Bug 1543830 - Add Mac Hardened Runtime entitlement files to the tree r=spohl

Add entitlement files for Hardened Runtime configuration to be used by Release Engineering for official builds and try builds and developers for local builds. These entitlement files are input to the codesign command. Hardened Runtime and codesigning is not yet enabled for local builds or try builds so for now these files will only be used by Release Engineering. production.entitlements.xml is intended to be used for official channel builds that will be codesigned, notarized, and shipped to users. developer.entitlements.xml is intended to be used for developer and try builds that will be codesigned, but not notarized or shipped to users. The developer file enables debugging which is not compatible with notarization, but is otherwise the same as the production file. codesign.bash is a stop-gap script to allow developers who setup Apple Developer ID certificates to codesign Nightly themselves and enabled Hardened Runtime. Differential Revision: https://phabricator.services.mozilla.com/D27396 --HG-- extra : moz-landing-system : lando
2024-11-24 21:31:04 +00:00 · 2019-04-18 15:56:00 +00:00 · 2019-04-18 15:56:00 +00:00 · 73b7f5c089
commit 73b7f5c089
parent b278ac4263
3 changed files with 227 additions and 0 deletions
--- a/security/mac/hardenedruntime/codesign.bash
+++ b/security/mac/hardenedruntime/codesign.bash
@ -0,0 +1,135 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
+# Hardened Runtime. Intended to be manually run by developers working on macOS
+# 10.14 who want to enable Hardened Runtime for manual testing. This is
+# provided as a stop-gap until automated build tooling is available that signs
+# binaries with a certificate generated during builds (bug 1522409). This
+# script requires macOS 10.14 because Hardened Runtime is only available for
+# applications running on 10.14 despite support for the codesign "-o runtime"
+# option being available in 10.13.6 and newer.
+#
+# The script requires an identity string (-i option) from an Apple Developer
+# ID certificate. This can be found in the macOS KeyChain after configuring an
+# Apple Developer ID certificate.
+#
+# Example usage on macOS 10.14:
+#
+#   $ ./mach build
+#   $ ./mach build package
+#   $ open </PATH/TO/DMG/FILE.dmg>
+#   <Drag Nightly.app to ~>
+#   $ ./security/mac/hardenedruntime/codesign.bash \
+#         -a ~/Nightly.app \
+#         -i <MY-IDENTITY-STRING> \
+#         -e security/mac/hardenedruntime/developer.entitlements.xml
+#   $ open ~/Nightly.app
+#
+
+usage ()
+{
+  echo  "Usage: $0 "
+  echo  "    -a <PATH-TO-BROWSER.app>"
+  echo  "    -i <IDENTITY>"
+  echo  "    -e <ENTITLEMENTS-FILE>"
+  echo  "    [-o <OUTPUT-ZIP-FILE>]"
+  exit -1
+}
+
+# Make sure we are running on macOS with the sw_vers command available.
+SWVERS=/usr/bin/sw_vers
+if [ ! -x ${SWVERS} ]; then
+    echo "ERROR: macOS 10.14 or later is required"
+    exit -1
+fi
+
+# Require macOS 10.14 or newer.
+OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
+if [ ${OSVERSION} \< 14 ]; then
+    echo "ERROR: macOS 10.14 or later is required"
+    exit -1
+fi
+
+while getopts "a:i:e:o:" opt; do
+  case ${opt} in
+    a ) BUNDLE=$OPTARG ;;
+    i ) IDENTITY=$OPTARG ;;
+    e ) ENTITLEMENTS_FILE=$OPTARG ;;
+    o ) OUTPUT_ZIP_FILE=$OPTARG ;;
+    \? ) usage; exit -1 ;;
+  esac
+done
+
+if [ -z "${BUNDLE}" ] ||
+   [ -z "${IDENTITY}" ] ||
+   [ -z "${ENTITLEMENTS_FILE}" ]; then
+    usage
+    exit -1
+fi
+
+if [ ! -d "${BUNDLE}" ]; then
+  echo "Invalid bundle. Bundle should be a .app directory"
+  usage
+  exit -1
+fi
+
+if [ ! -e "${ENTITLEMENTS_FILE}" ]; then
+  echo "Invalid entitlements file"
+  usage
+  exit -1
+fi
+
+# Zip file output flag is optional
+if [ ! -z "${OUTPUT_ZIP_FILE}" ] &&
+   [ -e "${OUTPUT_ZIP_FILE}" ]; then
+  echo "Output zip file ${OUTPUT_ZIP_FILE} exists. Please delete it first."
+  usage
+  exit -1
+fi
+
+echo "-------------------------------------------------------------------------"
+echo "bundle:                        $BUNDLE"
+echo "identity:                      $IDENTITY"
+echo "browser entitlements file:     $ENTITLEMENTS_FILE"
+echo "output zip file (optional):    $OUTPUT_ZIP_FILE"
+echo "-------------------------------------------------------------------------"
+
+# Clear extended attributes which cause codesign to fail
+xattr -cr "${BUNDLE}"
+
+# Sign these binaries first. Signing of some binaries has an ordering
+# requirement where other binaries must be signed first.
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+--entitlements ${ENTITLEMENTS_FILE} \
+"${BUNDLE}/Contents/MacOS/XUL" \
+"${BUNDLE}/Contents/MacOS/pingsender" \
+"${BUNDLE}"/Contents/MacOS/*.dylib \
+"${BUNDLE}"/Contents/MacOS/crashreporter.app/Contents/MacOS/minidump-analyzer \
+"${BUNDLE}"/Contents/MacOS/crashreporter.app/Contents/MacOS/crashreporter \
+"${BUNDLE}"/Contents/MacOS/firefox-bin \
+"${BUNDLE}"/Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container \
+"${BUNDLE}"/Contents/MacOS/updater.app/Contents/MacOS/org.mozilla.updater \
+"${BUNDLE}"/Contents/MacOS/firefox
+
+# Sign all files in the .app
+find "${BUNDLE}" -type f -exec \
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+--entitlements ${ENTITLEMENTS_FILE} {} \;
+
+# Sign the bundle
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+--entitlements ${ENTITLEMENTS_FILE} "${BUNDLE}"
+
+# Validate
+codesign -vvv --deep --strict "${BUNDLE}"
+
+# Zip up the bundle
+if [ ! -z "${OUTPUT_ZIP_FILE}" ]; then
+  echo "Zipping bundle to ${OUTPUT_ZIP_FILE}"
+  ditto -c -k "${BUNDLE}" "${OUTPUT_ZIP_FILE}"
+  echo "Done"
+fi
--- a/security/mac/hardenedruntime/developer.entitlements.xml
+++ b/security/mac/hardenedruntime/developer.entitlements.xml
@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the .app bundle and all executable files
+     contained within it during codesigning of developer builds. These
+     entitlements configure hardened runtime and allow debugging of the
+     application. The com.apple.security.get-task-allow entitlement must be
+     set to true to allow debuggers to attach to application processes but
+     this prohibits notarization with the notary service. Aside from allowing
+     debugging, these entitlements enable hardened runtime protections to the
+     extent possible for Firefox. Supporting binaries within the bundle could
+     use more restrictive entitlements, but they are launched by the main
+     Firefox process and therefore inherit the parent process entitlements.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox does not use MAP_JIT for executable mappings -->
+    <key>com.apple.security.cs.allow-jit</key><false/>
+
+    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Code paged in from disk should match the signature at page-in time -->
+    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables. Needed because Firefox uses
+         dyld variables (such as @executable_path) to load libaries from
+         within the .app bundle. -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Firefox needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Firefox needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+  </dict>
+</plist>
--- a/security/mac/hardenedruntime/production.entitlements.xml
+++ b/security/mac/hardenedruntime/production.entitlements.xml
@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the .app bundle and all executable files
+     contained within it during codesigning of production channel builds that
+     will be notarized. These entitlements enable hardened runtime protections
+     to the extent possible for Firefox. Some supporting binaries within the
+     bundle could use more restrictive entitlements, but they are launched by
+     the main Firefox process and therefore inherit the parent process
+     entitlements.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox does not use MAP_JIT for executable mappings -->
+    <key>com.apple.security.cs.allow-jit</key><false/>
+
+    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Code paged in from disk should match the signature at page in-time -->
+    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables. Needed because Firefox uses
+         dyld variables (such as @executable_path) to load libaries from
+         within the .app bundle. -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Don't allow debugging of the executable. Debuggers will be prevented
+         from attaching to running executables. Notarization does not permit
+         access to get-task-allow (as documented by Apple) so this must be
+         disabled on notarized builds. -->
+    <key>com.apple.security.get-task-allow</key><false/>
+
+    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Firefox needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Firefox needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+  </dict>
+</plist>