diff --git a/Userland/Applications/Assistant/main.cpp b/Userland/Applications/Assistant/main.cpp index 522e65a444..ff47b44a90 100644 --- a/Userland/Applications/Assistant/main.cpp +++ b/Userland/Applications/Assistant/main.cpp @@ -188,7 +188,7 @@ static constexpr size_t MAX_SEARCH_RESULTS = 6; int main(int argc, char** argv) { - if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread", nullptr) < 0) { + if (pledge("stdio recvfd sendfd rpath cpath unix proc exec thread prot_exec", nullptr) < 0) { perror("pledge"); return 1; } diff --git a/Userland/Applications/Browser/main.cpp b/Userland/Applications/Browser/main.cpp index ccbd85693b..000dc42679 100644 --- a/Userland/Applications/Browser/main.cpp +++ b/Userland/Applications/Browser/main.cpp @@ -39,7 +39,7 @@ ErrorOr serenity_main(Main::Arguments arguments) return 1; } - TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath")); + TRY(Core::System::pledge("stdio recvfd sendfd unix cpath rpath wpath prot_exec")); const char* specified_url = nullptr; @@ -63,6 +63,7 @@ ErrorOr serenity_main(Main::Arguments arguments) TRY(Core::System::unveil("/tmp/portal/image", "rw")); TRY(Core::System::unveil("/tmp/portal/webcontent", "rw")); TRY(Core::System::unveil("/tmp/portal/request", "rw")); + TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r")); TRY(Core::System::unveil(nullptr, nullptr)); auto app_icon = GUI::Icon::default_icon("app-browser"); diff --git a/Userland/Applications/FontEditor/main.cpp b/Userland/Applications/FontEditor/main.cpp index 1193761f3a..fa365e7fb6 100644 --- a/Userland/Applications/FontEditor/main.cpp +++ b/Userland/Applications/FontEditor/main.cpp @@ -20,14 +20,14 @@ ErrorOr serenity_main(Main::Arguments arguments) { - TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath")); + TRY(Core::System::pledge("stdio recvfd sendfd thread rpath unix cpath wpath prot_exec")); auto app = TRY(GUI::Application::try_create(arguments)); TRY(Desktop::Launcher::add_allowed_handler_with_only_specific_urls("/bin/Help", { URL::create_with_file_protocol("/usr/share/man/man1/FontEditor.md") })); TRY(Desktop::Launcher::seal_allowlist()); - TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath")); + TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath prot_exec")); char const* path = nullptr; Core::ArgsParser args_parser; diff --git a/Userland/Applications/Spreadsheet/main.cpp b/Userland/Applications/Spreadsheet/main.cpp index 0ed5a66f22..cc2a54c694 100644 --- a/Userland/Applications/Spreadsheet/main.cpp +++ b/Userland/Applications/Spreadsheet/main.cpp @@ -22,7 +22,7 @@ int main(int argc, char* argv[]) { - if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread", nullptr) < 0) { + if (pledge("stdio recvfd sendfd rpath fattr unix cpath wpath thread prot_exec", nullptr) < 0) { perror("pledge"); return 1; } @@ -69,6 +69,11 @@ int main(int argc, char* argv[]) return 1; } + if (unveil("/usr/lib/libunicodedata.so.serenity", "r") < 0) { + perror("unveil"); + return 1; + } + if (unveil(nullptr, nullptr) < 0) { perror("unveil"); return 1; diff --git a/Userland/Applications/TextEditor/main.cpp b/Userland/Applications/TextEditor/main.cpp index 39dafd459e..861d71a11e 100644 --- a/Userland/Applications/TextEditor/main.cpp +++ b/Userland/Applications/TextEditor/main.cpp @@ -18,7 +18,7 @@ using namespace TextEditor; ErrorOr serenity_main(Main::Arguments arguments) { - TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix")); + TRY(Core::System::pledge("stdio recvfd sendfd thread rpath cpath wpath unix prot_exec")); auto app = TRY(GUI::Application::try_create(arguments)); @@ -35,6 +35,7 @@ ErrorOr serenity_main(Main::Arguments arguments) TRY(Core::System::unveil("/tmp/portal/launch", "rw")); TRY(Core::System::unveil("/tmp/portal/webcontent", "rw")); TRY(Core::System::unveil("/tmp/portal/filesystemaccess", "rw")); + TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r")); TRY(Core::System::unveil(nullptr, nullptr)); StringView preview_mode_view = preview_mode; diff --git a/Userland/Services/WebContent/main.cpp b/Userland/Services/WebContent/main.cpp index 8bb754281c..ef700f53ef 100644 --- a/Userland/Services/WebContent/main.cpp +++ b/Userland/Services/WebContent/main.cpp @@ -14,11 +14,12 @@ ErrorOr serenity_main(Main::Arguments) { Core::EventLoop event_loop; - TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath")); + TRY(Core::System::pledge("stdio recvfd sendfd accept unix rpath prot_exec")); TRY(Core::System::unveil("/res", "r")); TRY(Core::System::unveil("/tmp/portal/request", "rw")); TRY(Core::System::unveil("/tmp/portal/image", "rw")); TRY(Core::System::unveil("/tmp/portal/websocket", "rw")); + TRY(Core::System::unveil("/usr/lib/libunicodedata.so.serenity", "r")); TRY(Core::System::unveil(nullptr, nullptr)); auto client = TRY(IPC::take_over_accepted_client_from_system_server()); diff --git a/Userland/Utilities/js.cpp b/Userland/Utilities/js.cpp index 1ebfd28c27..85a24ae7e4 100644 --- a/Userland/Utilities/js.cpp +++ b/Userland/Utilities/js.cpp @@ -1207,7 +1207,7 @@ public: ErrorOr serenity_main(Main::Arguments arguments) { #ifdef __serenity__ - TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction")); + TRY(Core::System::pledge("stdio rpath wpath cpath tty sigaction prot_exec")); #endif bool gc_on_every_allocation = false;