<div dir="ltr"><div class="gmail_extra"><div class="gmail_quote">On Thu, Aug 3, 2017 at 4:13 AM, Alex Lorenz via Phabricator via cfe-commits <span dir="ltr"><<a href="mailto:cfe-commits@lists.llvm.org" target="_blank">cfe-commits@lists.llvm.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">arphaman added a comment.<br>
<span class="gmail-m_-2918026198520022321gmail-"><br>
In <a href="https://reviews.llvm.org/D27827#829661" rel="noreferrer" target="_blank">https://reviews.llvm.org/D2782<wbr>7#829661</a>, @thakis wrote:<br>
<br>
> We just noticed that if you call __builtin_available() for the first time after activating your app's sandbox, the function will fail:<br>
><br>
> SandboxViolation: crdmg(15489) deny file-read-data /System/Library/CoreServices/S<wbr>ystemVersion.plist<br>
>  Violation:       deny file-read-data /System/Library/CoreServices/S<wbr>ystemVersion.plist<br>
>  Process:         crdmg [15489]<br>
>  Path:            /Volumes/Build/src/./out/relea<wbr>se/crdmg<br>
><br>
> Thread 0 (id: 421251):<br>
>  0   libsystem_kernel.dylib           0x00007fffe94a1a86 __open_nocancel + 10<br>
>  1   crdmg                            0x000000010444be98 parseSystemVersionPList + 360<br>
>  2                                    0xec83485354415541<br>
<br>
<br>
</span>Hmm, never saw this before. Please post your exact configuration - clang/compiler-rt versions, OS version, toolchain & SDK. Is it possible to get a reproducer?<br></blockquote><div><br></div><div>It's in this program, which is pretty stand-alone: <a href="https://cs.chromium.org/chromium/src/chrome/utility/safe_browsing/mac/crdmg.cc?q=crdmg&sq=package:chromium&l=95" target="_blank">https://cs.<wbr>chromium.org/chromium/src/<wbr>chrome/utility/safe_browsing/<wbr>mac/crdmg.cc?q=crdmg&sq=<wbr>package:chromium&l=95</a> EnableSandbox() is on line 134. clang, compiler-rt are trunk from 2 weeks ago, SDK is 10.12, os 10.12.5. I don't think the particular version numbers matter too much though. Here's a standalone demo:</div><div><br></div><div><div>thakis-macpro:src thakis$ cat foo.cc</div><div>#include <sandbox.h></div><div>int main() {</div><div>  const char sbox[] = "(version 1) (deny default)";</div><div>  char* err;</div><div>  ::sandbox_init(sbox, 0, &err);</div><div>  if (__builtin_available(macos 10.10, *))</div><div>    return 32;</div><div>  else</div><div>    return 14;</div><div>}</div><div>thakis-macpro:src thakis$ third_party/llvm-build/Release+Asserts/bin/clang -o foo foo.cc -isysroot $(xcrun -show-sdk-path) -mmacosx-version-min=10.9 -w && ./foo</div><div>thakis-macpro:src thakis$ echo $?</div><div>14</div></div><div><div>thakis-macpro:src thakis$ sw_vers -productVersion</div><div>10.12.5</div></div><div><br></div><div>After running that, look for "sandbox" in console.app to find the "deny file-read-data".</div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div class="gmail-m_-2918026198520022321gmail-HOEnZb"><div class="gmail-m_-2918026198520022321gmail-h5"><br>
<br>
Repository:<br>
  rL LLVM<br>
<br>
<a href="https://reviews.llvm.org/D27827" rel="noreferrer" target="_blank">https://reviews.llvm.org/D2782<wbr>7</a><br>
<br>
<br>
<br>
</div></div></blockquote></div><br></div></div>