On behalf of @Kr1sso
Initial draft for EndpointSecurity-based sandbox support on macOS Catalina and higher. This is here to test and prototype a new sandbox for the upcoming OS release, as kernel extensions are deprecated and will soon be forbidden.
Important
This currently only runs on systems with SIP disabled, using superuser privileges and signing the bxl binary with a valid developer certificate before executing!
```
codesign --entitlements Private/macOS/sandbox.entitlements Out/Bin/Debug/osx-x64/bxl -s XYZ
```
A valid signing key (replace XYZ) can be obtained by using a registered MS developer account connected with an AppleID.
Running
```
security find-identity -v -p codesigning
```
will list those if any are available on the system.
- don't define the FEATURE_MICROSOFT_DIAGNOSTICS_TRACING constant for any builds
- remove all importFrom("Microsoft.Diagnostics.Tracing.EventSource.Redist").pkg
- remove all importFrom("Microsoft.Diagnostics.Tracing.TraceEvent").pkg
- remove all importFrom("Microsoft.Applications.Telemetry.Desktop").pkg
- add #if NET_FRAMEWORK_451 hacks to work around missing tracing features in .NET Framework 4.5.1
In this change we hook up the mechanism for running a pip in a VM.
Interaction with the VM is via the so-called VmCommandProxy, which is provided by the CB team. Instead of calling the methods of VmCommandProxy, we launch the VmCommandProxy executable with specific commands. In this way, we don't need to be bound by the .NET framework used by VmCommandProxy.
Currently, VM initialization requires a username/password because it has to create a drive map from the VM back to the host. This will change soon. The changes in this PR will enable us to test running a pip in a VM in the CI/CBTest environment.
Before this PR, on every trie operation a leaf node corresponding to a given key is retrieved, creating any intermediate nodes along the way.
This is unnecessary for lookup operations. When the key does not exist in the trie, instead of traversing the trie until a leaf node is found and creating all intermediate nodes along the way, the lookup should fail as soon as an intermediate node is not found.
As a consequence of the previous implementation, if a process connects to the kext and then immediately disconnects, that alone causes the size of the `connectedClients_` dictionary to monotonically grow. This can become a problem because those nodes are released only when the kext is unloaded.
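The lookup-miss behaviour described above, as an added example that is not the kext's own code: a small C++ trie with a node counter contrasts the pre-fix find-or-create lookup with a lookup that fails as soon as an intermediate node is missing. Names (`Trie`, `walk`, `nodesAfterMiss`) and the keys used are assumptions for illustration.

```cpp
#include <cstddef>
#include <map>
#include <memory>
#include <string>

// Hypothetical trie (not the kext's own code) with a node counter, so the
// memory effect of a lookup miss can be observed.
class Trie {
public:
    void insert(const std::string& key, int value) {
        Node* n = walk(key, true);  // allocation is expected on the insert path
        n->hasValue = true; n->value = value;
    }
    // Pre-fix behaviour: lookup reuses the find-or-create walk, so every miss
    // allocates the missing intermediate nodes and they are never released.
    bool lookupCreating(const std::string& key, int& out) { return read(walk(key, true), out); }
    // Fixed behaviour: fail as soon as an intermediate node is absent.
    bool lookup(const std::string& key, int& out) { return read(walk(key, false), out); }
    std::size_t nodeCount() const { return nodeCount_; }
private:
    struct Node { std::map<char, std::unique_ptr<Node>> children; bool hasValue = false; int value = 0; };
    // Follows key from the root; with create == false a missing child ends the
    // walk with nullptr instead of allocating a node.
    Node* walk(const std::string& key, bool create) {
        Node* n = &root_;
        for (char c : key) {
            auto it = n->children.find(c);
            if (it == n->children.end()) {
                if (!create) return nullptr;
                it = n->children.emplace(c, std::make_unique<Node>()).first;
                ++nodeCount_;
            }
            n = it->second.get();
        }
        return n;
    }
    static bool read(const Node* n, int& out) {
        if (n == nullptr || !n->hasValue) return false;
        out = n->value; return true;
    }
    Node root_;
    std::size_t nodeCount_ = 0;
};

// Inserts "abc", looks up the missing "abd", returns node count: 3 fixed, 4 creating.
std::size_t nodesAfterMiss(bool useCreatingLookup) {
    Trie t; t.insert("abc", 1); int v = 0;
    if (useCreatingLookup) t.lookupCreating("abd", v); else t.lookup("abd", v);
    return t.nodeCount();
}
```

Repeated misses with the creating lookup keep adding nodes that only go away when the trie itself is destroyed, which is the growth the text describes.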
This change introduces a so-called sandboxed process executor tool that takes a sandboxed process info as an input and outputs a sandboxed process result containing details of file accesses.
The tool will be used to run process pips that require admin privilege, and the tool will run inside a VM. Traditionally, BuildXL in SandboxedProcessPipExecutor will create a detoured child process and communicate with the child process by means of pipes. For process pips that require admin, SandboxedProcessPipExecutor will (1) serialize the sandboxed process info, (2) launch the sandboxed process executor tool, and (3) deserialize the sandboxed process result produced in (2).
The sandboxed process executor tool will either replace QuickBuild's Tracker.exe or be called by QuickBuild's Tracker.exe. The cutting layer allows the two scenarios to be done, but the latter is the easiest.
This will be useful because being able to control the bundle identifier and buildxl class prefix from a single place will allow us to easily build and simultaneously load multiple versions of our kext (e.g., one for LKG and one for tests).
* Restore all script exec permissions, update Readme.md with better macOS instructions
* Always run sandboxed when building internal
* Exec permission adjustment for all scripts