[vlc-commits] macOS codesign: Add option to enable runtime hardening for macOS Mojave
David Fuhrmann
git at videolan.org
Tue Oct 23 23:34:53 CEST 2018
vlc | branch: master | David Fuhrmann <dfuhrmann at videolan.org> | Tue Oct 23 23:21:41 2018 +0200| [77548a174cea044f4a4a1909c3e9371df44d1e6d] | committer: David Fuhrmann
macOS codesign: Add option to enable runtime hardening for macOS Mojave
Runtime hardening restricts what the application can do, while not being
a full sandbox. For instance, only signed code is loaded by default, and
certain personal data is restricted in access.
The following flags / options are set for now:
- Allow execution of JIT code: For Lua Scripts
- Disable library validation: libraries are also loaded if they are signed
by the developer certificate of another developer, not from VideoLAN
(still, unsigned libs are not loaded anymore)
- Audio input access: For qtsound
- Camera access: For avcapture
- Apple Events: To control iTunes and Spotify
> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=77548a174cea044f4a4a1909c3e9371df44d1e6d
---
extras/package/macosx/VLC.xcodeproj/project.pbxproj | 17 +++++++++++++++--
extras/package/macosx/codesign.sh | 13 +++++++++++--
extras/package/macosx/package.mak | 1 +
extras/package/macosx/vlc-hardening.entitlements | 16 ++++++++++++++++
4 files changed, 43 insertions(+), 4 deletions(-)
diff --git a/extras/package/macosx/VLC.xcodeproj/project.pbxproj b/extras/package/macosx/VLC.xcodeproj/project.pbxproj
index e12ff37933..7dcbd72816 100644
--- a/extras/package/macosx/VLC.xcodeproj/project.pbxproj
+++ b/extras/package/macosx/VLC.xcodeproj/project.pbxproj
@@ -160,6 +160,7 @@
1C67C8A71D58C0A40079E1C1 /* VLCAboutWindowController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = VLCAboutWindowController.m; sourceTree = "<group>"; };
1C7CB91A1D787E7600388902 /* VLCPopupPanelController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VLCPopupPanelController.h; sourceTree = "<group>"; };
1C7CB91B1D787E7600388902 /* VLCPopupPanelController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = VLCPopupPanelController.m; sourceTree = "<group>"; };
+ 1C864182217D318900D2CF7C /* vlc-hardening.entitlements */ = {isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = "vlc-hardening.entitlements"; sourceTree = "<group>"; };
1CAC3EE620CD1B3B00613DB2 /* VLCVideoOutputProvider.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = VLCVideoOutputProvider.m; sourceTree = "<group>"; };
1CAC3EE720CD1B3B00613DB2 /* VLCVideoOutputProvider.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VLCVideoOutputProvider.h; sourceTree = "<group>"; };
1CAEBBFF1E1EC0A400A99E49 /* VLCFSPanelDraggableView.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = VLCFSPanelDraggableView.h; sourceTree = "<group>"; };
@@ -578,6 +579,7 @@
089C166AFE841209C02AAC07 /* vlc */ = {
isa = PBXGroup;
children = (
+ 1C864182217D318900D2CF7C /* vlc-hardening.entitlements */,
CC6C01A40DDF3E7800C7D754 /* Minimal macOS interface */,
CCC8957F0D9A8A61005AE59C /* macOS-specific libvlc source files */,
08FB77AFFE84173DC02AAC07 /* macOS Interface Classes */,
@@ -1540,10 +1542,15 @@
TargetAttributes = {
1CCB5F2E1A62A6A5004C3E90 = {
CreatedOnToolsVersion = 6.1.1;
+ SystemCapabilities = {
+ com.apple.HardenedRuntime = {
+ enabled = 1;
+ };
+ };
};
};
};
- buildConfigurationList = C2F2A6EA09588F1B00018C74 /* Build configuration list for PBXProject "VLC" */;
+ buildConfigurationList = C2F2A6EA09588F1B00018C74 /* Build configuration list for PBXProject "vlc" */;
compatibilityVersion = "Xcode 6.3";
developmentRegion = English;
hasScannedForEncodings = 1;
@@ -1696,9 +1703,11 @@
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ENABLE_OBJC_ARC = YES;
+ CODE_SIGN_ENTITLEMENTS = "vlc-hardening.entitlements";
CODE_SIGN_IDENTITY = "";
COMBINE_HIDPI_IMAGES = YES;
COPY_PHASE_STRIP = NO;
+ ENABLE_HARDENED_RUNTIME = YES;
FRAMEWORK_SEARCH_PATHS = "${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
GCC_PREPROCESSOR_DEFINITIONS = (
"HAVE_CONFIG_H=1",
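Review bot: `ENABLE_HARDENED_RUNTIME = YES` and `CODE_SIGN_ENTITLEMENTS` are added to a configuration whose `CODE_SIGN_IDENTITY` is the empty string, and the same applies to the two configurations in the later hunks (-1731 and -1766). As far as I know, the hardened-runtime flag and the entitlements are only embedded when the product is actually signed, so these settings presumably have no effect on the unsigned Xcode build until a developer identity is configured; this is worth confirming. If that is the case, the macOS build documentation (rather than the Xcode-managed project.pbxproj) should state that the project enables hardening so that a developer-signed build exercises the same entitlements as the release signing done by codesign.sh -r.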
@@ -1731,10 +1740,12 @@
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ENABLE_OBJC_ARC = YES;
+ CODE_SIGN_ENTITLEMENTS = "vlc-hardening.entitlements";
CODE_SIGN_IDENTITY = "";
COMBINE_HIDPI_IMAGES = YES;
COPY_PHASE_STRIP = YES;
DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+ ENABLE_HARDENED_RUNTIME = YES;
FRAMEWORK_SEARCH_PATHS = "${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
GCC_PREPROCESSOR_DEFINITIONS = (
"HAVE_CONFIG_H=1",
@@ -1766,10 +1777,12 @@
buildSettings = {
ALWAYS_SEARCH_USER_PATHS = NO;
CLANG_ENABLE_OBJC_ARC = YES;
+ CODE_SIGN_ENTITLEMENTS = "vlc-hardening.entitlements";
CODE_SIGN_IDENTITY = "";
COMBINE_HIDPI_IMAGES = YES;
COPY_PHASE_STRIP = YES;
DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+ ENABLE_HARDENED_RUNTIME = YES;
FRAMEWORK_SEARCH_PATHS = "${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
GCC_PREPROCESSOR_DEFINITIONS = (
"HAVE_CONFIG_H=1",
@@ -1955,7 +1968,7 @@
defaultConfigurationIsVisible = 0;
defaultConfigurationName = Default;
};
- C2F2A6EA09588F1B00018C74 /* Build configuration list for PBXProject "VLC" */ = {
+ C2F2A6EA09588F1B00018C74 /* Build configuration list for PBXProject "vlc" */ = {
isa = XCConfigurationList;
buildConfigurations = (
C2F2A6EB09588F1B00018C74 /* Development */,
diff --git a/extras/package/macosx/codesign.sh b/extras/package/macosx/codesign.sh
index 267314a05b..f6b5a3a8cc 100755
--- a/extras/package/macosx/codesign.sh
+++ b/extras/package/macosx/codesign.sh
@@ -37,11 +37,12 @@ OPTIONS:
-h Show this help
-i Identity to use
-g Developer ID certificate mode (validates with Gatekeeper)
+ -r Enable runtime hardening
EOF
}
-while getopts "hi:g" OPTION
+while getopts "hi:gr" OPTION
do
case $OPTION in
h)
@@ -54,6 +55,9 @@ do
g)
GK="yes"
;;
+ r)
+ RUNTIME="yes"
+ ;;
*)
usage
exit 1
@@ -79,12 +83,17 @@ if [ -z "$VLCCACHEGEN" ]; then
info "WARN: Cannot find vlc-cache-gen, cache will be corrupt after signing"
fi
+SCRIPTDIR=$(dirname "$0")
+if [ ! -z "$RUNTIME" ]; then
+RUNTIME_FLAGS="--options runtime --entitlements $SCRIPTDIR/vlc-hardening.entitlements"
+fi
+
# Call with $1 = file or folder
sign()
{
# info "Signing file $1 with identifier $IDENTIFIER"
- codesign --force --verbose -s "$IDENTITY" "$1"
+ codesign --force --verbose $RUNTIME_FLAGS -s "$IDENTITY" "$1"
}
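Review bot: `$RUNTIME_FLAGS` is expanded unquoted inside `sign()` and embeds `$SCRIPTDIR/vlc-hardening.entitlements`, so a script location containing whitespace is word-split into several arguments and the `--entitlements` path breaks; the entitlements file is also never checked for existence, so with `-r` every single `codesign` call fails instead of the script failing once up front. Keeping the path in its own quoted variable and choosing the invocation inside `sign()` avoids both, and `[ ! -z ... ]` reads better as `[ -n ... ]`. The rest of the script continues outside the hunk.
```shell
SCRIPTDIR=$(dirname "$0")
ENTITLEMENTS="$SCRIPTDIR/vlc-hardening.entitlements"
if [ -n "$RUNTIME" ] && [ ! -f "$ENTITLEMENTS" ]; then
    info "Cannot find $ENTITLEMENTS, required for runtime hardening (-r)"
    exit 1
fi

# Call with $1 = file or folder
sign()
{
    # info "Signing file $1 with identifier $IDENTIFIER"
    if [ -n "$RUNTIME" ]; then
        codesign --force --verbose --options runtime --entitlements "$ENTITLEMENTS" -s "$IDENTITY" "$1"
    else
        codesign --force --verbose -s "$IDENTITY" "$1"
    fi
}
```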
diff --git a/extras/package/macosx/package.mak b/extras/package/macosx/package.mak
index a2b1bf2a66..8b42a228cd 100644
--- a/extras/package/macosx/package.mak
+++ b/extras/package/macosx/package.mak
@@ -94,6 +94,7 @@ package-macosx-release:
cp -Rp $(top_builddir)/VLC.app $(top_builddir)/vlc-$(VERSION)-release/
cp $(srcdir)/extras/package/macosx/dmg/* $(top_builddir)/vlc-$(VERSION)-release/
cp "$(srcdir)/extras/package/macosx/codesign.sh" $(top_builddir)/vlc-$(VERSION)-release/
+ cp "$(srcdir)/extras/package/macosx/vlc-hardening.entitlements" $(top_builddir)/vlc-$(VERSION)-release/
cp "$(pkglibexecdir)/vlc-cache-gen" $(top_builddir)/vlc-$(VERSION)-release/
install_name_tool -add_rpath "@executable_path/VLC.app/Contents/MacOS/lib" $(top_builddir)/vlc-$(VERSION)-release/vlc-cache-gen
zip -r -y -9 $(top_builddir)/vlc-$(VERSION)-release.zip $(top_builddir)/vlc-$(VERSION)-release
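Review bot: The new `cp` of vlc-hardening.entitlements carries no comment saying why the file belongs in the release directory; the reason is only visible in codesign.sh, which looks the file up next to itself via `dirname "$0"` when invoked with `-r`. A one-line comment above the new line, `# codesign.sh -r expects vlc-hardening.entitlements next to itself`, would make that coupling explicit to whoever reorganises the release directory. The recipe belongs to `package-macosx-release`, whose header is outside the hunk.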
diff --git a/extras/package/macosx/vlc-hardening.entitlements b/extras/package/macosx/vlc-hardening.entitlements
new file mode 100644
index 0000000000..592327e2f8
--- /dev/null
+++ b/extras/package/macosx/vlc-hardening.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+ <key>com.apple.security.automation.apple-events</key>
+ <true/>
+ <key>com.apple.security.cs.allow-jit</key>
+ <true/>
+ <key>com.apple.security.cs.disable-library-validation</key>
+ <true/>
+ <key>com.apple.security.device.audio-input</key>
+ <true/>
+ <key>com.apple.security.device.camera</key>
+ <true/>
+</dict>
+</plist>
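Review bot: None of the five entitlement keys carries a rationale in the file; the justification (Lua for allow-jit, libraries signed by other developers for disable-library-validation, qtsound, avcapture, iTunes/Spotify control) lives only in the commit message, and since plists accept XML comments a `<!-- … -->` line above each key stating that reason would keep the justification with the file and make any later narrowing reviewable. Two keys deserve a check: `com.apple.security.cs.allow-jit` is only needed by a Lua runtime that generates machine code (LuaJIT), not by the stock bytecode interpreter, so if VLC's contrib Lua is the latter the key can presumably be dropped, and `com.apple.security.cs.disable-library-validation` combined with allow-jit is the broadest relaxation of the hardened runtime, so it is worth recording which plugins actually require it. On Mojave the audio-input, camera and apple-events entitlements are paired with the `NSMicrophoneUsageDescription`, `NSCameraUsageDescription` and `NSAppleEventsUsageDescription` Info.plist strings, which the hardened runtime does not add by itself — worth confirming they are present in the app bundle.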