[vlc-commits] macOS codesign: Add option to enable runtime hardening for macOS Mojave
David Fuhrmann
git at videolan.org
Sun Dec 16 20:22:20 CET 2018
vlc/vlc-3.0 | branch: master | David Fuhrmann <dfuhrmann at videolan.org> | Tue Oct 23 23:21:41 2018 +0200| [cdd2cbfb339fd63bd79a0df641a5ab1d87a77577] | committer: David Fuhrmann
macOS codesign: Add option to enable runtime hardening for macOS Mojave
Runtime hardening restricts what the application can do, while not being
a full sandbox. For instance, only signed code is loaded by default, and
certain personal data is restricted in access.
The following flags / options are set for now:
- Allow execution of JIT code: For Lua Scripts
- Disable library validation: libraries are also loaded if they are signed
by the developer certificate of another developer, not from VideoLAN
(still, unsigned libs are not loaded anymore)
- Audio input access: For qtsound
- Camera access: For avcapture
- Apple Events: To control iTunes and Spotify
(cherry picked from commit 77548a174cea044f4a4a1909c3e9371df44d1e6d)
Signed-off-by: David Fuhrmann <dfuhrmann at videolan.org>
> http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=cdd2cbfb339fd63bd79a0df641a5ab1d87a77577
---
extras/package/macosx/codesign.sh | 13 +++++++++++--
extras/package/macosx/package.mak | 1 +
extras/package/macosx/vlc-hardening.entitlements | 16 ++++++++++++++++
3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/extras/package/macosx/codesign.sh b/extras/package/macosx/codesign.sh
index 412c80ceb8..36e7213157 100755
--- a/extras/package/macosx/codesign.sh
+++ b/extras/package/macosx/codesign.sh
@@ -37,11 +37,12 @@ OPTIONS:
-h Show this help
-i Identity to use
-g Developer ID certificate mode (validates with Gatekeeper)
+ -r Enable runtime hardening
EOF
}
-while getopts "hi:g" OPTION
+while getopts "hi:gr" OPTION
do
case $OPTION in
h)
@@ -54,6 +55,9 @@ do
g)
GK="yes"
;;
+ r)
+ RUNTIME="yes"
+ ;;
*)
usage
exit 1
@@ -79,12 +83,17 @@ if [ -z "$VLCCACHEGEN" ]; then
info "WARN: Cannot find vlc-cache-gen, cache will be corrupt after signing"
fi
+SCRIPTDIR=$(dirname "$0")
+if [ ! -z "$RUNTIME" ]; then
+RUNTIME_FLAGS="--options runtime --entitlements $SCRIPTDIR/vlc-hardening.entitlements"
+fi
+
# Call with $1 = file or folder
sign()
{
# info "Signing file $1 with identifier $IDENTIFIER"
- codesign --force --verbose -s "$IDENTITY" "$1"
+ codesign --force --verbose $RUNTIME_FLAGS -s "$IDENTITY" "$1"
}
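Review bot: `$SCRIPTDIR` is interpolated unquoted into `RUNTIME_FLAGS`, and that string is then expanded unquoted in `sign()` on purpose so it splits into separate codesign arguments — which also splits the entitlements path whenever codesign.sh is run from a directory containing whitespace, leaving codesign with a truncated `--entitlements` argument. If the script runs under bash (the shebang is outside the hunk), an array keeps the path intact and still expands to nothing when `-r` is not given; use `${RUNTIME_FLAGS[@]+"${RUNTIME_FLAGS[@]}"}` instead if the script sets `-u` on the macOS bash 3.2. It is also worth failing early when the entitlements file is missing, since package.mak copies it next to the script and a missing copy otherwise surfaces only as a less obvious codesign error. The `sign()` body is complete in the hunk, but its callers are not visible here.
```shell
SCRIPTDIR=$(dirname "$0")
RUNTIME_FLAGS=()
if [ -n "$RUNTIME" ]; then
    ENTITLEMENTS="$SCRIPTDIR/vlc-hardening.entitlements"
    if [ ! -f "$ENTITLEMENTS" ]; then
        info "ERROR: Cannot find $ENTITLEMENTS, required for runtime hardening"
        exit 1
    fi
    RUNTIME_FLAGS=(--options runtime --entitlements "$ENTITLEMENTS")
fi

# … unchanged: sign() header comment …
sign()
{
    codesign --force --verbose "${RUNTIME_FLAGS[@]}" -s "$IDENTITY" "$1"
}
```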
diff --git a/extras/package/macosx/package.mak b/extras/package/macosx/package.mak
index 35f0567beb..186637dcd2 100644
--- a/extras/package/macosx/package.mak
+++ b/extras/package/macosx/package.mak
@@ -102,6 +102,7 @@ package-macosx-release:
cp $(srcdir)/extras/package/macosx/dmg/* $(top_builddir)/vlc-$(VERSION)-release/
cp "$(srcdir)/extras/package/macosx/codesign.sh" $(top_builddir)/vlc-$(VERSION)-release/
cp "$(prefix)/lib/vlc/vlc-cache-gen" $(top_builddir)/vlc-$(VERSION)-release/
+ cp "$(srcdir)/extras/package/macosx/vlc-hardening.entitlements" $(top_builddir)/vlc-$(VERSION)-release/
install_name_tool -add_rpath "@executable_path/VLC.app/Contents/MacOS/lib" $(top_builddir)/vlc-$(VERSION)-release/vlc-cache-gen
zip -r -y -9 $(top_builddir)/vlc-$(VERSION)-release.zip $(top_builddir)/vlc-$(VERSION)-release
rm -rf "$(top_builddir)/vlc-$(VERSION)-release"
diff --git a/extras/package/macosx/vlc-hardening.entitlements b/extras/package/macosx/vlc-hardening.entitlements
new file mode 100644
index 0000000000..592327e2f8
--- /dev/null
+++ b/extras/package/macosx/vlc-hardening.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.automation.apple-events</key>
+ <true/>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+ <key>com.apple.security.device.audio-input</key>
+ <true/>
+ <key>com.apple.security.device.camera</key>
+ <true/>
+</dict>
+</plist>
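Review bot: The entitlements file records five hardened-runtime exemptions but none of the reasoning from the commit message, and `com.apple.security.cs.disable-library-validation` together with `com.apple.security.cs.allow-jit` hands back a large part of what the hardened runtime is meant to take away (any Developer ID–signed library can be loaded into the process, and MAP_JIT writable-then-executable mappings are permitted), so the justification belongs next to the keys where the next person editing them will see it. Plist XML accepts comments; add one per key mirroring the commit message, e.g. `<!-- disable-library-validation: plugins signed by other Developer IDs must still load; unsigned code remains rejected -->`. The allow-jit entry is attributed to Lua scripts; unless VLC links LuaJIT rather than the stock Lua interpreter, a bytecode interpreter does not need MAP_JIT, so that exemption may be droppable — worth verifying before a release build ships with it, as each key here widens what an injected payload can do.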