Userland: Link directly against LibUnicodeData where needed

This is partially a revert of commits: 10a8b6d411 561b67a1ad Rather than adding the prot_exec pledge requried to use dlopen(), we can link directly against LibUnicodeData in applications that we know need that library. This might make the dlopen() dance a bit unnecessary. The same purpose might now be fulfilled with weak symbols. That can be revisted next, but for now, this at least removes the potential security risk of apps like the Browser having prot_exec privileges.
Author: https://github.com/trflynn89 Commit: https://github.com/SerenityOS/serenity/commit/565a880ce5a Pull-request: https://github.com/SerenityOS/serenity/pull/11491 Reviewed-by: https://github.com/bgianfo ✅
2024-12-27 21:21:50 +03:00 · 2021-12-29 13:10:12 -05:00 · 2021-12-29 13:10:12 -05:00 · 565a880ce5 · 2024-07-17 21:57:06 +09:00
commit 565a880ce5
parent 0c84957eba
17 changed files with 18 additions and 18 deletions
--- a/Userland/Applications/Assistant/CMakeLists.txt
+++ b/Userland/Applications/Assistant/CMakeLists.txt
@ -12,3 +12,4 @@ set(SOURCES

 serenity_app(Assistant ICON app-run)
 target_link_libraries(Assistant LibCore LibDesktop LibGUI LibJS LibThreading)
+link_with_unicode_data(Assistant)
--- a/Userland/Applications/Assistant/main.cpp
+++ b/Userland/Applications/Assistant/main.cpp
@ -188,7 +188,7 @@ static constexpr size_t MAX_SEARCH_RESULTS = 6;

 int main(int argc, char** argv)
 {
-    if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread prot_exec", nullptr) < 0) {
+    if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread", nullptr) < 0) {
        perror("pledge");
        return 1;
    }
--- a/Userland/Applications/Browser/CMakeLists.txt
+++ b/Userland/Applications/Browser/CMakeLists.txt
@ -27,3 +27,4 @@ set(SOURCES

 serenity_app(Browser ICON app-browser)
 target_link_libraries(Browser LibWeb LibProtocol LibGUI LibDesktop LibConfig LibMain)
+link_with_unicode_data(Browser)
--- a/Userland/Applications/Browser/main.cpp
+++ b/Userland/Applications/Browser/main.cpp
@ -39,7 +39,7 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
        return 1;
    }

-    TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath"));

    const char* specified_url = nullptr;

@ -63,7 +63,6 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
    TRY(Core::System::unveil("/tmp/portal/image", "rw"));
    TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
    TRY(Core::System::unveil("/tmp/portal/request", "rw"));
-    TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
    TRY(Core::System::unveil(nullptr, nullptr));

    auto app_icon = GUI::Icon::default_icon("app-browser");
--- a/Userland/Applications/FontEditor/CMakeLists.txt
+++ b/Userland/Applications/FontEditor/CMakeLists.txt
@ -23,3 +23,4 @@ set(SOURCES

 serenity_app(FontEditor ICON app-font-editor)
 target_link_libraries(FontEditor LibGUI LibDesktop LibGfx LibMain)
+link_with_unicode_data(FontEditor)
--- a/Userland/Applications/FontEditor/main.cpp
+++ b/Userland/Applications/FontEditor/main.cpp
@ -20,14 +20,14 @@

 ErrorOr<int> serenity_main(Main::Arguments arguments)
 {
-    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath"));

    auto app = TRY(GUI::Application::try_create(arguments));

    TRY(Desktop::Launcher::add_allowed_handler_with_only_specific_urls("/bin/Help", { URL::create_with_file_protocol("/usr/share/man/man1/FontEditor.md") }));
    TRY(Desktop::Launcher::seal_allowlist());

-    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath"));

    char const* path = nullptr;
    Core::ArgsParser args_parser;
--- a/Userland/Applications/Help/CMakeLists.txt
+++ b/Userland/Applications/Help/CMakeLists.txt
@ -14,3 +14,4 @@ set(SOURCES

 serenity_app(Help ICON app-help)
 target_link_libraries(Help LibWeb LibMarkdown LibGUI LibDesktop LibMain)
+link_with_unicode_data(Help)
--- a/Userland/Applications/Help/main.cpp
+++ b/Userland/Applications/Help/main.cpp
@ -36,14 +36,13 @@

 ErrorOr<int> serenity_main(Main::Arguments arguments)
 {
-    TRY(Core::System::pledge("stdio recvfd sendfd rpath unix prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd rpath unix"));
    auto app = TRY(GUI::Application::try_create(arguments));

    TRY(Core::System::unveil("/res", "r"));
    TRY(Core::System::unveil("/usr/share/man", "r"));
    TRY(Core::System::unveil("/tmp/portal/launch", "rw"));
    TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
-    TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
    TRY(Core::System::unveil(nullptr, nullptr));

    char const* start_page = nullptr;
--- a/Userland/Applications/Spreadsheet/CMakeLists.txt
+++ b/Userland/Applications/Spreadsheet/CMakeLists.txt
@ -42,6 +42,7 @@ set(GENERATED_SOURCES

 serenity_app(Spreadsheet ICON app-spreadsheet)
 target_link_libraries(Spreadsheet LibGUI LibJS LibWeb)
+link_with_unicode_data(Spreadsheet)

 serenity_test(Writers/Test/TestXSVWriter.cpp Spreadsheet)

--- a/Userland/Applications/Spreadsheet/main.cpp
+++ b/Userland/Applications/Spreadsheet/main.cpp
@ -22,7 +22,7 @@

 int main(int argc, char* argv[])
 {
-    if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread prot_exec", nullptr) < 0) {
+    if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread", nullptr) < 0) {
        perror("pledge");
        return 1;
    }
@ -69,11 +69,6 @@ int main(int argc, char* argv[])
        return 1;
    }

-    if (unveil("/usr/lib/libunicodedata.so.serenity", "r") < 0) {
-        perror("unveil");
-        return 1;
-    }
-
    if (unveil(nullptr, nullptr) < 0) {
        perror("unveil");
        return 1;
--- a/Userland/Applications/TextEditor/CMakeLists.txt
+++ b/Userland/Applications/TextEditor/CMakeLists.txt
@ -16,3 +16,4 @@ set(SOURCES

 serenity_app(TextEditor ICON app-text-editor)
 target_link_libraries(TextEditor LibWeb LibMarkdown LibGUI LibShell LibRegex LibDesktop LibCpp LibJS LibSQL LibFileSystemAccessClient LibConfig LibMain)
+link_with_unicode_data(TextEditor)
--- a/Userland/Applications/TextEditor/main.cpp
+++ b/Userland/Applications/TextEditor/main.cpp
@ -18,7 +18,7 @@ using namespace TextEditor;

 ErrorOr<int> serenity_main(Main::Arguments arguments)
 {
-    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix"));

    auto app = TRY(GUI::Application::try_create(arguments));

@ -35,7 +35,6 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
    TRY(Core::System::unveil("/tmp/portal/launch", "rw"));
    TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
    TRY(Core::System::unveil("/tmp/portal/filesystemaccess", "rw"));
-    TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
    TRY(Core::System::unveil(nullptr, nullptr));

    StringView preview_mode_view = preview_mode;
--- a/Userland/DevTools/HackStudio/CMakeLists.txt
+++ b/Userland/DevTools/HackStudio/CMakeLists.txt
@ -51,4 +51,5 @@ set(SOURCES

 serenity_app(HackStudio ICON app-hack-studio)
 target_link_libraries(HackStudio LibWeb LibMarkdown LibGUI LibCpp LibGfx LibCore LibVT LibDebug LibX86 LibDiff LibShell LibSymbolication LibRegex LibSQL LibCoredump LibMain)
+link_with_unicode_data(HackStudio)
 add_dependencies(HackStudio CppLanguageServer)
--- a/Userland/Services/WebContent/CMakeLists.txt
+++ b/Userland/Services/WebContent/CMakeLists.txt
@ -18,3 +18,4 @@ set(SOURCES

 serenity_bin(WebContent)
 target_link_libraries(WebContent LibCore LibIPC LibGfx LibWeb LibMain)
+link_with_unicode_data(WebContent)
--- a/Userland/Services/WebContent/main.cpp
+++ b/Userland/Services/WebContent/main.cpp
@ -14,12 +14,11 @@
 ErrorOr<int> serenity_main(Main::Arguments)
 {
    Core::EventLoop event_loop;
-    TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath prot_exec"));
+    TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath"));
    TRY(Core::System::unveil("/res", "r"));
    TRY(Core::System::unveil("/tmp/portal/request", "rw"));
    TRY(Core::System::unveil("/tmp/portal/image", "rw"));
    TRY(Core::System::unveil("/tmp/portal/websocket", "rw"));
-    TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
    TRY(Core::System::unveil(nullptr, nullptr));

    auto client = TRY(IPC::take_over_accepted_client_from_system_server<WebContent::ClientConnection>());
--- a/Userland/Utilities/CMakeLists.txt
+++ b/Userland/Utilities/CMakeLists.txt
@ -104,6 +104,7 @@ target_link_libraries(id LibMain)
 target_link_libraries(ini LibMain)
 target_link_libraries(jp LibMain)
 target_link_libraries(js LibJS LibLine LibMain)
+link_with_unicode_data(js)
 target_link_libraries(keymap LibKeyboard LibMain)
 target_link_libraries(less LibMain)
 target_link_libraries(logout LibMain)
--- a/Userland/Utilities/js.cpp
+++ b/Userland/Utilities/js.cpp
@ -1195,7 +1195,7 @@ private:
 ErrorOr<int> serenity_main(Main::Arguments arguments)
 {
 #ifdef __serenity__
-    TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction prot_exec"));
+    TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction"));
 #endif

    bool gc_on_every_allocation = false;