From 298f1ffaed34dfcb3120146fa884b71dc713ef47 Mon Sep 17 00:00:00 2001
From: Haik Aftandilian <haftandilian@mozilla.com>
Date: Mon, 18 Sep 2023 15:00:10 +0000
Subject: [PATCH] Bug 1593072 - Patch 3 - Add parent process, plugin-container,
 media-plugin-container, and utility entitlement files as v2 versions r=spohl

Add separate entitlement lists for the parent process, plugin-container, and media-plugin-helper executables. Add a utility entitlement list to use for non-browser executables in developer builds to support debugging. For production codesigning versions, only allow loading of unsigned libraries by the media-plugin-helper executable. Limit most entitlements to the parent process executable.

A subsequent fix to taskcluster code will enable the new entitlements.

Other executables in the bundle will have no entitlements.

Differential Revision: https://phabricator.services.mozilla.com/D187245
---
 .../hardenedruntime/v2/developer/browser.xml  | 37 +++++++++++++++++++
 .../v2/developer/media-plugin-helper.xml      | 18 +++++++++
 .../v2/developer/plugin-container.xml         | 25 +++++++++++++
 .../hardenedruntime/v2/developer/utility.xml  | 20 ++++++++++
 .../hardenedruntime/v2/production/browser.xml | 27 ++++++++++++++
 .../v2/production/media-plugin-helper.xml     | 12 ++++++
 .../v2/production/plugin-container.xml        | 15 ++++++++
 tools/lint/license.yml                        |  7 ++++
 8 files changed, 161 insertions(+)
 create mode 100644 security/mac/hardenedruntime/v2/developer/browser.xml
 create mode 100644 security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
 create mode 100644 security/mac/hardenedruntime/v2/developer/plugin-container.xml
 create mode 100644 security/mac/hardenedruntime/v2/developer/utility.xml
 create mode 100644 security/mac/hardenedruntime/v2/production/browser.xml
 create mode 100644 security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
 create mode 100644 security/mac/hardenedruntime/v2/production/plugin-container.xml

diff --git a/security/mac/hardenedruntime/v2/developer/browser.xml b/security/mac/hardenedruntime/v2/developer/browser.xml
new file mode 100644
index 000000000000..33f520143e30
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/developer/browser.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+    Entitlements to apply to the main browser process executable during
+    codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables for gtests and debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Firefox needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Firefox needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- For SmartCardServices(7) -->
+    <key>com.apple.security.smartcard</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml b/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
new file mode 100644
index 000000000000..86d376d87cd6
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the media-plugin-helper.app bundle during
+     codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party CDM libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/developer/plugin-container.xml b/security/mac/hardenedruntime/v2/developer/plugin-container.xml
new file mode 100644
index 000000000000..7bed5fc2b8d8
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/developer/plugin-container.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the plugin-container.app bundle during
+     codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/developer/utility.xml b/security/mac/hardenedruntime/v2/developer/utility.xml
new file mode 100644
index 000000000000..3c4f73e80bbc
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/developer/utility.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to non-browser executables such as updater,
+     pingsender, minidump-analyzer, and crashreporter during codesigning of
+     developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/production/browser.xml b/security/mac/hardenedruntime/v2/production/browser.xml
new file mode 100644
index 000000000000..287757dff785
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/production/browser.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the main browser process executable during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- Firefox needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Firefox needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Firefox needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- For SmartCardServices(7) -->
+    <key>com.apple.security.smartcard</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml b/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
new file mode 100644
index 000000000000..8ea97fc742e5
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the media-plugin-helper.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party CDM libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/v2/production/plugin-container.xml b/security/mac/hardenedruntime/v2/production/plugin-container.xml
new file mode 100644
index 000000000000..cfc79f1d21e3
--- /dev/null
+++ b/security/mac/hardenedruntime/v2/production/plugin-container.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the plugin-container.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Firefox needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Firefox needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+  </dict>
+</plist>
diff --git a/tools/lint/license.yml b/tools/lint/license.yml
index fb4bec7fbf34..9079023c334d 100644
--- a/tools/lint/license.yml
+++ b/tools/lint/license.yml
@@ -50,6 +50,13 @@ license:
         - python/mozrelease/mozrelease
         - security/mac/hardenedruntime/v1/production/browser.xml
         - security/mac/hardenedruntime/v1/developer/browser.xml
+        - security/mac/hardenedruntime/v2/developer/browser.xml
+        - security/mac/hardenedruntime/v2/developer/media-plugin-helper.xml
+        - security/mac/hardenedruntime/v2/developer/plugin-container.xml
+        - security/mac/hardenedruntime/v2/developer/utility.xml
+        - security/mac/hardenedruntime/v2/production/browser.xml
+        - security/mac/hardenedruntime/v2/production/media-plugin-helper.xml
+        - security/mac/hardenedruntime/v2/production/plugin-container.xml
         - testing/marionette/harness/marionette_harness/www/
         # Browsertime can't handle this script when there's a comment at the top
         - testing/raptor/browsertime/browsertime_benchmark.js