From 2820fab6188306aac861ad43ed65e794bd13d47a Mon Sep 17 00:00:00 2001
From: Daniel Darnell <daniel@thunderbird.net>
Date: Wed, 20 Sep 2023 06:12:41 +0000
Subject: [PATCH] Bug 1853891 - Port bug 1593072: Use different entitlement
 files for child processes and other resources. r=darktrojan

Differential Revision: https://phabricator.services.mozilla.com/D188680

--HG--
rename : build/macosx/hardenedruntime/developer.entitlements.xml => build/macosx/hardenedruntime/v1/developer/browser.xml
rename : build/macosx/hardenedruntime/production.entitlements.xml => build/macosx/hardenedruntime/v1/production/browser.xml
extra : amend_source : 93cf7e9e69132659ba67a944171c658fabe3e907
---
 .../developer/browser.xml}                    |  0
 .../production/browser.xml}                   |  0
 .../hardenedruntime/v2/developer/browser.xml  | 37 +++++++++
 .../v2/developer/media-plugin-helper.xml      | 18 +++++
 .../v2/developer/plugin-container.xml         | 25 ++++++
 .../hardenedruntime/v2/developer/utility.xml  | 20 +++++
 .../hardenedruntime/v2/production/browser.xml | 27 +++++++
 .../v2/production/media-plugin-helper.xml     | 12 +++
 .../v2/production/plugin-container.xml        | 15 ++++
 taskcluster/ci/config.yml                     | 79 +++++++++++++++++--
 tools/lint/license.yml                        | 11 ++-
 11 files changed, 236 insertions(+), 8 deletions(-)
 rename build/macosx/hardenedruntime/{developer.entitlements.xml => v1/developer/browser.xml} (100%)
 rename build/macosx/hardenedruntime/{production.entitlements.xml => v1/production/browser.xml} (100%)
 create mode 100644 build/macosx/hardenedruntime/v2/developer/browser.xml
 create mode 100644 build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml
 create mode 100644 build/macosx/hardenedruntime/v2/developer/plugin-container.xml
 create mode 100644 build/macosx/hardenedruntime/v2/developer/utility.xml
 create mode 100644 build/macosx/hardenedruntime/v2/production/browser.xml
 create mode 100644 build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml
 create mode 100644 build/macosx/hardenedruntime/v2/production/plugin-container.xml

diff --git a/build/macosx/hardenedruntime/developer.entitlements.xml b/build/macosx/hardenedruntime/v1/developer/browser.xml
similarity index 100%
rename from build/macosx/hardenedruntime/developer.entitlements.xml
rename to build/macosx/hardenedruntime/v1/developer/browser.xml
diff --git a/build/macosx/hardenedruntime/production.entitlements.xml b/build/macosx/hardenedruntime/v1/production/browser.xml
similarity index 100%
rename from build/macosx/hardenedruntime/production.entitlements.xml
rename to build/macosx/hardenedruntime/v1/production/browser.xml
diff --git a/build/macosx/hardenedruntime/v2/developer/browser.xml b/build/macosx/hardenedruntime/v2/developer/browser.xml
new file mode 100644
index 0000000000..81f280065f
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/developer/browser.xml
@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+    Entitlements to apply to the main browser process executable during
+    codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Thunderbird needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables for gtests and debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- Thunderbird needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Thunderbird needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Thunderbird needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- For SmartCardServices(7) -->
+    <key>com.apple.security.smartcard</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml b/build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml
new file mode 100644
index 0000000000..86d376d87c
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml
@@ -0,0 +1,18 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the media-plugin-helper.app bundle during
+     codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party CDM libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/developer/plugin-container.xml b/build/macosx/hardenedruntime/v2/developer/plugin-container.xml
new file mode 100644
index 0000000000..33c2c9f2af
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/developer/plugin-container.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the plugin-container.app bundle during
+     codesigning of developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Thunderbird needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/developer/utility.xml b/build/macosx/hardenedruntime/v2/developer/utility.xml
new file mode 100644
index 0000000000..3c4f73e80b
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/developer/utility.xml
@@ -0,0 +1,20 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to non-browser executables such as updater,
+     pingsender, minidump-analyzer, and crashreporter during codesigning of
+     developer builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow dyld environment variables for debugging -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- For dev builds only, allow loading third party libraries as a
+         workaround enabling self-signed builds to launch. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/production/browser.xml b/build/macosx/hardenedruntime/v2/production/browser.xml
new file mode 100644
index 0000000000..d149595309
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/production/browser.xml
@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the main browser process executable during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Thunderbird needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+
+    <!-- Thunderbird needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Thunderbird needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Thunderbird needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- For SmartCardServices(7) -->
+    <key>com.apple.security.smartcard</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml b/build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml
new file mode 100644
index 0000000000..8ea97fc742
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the media-plugin-helper.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Allow loading third party CDM libraries -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+  </dict>
+</plist>
diff --git a/build/macosx/hardenedruntime/v2/production/plugin-container.xml b/build/macosx/hardenedruntime/v2/production/plugin-container.xml
new file mode 100644
index 0000000000..0d911c979c
--- /dev/null
+++ b/build/macosx/hardenedruntime/v2/production/plugin-container.xml
@@ -0,0 +1,15 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the plugin-container.app bundle during
+     codesigning of production channel builds.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird needs to create executable pages without MAP_JIT on x64 -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Thunderbird needs to create executable pages with MAP_JIT on aarch64 -->
+    <key>com.apple.security.cs.allow-jit</key><true/>
+  </dict>
+</plist>
diff --git a/taskcluster/ci/config.yml b/taskcluster/ci/config.yml
index b38342dc9d..9c5334d4e2 100644
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -295,8 +295,8 @@ mac-notarization:
         by-platform:
             macosx64.*:
                 by-release-level:
-                    production: comm/build/macosx/hardenedruntime/production.entitlements.xml
-                    default: comm/build/macosx/hardenedruntime/developer.entitlements.xml
+                    production: comm/build/macosx/hardenedruntime/v1/production/browser.xml
+                    default: comm/build/macosx/hardenedruntime/v1/developer/browser.xml
             default: ''
     mac-requirements:
         by-platform:
@@ -310,18 +310,85 @@ mac-signing:
                 - deep: false
                   runtime: true
                   force: true
-                  entitlements: comm/build/macosx/hardenedruntime/production.entitlements.xml
+                  entitlements: comm/build/macosx/hardenedruntime/v2/production/plugin-container.xml
+                  globs:
+                      - "/Contents/MacOS/plugin-container.app"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  entitlements: comm/build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml
+                  globs:
+                      - "/Contents/MacOS/media-plugin-helper.app"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  # These files are signed without entitlements
+                  globs:
+                      - "/Contents/MacOS/crashreporter.app"
+                      - "/Contents/MacOS/updater.app"
+                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/Spotlight/thunderbird.mdimporter"
+                      - "/Contents/MacOS/XUL"
+                      - "/Contents/MacOS/pingsender"
+                      - "/Contents/MacOS/minidump-analyzer"
+                      - "/Contents/MacOS/*.dylib"
+                      - "/Contents/MacOS/rnp-cli"
+                      - "/Contents/MacOS/rnpkeys"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  entitlements: comm/build/macosx/hardenedruntime/v2/production/browser.xml
                   globs:
                       - "/Contents/MacOS/thunderbird-bin"
-                      - "/"
+                      - "/"  # The .app
+
             default:
                 - deep: false
                   runtime: true
                   force: true
-                  entitlements: comm/build/macosx/hardenedruntime/developer.entitlements.xml
+                  entitlements: comm/build/macosx/hardenedruntime/v2/developer/plugin-container.xml
+                  globs:
+                      - "/Contents/MacOS/plugin-container.app"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  entitlements: comm/build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml
+                  globs:
+                      - "/Contents/MacOS/media-plugin-helper.app"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  entitlements: comm/build/macosx/hardenedruntime/v2/developer/utility.xml
+                  globs:
+                      - "/Contents/MacOS/crashreporter.app"
+                      - "/Contents/MacOS/updater.app"
+                      - "/Contents/Library/LaunchServices/org.mozilla.updater"
+                      - "/Contents/Library/Spotlight/thunderbird.mdimporter"
+                      - "/Contents/MacOS/pingsender"
+                      - "/Contents/MacOS/minidump-analyzer"
+                      - "/Contents/MacOS/rnp-cli"
+                      - "/Contents/MacOS/rnpkeys"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  # These files are signed without entitlements
+                  globs:
+                      - "/Contents/MacOS/XUL"
+                      - "/Contents/MacOS/*.dylib"
+
+                - deep: false
+                  runtime: true
+                  force: true
+                  entitlements: comm/build/macosx/hardenedruntime/v2/developer/browser.xml
                   globs:
                       - "/Contents/MacOS/thunderbird-bin"
-                      - "/"
+                      - "/"  # The .app
 
 expiration-policy:
     by-project:
diff --git a/tools/lint/license.yml b/tools/lint/license.yml
index 255d06595a..f83eedb073 100644
--- a/tools/lint/license.yml
+++ b/tools/lint/license.yml
@@ -5,8 +5,15 @@ license:
         - comm/
     exclude:
         # By design
-        - comm/build/macosx/hardenedruntime/developer.entitlements.xml
-        - comm/build/macosx/hardenedruntime/production.entitlements.xml
+        - comm/build/macosx/hardenedruntime/v1/developer/browser.xml
+        - comm/build/macosx/hardenedruntime/v1/production/browser.xml
+        - comm/build/macosx/hardenedruntime/v2/developer/browser.xml
+        - comm/build/macosx/hardenedruntime/v2/developer/media-plugin-helper.xml
+        - comm/build/macosx/hardenedruntime/v2/developer/plugin-container.xml
+        - comm/build/macosx/hardenedruntime/v2/developer/utility.xml
+        - comm/build/macosx/hardenedruntime/v2/production/browser.xml
+        - comm/build/macosx/hardenedruntime/v2/production/media-plugin-helper.xml
+        - comm/build/macosx/hardenedruntime/v2/production/plugin-container.xml
         # License not super clear, Firefox excludes its branding
         - comm/mail/branding/
         # Mostly empty file