From 88730990d7f94fab6ee5602ea26cf54564283e95 Mon Sep 17 00:00:00 2001
From: Erik Joelsson <erikj@openjdk.org>
Date: Fri, 15 May 2020 06:14:17 -0700
Subject: [PATCH] 8244951: Missing entitlements for hardened runtime

Reviewed-by: tbell
---
 make/common/NativeCompilation.gmk              | 15 ++++++++++++++-
 .../{entitlements.plist => default.plist}      |  0
 make/data/macosxsigning/java.plist             | 18 ++++++++++++++++++
 make/data/macosxsigning/jspawnhelper.plist     |  8 ++++++++
 4 files changed, 40 insertions(+), 1 deletion(-)
 rename make/data/macosxsigning/{entitlements.plist => default.plist} (100%)
 create mode 100644 make/data/macosxsigning/java.plist
 create mode 100644 make/data/macosxsigning/jspawnhelper.plist

diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk
index 4bce970dd3..1b30ff9e4f 100644
--- a/make/common/NativeCompilation.gmk
+++ b/make/common/NativeCompilation.gmk
@@ -266,6 +266,19 @@ else
   endif
 endif
 
+################################################################################
+# GetEntitlementsFile
+# Find entitlements file for executable when signing on macosx. If no
+# specialized file is found, returns the default file.
+# $1 Executable to find entitlements file for.
+ENTITLEMENTS_DIR := $(TOPDIR)/make/data/macosxsigning
+DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default.plist
+
+GetEntitlementsFile = \
+    $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1)).plist, \
+      $(if $(wildcard $f), $f, $(DEFAULT_ENTITLEMENTS_FILE)) \
+    )
+
 ################################################################################
 # Create the recipe needed to compile a single native source file.
 #
@@ -1183,7 +1196,7 @@ define SetupNativeCompilationBody
                 # silently fail otherwise.
                 ifneq ($(CODESIGN), )
 		  $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
-		  --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
+		      --entitlements $$(call GetEntitlementsFile, $$@) $$@
                 endif
   endif
 
diff --git a/make/data/macosxsigning/entitlements.plist b/make/data/macosxsigning/default.plist
similarity index 100%
rename from make/data/macosxsigning/entitlements.plist
rename to make/data/macosxsigning/default.plist
diff --git a/make/data/macosxsigning/java.plist b/make/data/macosxsigning/java.plist
new file mode 100644
index 0000000000..b6f2a13ffa
--- /dev/null
+++ b/make/data/macosxsigning/java.plist
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+    <key>com.apple.security.cs.debugger</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+</dict>
+</plist>
diff --git a/make/data/macosxsigning/jspawnhelper.plist b/make/data/macosxsigning/jspawnhelper.plist
new file mode 100644
index 0000000000..484f4e0152
--- /dev/null
+++ b/make/data/macosxsigning/jspawnhelper.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+  </dict>
+</plist>