build/macosx/hardenedruntime/developer.entitlements.xml
author Rob Lemley <rob@thunderbird.net>
Thu, 02 Sep 2021 06:23:00 -0400
changeset 33596 59bfc8893d6c51f280c99c7b3adbfa65993732a4
parent 28177 c94a552514bb19d9295a395195be22c93e8ca911
child 36018 e86e4b46473a1a0601a14e946ac46b08cc52a5a3
permissions -rw-r--r--
No bug - temporarily disable daily build. rs=rjl DONTBUILD

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!--
     Entitlements to apply to the .app bundle and all executable files
     contained within it during codesigning of developer builds. These
     entitlements configure hardened runtime and allow debugging of the
     application. The com.apple.security.get-task-allow entitlement must be
     set to true to allow debuggers to attach to application processes but
     this prohibits notarization with the notary service. Aside from allowing
     debugging, these entitlements enable hardened runtime protections to the
     extent possible for Thunderbird. Supporting binaries within the bundle could
     use more restrictive entitlements, but they are launched by the main
     Thunderbird process and therefore inherit the parent process entitlements.
     This file is based on the developer.entitlements.xml file used for Firefox.
-->
<plist version="1.0">
  <dict>
    <!-- Thunderbird does not use MAP_JIT for executable mappings -->
    <key>com.apple.security.cs.allow-jit</key><false/>

    <!-- Thunderbird needs to create executable pages (without MAP_JIT) -->
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>

    <!-- Code paged in from disk should match the signature at page-in time -->
    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>

    <!-- Allow loading third party libraries. Possibly needed by some legacy extensions. -->
    <key>com.apple.security.cs.disable-library-validation</key><true/>

    <!-- Allow dyld environment variables. Needed because Thunderbird uses
         dyld variables to load libraries from within the .app bundle. -->
    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>

    <!-- Allow debuggers to attach to running executables -->
    <key>com.apple.security.get-task-allow</key><true/>

    <!-- Thunderbird needs to access the microphone on sites the user allows -->
    <key>com.apple.security.device.audio-input</key><true/>

    <!-- Thunderbird needs to access the camera on sites the user allows -->
    <key>com.apple.security.device.camera</key><true/>

    <!-- Thunderbird needs to access the location on sites the user allows -->
    <key>com.apple.security.personal-information.location</key><true/>

    <!-- Thunderbird uses the macOS addressbook for contacts storage. -->
    <key>com.apple.security.personal-information.addressbook</key><true/>

    <!-- Allow Thunderbird to send Apple events to other applications. Needed
         for native messaging webextension helper applications launched by
         Thunderbird which rely on Apple Events to signal other processes. -->
    <key>com.apple.security.automation.apple-events</key><true/>

    <!-- For SmartCardServices(7) -->
    <key>com.apple.security.smartcard</key><true/>
  </dict>
</plist>