From a63330077fa7fad9b2605558164284338ee77b67 Mon Sep 17 00:00:00 2001
From: Andreas Kling
Date: Sun, 3 Jan 2021 12:10:34 +0100
Subject: [PATCH] Browser: Tell LaunchServer we only want to show the downloads directory

Browser only uses LaunchServer for one thing: to open the user's downloads directory after a download is finished. Eventually I'd like to move this functionality to a separate download manager service, but for now, let's at least lock down what Browser is able to ask LaunchServer to do. :^)

---
 Applications/Browser/main.cpp | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/Applications/Browser/main.cpp b/Applications/Browser/main.cpp
index 112bb2633b..2a67e846e0 100644
--- a/Applications/Browser/main.cpp
+++ b/Applications/Browser/main.cpp
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
 #include
@@ -85,7 +86,15 @@ int main(int argc, char** argv)
 // Connect to the ProtocolServer immediately so we can drop the "unix" pledge.
 Web::ResourceLoader::the();
 
-// FIXME: Once there is a standalone Download Manager, we can drop the "unix" pledge.
+// Connect to LaunchServer immediately and let it know that we won't ask for anything other than opening
+// the user's downloads directory.
+// FIXME: This should go away with a standalone download manager at some point.
+if (!Desktop::Launcher::add_allowed_url(URL::create_with_file_protocol(Core::StandardPaths::downloads_directory()))
+|| !Desktop::Launcher::seal_allowlist()) {
+warnln("Failed to set up allowed launch URLs");
+return 1;
+}
+
 if (pledge("stdio shared_buffer accept unix cpath rpath wpath sendfd recvfd", nullptr) < 0) {
 perror("pledge");
 return 1;
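Review bot: The new comment says what the allowlist contains but not why it is built at this exact point, before pledge() and the unveil() calls further down: the LaunchServer socket has to be open before unveil restricts the filesystem (which is what lets the `/tmp/portal/launch` unveil go in the next hunk), and sealing before any other code runs is what makes the lock-down hold. Suggest extending the comment with `// Must run before pledge()/unveil() below: the socket is opened now, and the allowlist is sealed before any code path could ask LaunchServer to open something else.` Whether add_allowed_url() permits only this exact URL or anything beneath the downloads directory is not visible here; if it is prefix-based, saying so in the comment would help the next reader judge the exposure. Failing closed with `return 1` when either call fails is the right choice and worth keeping as-is. main()'s body continues outside the hunk.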
@@ -106,12 +115,6 @@ int main(int argc, char** argv)
 return 1;
 }
 
-// FIXME: Once there is a standalone Download Manager, we don't need to unveil this
-if (unveil("/tmp/portal/launch", "rw") < 0) {
-perror("unveil");
-return 1;
-}
-
 if (unveil("/tmp/portal/image", "rw") < 0) {
 perror("unveil");
 return 1;