:NO];
|
||||
|
|
Loading…
Reference in New Issue