authorTimothy Flynn <trflynn89@pm.me>2021-12-29 13:10:12 -0500
committerAndreas Kling <kling@serenityos.org>2021-12-30 14:18:12 +0100
commit565a880ce5a14bac817c73916e91ebfa04c8b99b (patch)
treec72ea83b52dd43711c4f0fc32367165d839e77ba
parent0c84957eba4ef71ac45d7b1dcf6a79146448ebd5 (diff)
Userland: Link directly against LibUnicodeData where needed
This is partially a revert of commits: 10a8b6d4116c6a627a6c189154af032f69b29c21 561b67a1add82538502ef2f5733f1d86718898ad Rather than adding the prot_exec pledge required to use dlopen(), we can link directly against LibUnicodeData in applications that we know need that library. This might make the dlopen() dance a bit unnecessary. The same purpose might now be fulfilled with weak symbols. That can be revisited next, but for now, this at least removes the potential security risk of apps like the Browser having prot_exec privileges.
-rw-r--r--Userland/Applications/Assistant/CMakeLists.txt1
-rw-r--r--Userland/Applications/Assistant/main.cpp2
-rw-r--r--Userland/Applications/Browser/CMakeLists.txt1
-rw-r--r--Userland/Applications/Browser/main.cpp3
-rw-r--r--Userland/Applications/FontEditor/CMakeLists.txt1
-rw-r--r--Userland/Applications/FontEditor/main.cpp4
-rw-r--r--Userland/Applications/Help/CMakeLists.txt1
-rw-r--r--Userland/Applications/Help/main.cpp3
-rw-r--r--Userland/Applications/Spreadsheet/CMakeLists.txt1
-rw-r--r--Userland/Applications/Spreadsheet/main.cpp7
-rw-r--r--Userland/Applications/TextEditor/CMakeLists.txt1
-rw-r--r--Userland/Applications/TextEditor/main.cpp3
-rw-r--r--Userland/DevTools/HackStudio/CMakeLists.txt1
-rw-r--r--Userland/Services/WebContent/CMakeLists.txt1
-rw-r--r--Userland/Services/WebContent/main.cpp3
-rw-r--r--Userland/Utilities/CMakeLists.txt1
-rw-r--r--Userland/Utilities/js.cpp2
17 files changed, 18 insertions, 18 deletions
diff --git a/Userland/Applications/Assistant/CMakeLists.txt b/Userland/Applications/Assistant/CMakeLists.txt
index 3a807ef3a8..3f0e6c7cdd 100644
--- a/Userland/Applications/Assistant/CMakeLists.txt
+++ b/Userland/Applications/Assistant/CMakeLists.txt
@@ -12,3 +12,4 @@ set(SOURCES
serenity_app(Assistant ICON app-run)
target_link_libraries(Assistant LibCore LibDesktop LibGUI LibJS LibThreading)
+link_with_unicode_data(Assistant)
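Review bot: `link_with_unicode_data(Assistant)` carries no comment saying why the target links LibUnicodeData directly, and that reason is a sandboxing one: per the commit message it replaces the dlopen() path that needed the `prot_exec` pledge. A one-line comment above the call, e.g. `# Linked directly so the app does not need the prot_exec pledge to dlopen() LibUnicodeData.`, would stop a later cleanup from dropping the line or restoring the pledge. The same applies to the identical additions for Browser, FontEditor, Help, Spreadsheet, TextEditor, HackStudio, WebContent and js; documenting it once at the definition of `link_with_unicode_data`, which is outside this diff, would also do.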
diff --git a/Userland/Applications/Assistant/main.cpp b/Userland/Applications/Assistant/main.cpp
index ff47b44a90..522e65a444 100644
--- a/Userland/Applications/Assistant/main.cpp
+++ b/Userland/Applications/Assistant/main.cpp
@@ -188,7 +188,7 @@ static constexpr size_t MAX_SEARCH_RESULTS = 6;
int main(int argc, char** argv)
{
- if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread prot_exec", nullptr) < 0) {
+ if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread", nullptr) < 0) {
perror("pledge");
return 1;
}
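Review bot: The edited call keeps the raw `pledge(..., nullptr) < 0` plus `perror("pledge")` form inside `int main`, while the other entry points touched in this commit (Browser, FontEditor, Help, TextEditor, WebContent, js) use `TRY(Core::System::pledge(...))` under `serenity_main`; Spreadsheet/main.cpp has the same older form. This is a style point rather than a defect, but promise strings are what a sandbox audit greps for, and a single call form makes a sweep like this one harder to get wrong. Converting would give `TRY(Core::System::pledge("stdio recvfd sendfd rpath cpath unix proc exec thread"));` and would also need LibMain on the target, which the Assistant link line in this commit does not list. The body of `main` continues outside the hunk.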
diff --git a/Userland/Applications/Browser/CMakeLists.txt b/Userland/Applications/Browser/CMakeLists.txt
index 542af7d4a8..f46be1c7c8 100644
--- a/Userland/Applications/Browser/CMakeLists.txt
+++ b/Userland/Applications/Browser/CMakeLists.txt
@@ -27,3 +27,4 @@ set(SOURCES
serenity_app(Browser ICON app-browser)
target_link_libraries(Browser LibWeb LibProtocol LibGUI LibDesktop LibConfig LibMain)
+link_with_unicode_data(Browser)
diff --git a/Userland/Applications/Browser/main.cpp b/Userland/Applications/Browser/main.cpp
index 000dc42679..ccbd85693b 100644
--- a/Userland/Applications/Browser/main.cpp
+++ b/Userland/Applications/Browser/main.cpp
@@ -39,7 +39,7 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
return 1;
}
- TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath"));
const char* specified_url = nullptr;
@@ -63,7 +63,6 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
TRY(Core::System::unveil("/tmp/portal/image", "rw"));
TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
TRY(Core::System::unveil("/tmp/portal/request", "rw"));
- TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
TRY(Core::System::unveil(nullptr, nullptr));
auto app_icon = GUI::Icon::default_icon("app-browser");
diff --git a/Userland/Applications/FontEditor/CMakeLists.txt b/Userland/Applications/FontEditor/CMakeLists.txt
index 2b4d8313d9..82e01123d1 100644
--- a/Userland/Applications/FontEditor/CMakeLists.txt
+++ b/Userland/Applications/FontEditor/CMakeLists.txt
@@ -23,3 +23,4 @@ set(SOURCES
serenity_app(FontEditor ICON app-font-editor)
target_link_libraries(FontEditor LibGUI LibDesktop LibGfx LibMain)
+link_with_unicode_data(FontEditor)
diff --git a/Userland/Applications/FontEditor/main.cpp b/Userland/Applications/FontEditor/main.cpp
index fa365e7fb6..1193761f3a 100644
--- a/Userland/Applications/FontEditor/main.cpp
+++ b/Userland/Applications/FontEditor/main.cpp
@@ -20,14 +20,14 @@
ErrorOr<int> serenity_main(Main::Arguments arguments)
{
- TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath"));
auto app = TRY(GUI::Application::try_create(arguments));
TRY(Desktop::Launcher::add_allowed_handler_with_only_specific_urls("/bin/Help", { URL::create_with_file_protocol("/usr/share/man/man1/FontEditor.md") }));
TRY(Desktop::Launcher::seal_allowlist());
- TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath"));
char const* path = nullptr;
Core::ArgsParser args_parser;
diff --git a/Userland/Applications/Help/CMakeLists.txt b/Userland/Applications/Help/CMakeLists.txt
index 1af4a46404..dad69f3f57 100644
--- a/Userland/Applications/Help/CMakeLists.txt
+++ b/Userland/Applications/Help/CMakeLists.txt
@@ -14,3 +14,4 @@ set(SOURCES
serenity_app(Help ICON app-help)
target_link_libraries(Help LibWeb LibMarkdown LibGUI LibDesktop LibMain)
+link_with_unicode_data(Help)
diff --git a/Userland/Applications/Help/main.cpp b/Userland/Applications/Help/main.cpp
index be5574d708..afebffbfd3 100644
--- a/Userland/Applications/Help/main.cpp
+++ b/Userland/Applications/Help/main.cpp
@@ -36,14 +36,13 @@
ErrorOr<int> serenity_main(Main::Arguments arguments)
{
- TRY(Core::System::pledge("stdio recvfd sendfd rpath unix prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd rpath unix"));
auto app = TRY(GUI::Application::try_create(arguments));
TRY(Core::System::unveil("/res", "r"));
TRY(Core::System::unveil("/usr/share/man", "r"));
TRY(Core::System::unveil("/tmp/portal/launch", "rw"));
TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
- TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
TRY(Core::System::unveil(nullptr, nullptr));
char const* start_page = nullptr;
diff --git a/Userland/Applications/Spreadsheet/CMakeLists.txt b/Userland/Applications/Spreadsheet/CMakeLists.txt
index 0f0eeec27d..a98e03325e 100644
--- a/Userland/Applications/Spreadsheet/CMakeLists.txt
+++ b/Userland/Applications/Spreadsheet/CMakeLists.txt
@@ -42,6 +42,7 @@ set(GENERATED_SOURCES
serenity_app(Spreadsheet ICON app-spreadsheet)
target_link_libraries(Spreadsheet LibGUI LibJS LibWeb)
+link_with_unicode_data(Spreadsheet)
serenity_test(Writers/Test/TestXSVWriter.cpp Spreadsheet)
diff --git a/Userland/Applications/Spreadsheet/main.cpp b/Userland/Applications/Spreadsheet/main.cpp
index cc2a54c694..0ed5a66f22 100644
--- a/Userland/Applications/Spreadsheet/main.cpp
+++ b/Userland/Applications/Spreadsheet/main.cpp
@@ -22,7 +22,7 @@
int main(int argc, char* argv[])
{
- if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread prot_exec", nullptr) < 0) {
+ if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread", nullptr) < 0) {
perror("pledge");
return 1;
}
@@ -69,11 +69,6 @@ int main(int argc, char* argv[])
return 1;
}
- if (unveil("/usr/lib/libunicodedata.so.serenity", "r") < 0) {
- perror("unveil");
- return 1;
- }
-
if (unveil(nullptr, nullptr) < 0) {
perror("unveil");
return 1;
diff --git a/Userland/Applications/TextEditor/CMakeLists.txt b/Userland/Applications/TextEditor/CMakeLists.txt
index ed9df126c8..f1c18a83bf 100644
--- a/Userland/Applications/TextEditor/CMakeLists.txt
+++ b/Userland/Applications/TextEditor/CMakeLists.txt
@@ -16,3 +16,4 @@ set(SOURCES
serenity_app(TextEditor ICON app-text-editor)
target_link_libraries(TextEditor LibWeb LibMarkdown LibGUI LibShell LibRegex LibDesktop LibCpp LibJS LibSQL LibFileSystemAccessClient LibConfig LibMain)
+link_with_unicode_data(TextEditor)
diff --git a/Userland/Applications/TextEditor/main.cpp b/Userland/Applications/TextEditor/main.cpp
index 861d71a11e..39dafd459e 100644
--- a/Userland/Applications/TextEditor/main.cpp
+++ b/Userland/Applications/TextEditor/main.cpp
@@ -18,7 +18,7 @@ using namespace TextEditor;
ErrorOr<int> serenity_main(Main::Arguments arguments)
{
- TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix"));
auto app = TRY(GUI::Application::try_create(arguments));
@@ -35,7 +35,6 @@ ErrorOr<int> serenity_main(Main::Arguments arguments)
TRY(Core::System::unveil("/tmp/portal/launch", "rw"));
TRY(Core::System::unveil("/tmp/portal/webcontent", "rw"));
TRY(Core::System::unveil("/tmp/portal/filesystemaccess", "rw"));
- TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
TRY(Core::System::unveil(nullptr, nullptr));
StringView preview_mode_view = preview_mode;
diff --git a/Userland/DevTools/HackStudio/CMakeLists.txt b/Userland/DevTools/HackStudio/CMakeLists.txt
index 8f6cc83d5e..e9a2a29a66 100644
--- a/Userland/DevTools/HackStudio/CMakeLists.txt
+++ b/Userland/DevTools/HackStudio/CMakeLists.txt
@@ -51,4 +51,5 @@ set(SOURCES
serenity_app(HackStudio ICON app-hack-studio)
target_link_libraries(HackStudio LibWeb LibMarkdown LibGUI LibCpp LibGfx LibCore LibVT LibDebug LibX86 LibDiff LibShell LibSymbolication LibRegex LibSQL LibCoredump LibMain)
+link_with_unicode_data(HackStudio)
add_dependencies(HackStudio CppLanguageServer)
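Review bot: HackStudio gains `link_with_unicode_data(HackStudio)` here, but unlike the other application targets no HackStudio source file appears in this commit, so its pledge is not visible. It is worth confirming that HackStudio's promise list does not still include `prot_exec` only for the Unicode data. If it keeps that promise for another reason, a comment next to the pledge should say so.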
diff --git a/Userland/Services/WebContent/CMakeLists.txt b/Userland/Services/WebContent/CMakeLists.txt
index b712d0487f..5a660ef194 100644
--- a/Userland/Services/WebContent/CMakeLists.txt
+++ b/Userland/Services/WebContent/CMakeLists.txt
@@ -18,3 +18,4 @@ set(SOURCES
serenity_bin(WebContent)
target_link_libraries(WebContent LibCore LibIPC LibGfx LibWeb LibMain)
+link_with_unicode_data(WebContent)
diff --git a/Userland/Services/WebContent/main.cpp b/Userland/Services/WebContent/main.cpp
index ef700f53ef..8bb754281c 100644
--- a/Userland/Services/WebContent/main.cpp
+++ b/Userland/Services/WebContent/main.cpp
@@ -14,12 +14,11 @@
ErrorOr<int> serenity_main(Main::Arguments)
{
Core::EventLoop event_loop;
- TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath prot_exec"));
+ TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath"));
TRY(Core::System::unveil("/res", "r"));
TRY(Core::System::unveil("/tmp/portal/request", "rw"));
TRY(Core::System::unveil("/tmp/portal/image", "rw"));
TRY(Core::System::unveil("/tmp/portal/websocket", "rw"));
- TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r"));
TRY(Core::System::unveil(nullptr, nullptr));
auto client = TRY(IPC::take_over_accepted_client_from_system_server<WebContent::ClientConnection>());
diff --git a/Userland/Utilities/CMakeLists.txt b/Userland/Utilities/CMakeLists.txt
index 1ae985b01b..253b59fcf8 100644
--- a/Userland/Utilities/CMakeLists.txt
+++ b/Userland/Utilities/CMakeLists.txt
@@ -104,6 +104,7 @@ target_link_libraries(id LibMain)
target_link_libraries(ini LibMain)
target_link_libraries(jp LibMain)
target_link_libraries(js LibJS LibLine LibMain)
+link_with_unicode_data(js)
target_link_libraries(keymap LibKeyboard LibMain)
target_link_libraries(less LibMain)
target_link_libraries(logout LibMain)
diff --git a/Userland/Utilities/js.cpp b/Userland/Utilities/js.cpp
index 917aebc30a..480eaba48e 100644
--- a/Userland/Utilities/js.cpp
+++ b/Userland/Utilities/js.cpp
@@ -1195,7 +1195,7 @@ private:
ErrorOr<int> serenity_main(Main::Arguments arguments)
{
#ifdef __serenity__
- TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction prot_exec"));
+ TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction"));
#endif
bool gc_on_every_allocation = false;