Bug 1586617 - create macOS entitlements.xml specific to Thunderbird requirements. r=darktrojan a=jorgk
authorRob Lemley <rob@thunderbird.net>
Fri, 11 Oct 2019 00:00:17 -0400
changeset 36691 83f927f560113cda6a04363f2c850af04f6d75bc
parent 36690 62fcda841f60fab2ba5e83854058b25a7cd813aa
child 36692 f4cb19a772165d31af18d595a7a7fbf8e2ed9aae
push id394
push userclokep@gmail.com
push dateMon, 21 Oct 2019 20:22:01 +0000
reviewersdarktrojan, jorgk
bugs1586617
Bug 1586617 - create macOS entitlements.xml specific to Thunderbird requirements. r=darktrojan a=jorgk Thunderbird has been using Firefox's entitlements files since Apple's hardened runtime became a necessity with notarization. However, Thunderbird cannot access macOS's addressbook for contacts when running macOS Mojave or Catalina, necessitating this change.
build/macosx/hardenedruntime/developer.entitlements.xml
build/macosx/hardenedruntime/production.entitlements.xml
taskcluster/ci/config.yml
new file mode 100644
--- /dev/null
+++ b/build/macosx/hardenedruntime/developer.entitlements.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the .app bundle and all executable files
+     contained within it during codesigning of developer builds. These
+     entitlements configure hardened runtime and allow debugging of the
+     application. The com.apple.security.get-task-allow entitlement must be
+     set to true to allow debuggers to attach to application processes but
+     this prohibits notarization with the notary service. Aside from allowing
+     debugging, these entitlements enable hardened runtime protections to the
+     extent possible for Thunderbird. Supporting binaries within the bundle could
+     use more restrictive entitlements, but they are launched by the main
+     Thunderbird process and therefore inherit the parent process entitlements.
+     This file is based on the developer.entitlements.xml file used for Firefox.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird does not use MAP_JIT for executable mappings -->
+    <key>com.apple.security.cs.allow-jit</key><false/>
+
+    <!-- Thunderbird needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Code paged in from disk should match the signature at page-in time -->
+    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+    <!-- Allow loading third party libraries. Possibly needed by some legacy extensions. -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables. Needed because Thunderbird uses
+         dyld variables to load libaries from within the .app bundle. -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Allow debuggers to attach to running executables -->
+    <key>com.apple.security.get-task-allow</key><true/>
+
+    <!-- Thunderbird needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Thunderbird needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Thunderbird needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- Thunderbird uses the macOS addressbook for contacts storage. -->
+    <key>com.apple.security.personal-information.addressbook</key><true/>
+
+    <!-- Allow Thunderbird to send Apple events to other applications. Needed
+         for native messaging webextension helper applications launched by
+         Thunderbird which rely on Apple Events to signal other processes. -->
+    <key>com.apple.security.automation.apple-events</key><true/>
+  </dict>
+</plist>
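Review bot: The comment on `com.apple.security.cs.allow-dyld-environment-variables` misspells "libraries" (`dyld variables to load libaries from within the .app bundle.`); the same typo appears in the same comment in production.entitlements.xml. Separately, `com.apple.security.cs.disable-library-validation` is the entitlement that most reduces hardened-runtime coverage, yet its rationale is only `Possibly needed by some legacy extensions.`; if the need is confirmed the comment should say what requires it, and otherwise a note that the setting is to be revisited once legacy extensions are no longer supported would help the next maintainer. Library validation and the dyld-variable restriction are the two checks that gate which code a signed process may load, so with both disabled the bundle's own signature is the only remaining control, and the two comments could reference each other to make that trade-off visible.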
new file mode 100644
--- /dev/null
+++ b/build/macosx/hardenedruntime/production.entitlements.xml
@@ -0,0 +1,54 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+     Entitlements to apply to the .app bundle and all executable files
+     contained within it during codesigning of production channel builds that
+     will be notarized. These entitlements enable hardened runtime protections
+     to the extent possible for Thunderbird. Some supporting binaries within the
+     bundle could use more restrictive entitlements, but they are launched by
+     the main Thunderbird process and therefore inherit the parent process
+     entitlements.
+     This file is based on the production.entitlements.xml file used for Firefox.
+-->
+<plist version="1.0">
+  <dict>
+    <!-- Thunderbird does not use MAP_JIT for executable mappings -->
+    <key>com.apple.security.cs.allow-jit</key><false/>
+
+    <!-- Thunderbird needs to create executable pages (without MAP_JIT) -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+    <!-- Code paged in from disk should match the signature at page in-time -->
+    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+    <!-- Allow loading third party libraries. Possibly needed by some legacy extensions.  -->
+    <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+    <!-- Allow dyld environment variables. Needed because Thunderbird uses
+         dyld variables to load libaries from within the .app bundle. -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+    <!-- Don't allow debugging of the executable. Debuggers will be prevented
+         from attaching to running executables. Notarization does not permit
+         access to get-task-allow (as documented by Apple) so this must be
+         disabled on notarized builds. -->
+    <key>com.apple.security.get-task-allow</key><false/>
+
+    <!-- Thunderbird needs to access the microphone on sites the user allows -->
+    <key>com.apple.security.device.audio-input</key><true/>
+
+    <!-- Thunderbird needs to access the camera on sites the user allows -->
+    <key>com.apple.security.device.camera</key><true/>
+
+    <!-- Thunderbird needs to access the location on sites the user allows -->
+    <key>com.apple.security.personal-information.location</key><true/>
+
+    <!-- Thunderbird uses the macOS addressbook for contacts storage. -->
+    <key>com.apple.security.personal-information.addressbook</key><true/>
+
+    <!-- Allow Thunderbird to send Apple events to other applications. Needed
+         for native messaging webextension helper applications launched by
+         Thunderbird which rely on Apple Events to signal other processes. -->
+    <key>com.apple.security.automation.apple-events</key><true/>
+  </dict>
+</plist>
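Review bot: The explanatory comments have already drifted from developer.entitlements.xml in this initial revision: `page in-time` here versus `page-in time` in the developer file, and a doubled space before `-->` in the library-validation comment. Since the two files are meant to differ only in `com.apple.security.get-task-allow`, a sentence in the header comment such as `Keep in sync with developer.entitlements.xml; only get-task-allow should differ.` (with the mirror sentence in the developer file) would make that contract explicit and give reviewers something to check against on future edits.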
--- a/taskcluster/ci/config.yml
+++ b/taskcluster/ci/config.yml
@@ -166,11 +166,11 @@ mac-notarization:
             nightly.*: mac_notarize
             beta.*: mac_notarize
             release.*: mac_notarize
             default: mac_sign_and_pkg
     mac-entitlements:
         by-platform:
             macosx64.*:
                 by-release-level:
-                    production: security/mac/hardenedruntime/production.entitlements.xml
-                    default: security/mac/hardenedruntime/developer.entitlements.xml
+                    production: comm/build/macosx/hardenedruntime/production.entitlements.xml
+                    default: comm/build/macosx/hardenedruntime/developer.entitlements.xml
             default: ''
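Review bot: The new `comm/build/macosx/hardenedruntime/...` values assume `mac-entitlements` is resolved relative to a mozilla-central checkout with comm/ nested inside it, which nothing in this hunk shows; a comment above the `production:` line, e.g. `# Paths are relative to the mozilla-central checkout; comm/ holds Thunderbird's own entitlements.`, would record that assumption. It is also worth noting in the same comment that, after this change, updates Firefox makes to its own `security/mac/hardenedruntime` files no longer reach Thunderbird builds, so the comm copies need to be maintained deliberately.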