Block potential of code injection via macOS' dynamic linker for improved security

[pingu-the-penguin]

The user can enable a column in Activity Monitor to check for a flag called "Restricted" which is a flag that prevents programs from injecting code via macOS's dynamic linker. Ideally, this flag should be set for UBOL to prevent code injection, but it is not. It should not cause any issues as all the app does is prompt you to press on a button but it is better to enable it.

[gorhill]

uBOL is HTML/CSS/JS. Are other content blockers such as AdGuard, Ghostery, or ABP setting this flag?

[pingu-the-penguin]

Hello, I think there may have been a misunderstanding. This flag can only be set for the UBOL application that is installed in the Applications folder and as far as I am aware is separate from the extension that is toggle-able in Safari. I am not in a position to comment whether other adblockers set this flag or not but it is easy to test.

1. Install their app
2. Launch the icon from the Applications folder.
3. Open Activity Monitor go to View -> Columns -> Restricted and tick it.
4. Search the name of the app.
5. Observe if the app itself is restricted or not.

The networking process for the extension already has this flag enabled, likely as a result of Apple enforcing it for extensions. This feature request is just for extending that to the app and it should not cause issues or be much trouble as users rarely interact with that app. Hope this makes more sense.

EDIT: With that said, none of us are in a position to know how the future of the macOS platform would be and whether setting this flag for UBOL would cause a notable security improvement in the future or not. Right now I believe it wouldn't matter that much and would just be a nice to have as a form of defense-in-depth. As long as it doesn't cause issues it's better to enable it.