author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-04-28 14:29:10 +0000 |
commit | 2aa4a82499d4becd2284cdb482213d541b8804dd (patch) | |
tree | b80bf8bf13c3766139fbacc530efd0dd9d54394c /security/mac | |
parent | Initial commit. (diff) | |
download | firefox-upstream.tar.xz firefox-upstream.zip |
Adding upstream version 86.0.1.upstream/86.0.1upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'security/mac')
7 files changed, 432 insertions, 0 deletions
diff --git a/security/mac/hardenedruntime/browser.developer.entitlements.xml b/security/mac/hardenedruntime/browser.developer.entitlements.xml
new file mode 100644
index 0000000000..5c2ad04b4e
--- /dev/null
+++ b/security/mac/hardenedruntime/browser.developer.entitlements.xml
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and main browser process
+ executable during codesigning of developer builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page-in time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Allow debuggers to attach to running executables -->
+ <key>com.apple.security.get-task-allow</key><true/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+ </dict>
+</plist>
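Review bot: Setting `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` both to true in the same file removes the Hardened Runtime's two complementary injection defences together: with dyld variables honoured, `DYLD_INSERT_LIBRARIES` is processed again, and with library validation off the inserted library does not have to be signed by the same team or by Apple. Each key's comment justifies it in isolation, but nothing records that it is the combination that makes the process injectable, which is what a future reviewer needs to know before deciding whether either exception can be dropped. Suggest extending the dyld comment with `NOTE: together with disable-library-validation=true this permits injection of unsigned libraries via DYLD_INSERT_LIBRARIES; revisit if the in-bundle dyld usage is removed`, and fixing the typo `libaries`.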
diff --git a/security/mac/hardenedruntime/browser.production.entitlements.xml b/security/mac/hardenedruntime/browser.production.entitlements.xml
new file mode 100644
index 0000000000..fc0d9d5f0d
--- /dev/null
+++ b/security/mac/hardenedruntime/browser.production.entitlements.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and main browser process
+ executable during codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page in-time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Don't allow debugging of the executable. Debuggers will be prevented
+ from attaching to running executables. Notarization does not permit
+ access to get-task-allow (as documented by Apple) so this must be
+ disabled on notarized builds. -->
+ <key>com.apple.security.get-task-allow</key><false/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+ </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/codesign.bash b/security/mac/hardenedruntime/codesign.bash
new file mode 100755
index 0000000000..068f404270
--- /dev/null
+++ b/security/mac/hardenedruntime/codesign.bash
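Review bot: This production file differs from browser.developer.entitlements.xml only in `com.apple.security.get-task-allow`, yet neither header says so, and the two already disagree in comment wording (`page in-time` here versus `page-in time` there, plus the shared typo `libaries`), which is how such pairs drift apart. Since this is the file applied to notarized builds, the `disable-library-validation` and `allow-dyld-environment-variables` exceptions here are the ones end users run with; a one-line statement of which binaries still require each would let a later release retire them. Suggest adding to the header: `Must stay identical to browser.developer.entitlements.xml except for com.apple.security.get-task-allow, which notarization requires to be false.`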
@@ -0,0 +1,167 @@
+#!/bin/bash
+#
+# This Source Code Form is subject to the terms of the Mozilla Public
+# License, v. 2.0. If a copy of the MPL was not distributed with this
+# file, You can obtain one at https://mozilla.org/MPL/2.0/.
+#
+# Runs codesign commands to codesign a Firefox .app bundle and enable macOS
+# Hardened Runtime. Intended to be manually run by developers working on macOS
+# 10.14+ who want to enable Hardened Runtime for manual testing. This is
+# provided as a stop-gap until automated build tooling is available that signs
+# binaries with a certificate generated during builds (bug 1522409). This
+# script requires macOS 10.14 because Hardened Runtime is only available for
+# applications running on 10.14 despite support for the codesign "-o runtime"
+# option being available in 10.13.6 and newer.
+#
+# The script requires an identity string (-i option) from an Apple Developer
+# ID certificate. This can be found in the macOS KeyChain after configuring an
+# Apple Developer ID certificate.
+#
+# Example usage on macOS 10.14:
+#
+# $ ./mach build
+# $ ./mach build package
+# $ open </PATH/TO/DMG/FILE.dmg>
+# <Drag Nightly.app to ~>
+# $ ./security/mac/hardenedruntime/codesign.bash \
+# -a ~/Nightly.app \
+# -i <MY-IDENTITY-STRING> \
+# -b security/mac/hardenedruntime/browser.developer.entitlements.xml
+# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
+# $ open ~/Nightly.app
+#
+
+usage ()
+{
+ echo "Usage: $0 "
+ echo " -a <PATH-TO-BROWSER.app>"
+ echo " -i <IDENTITY>"
+ echo " -b <ENTITLEMENTS-FILE>"
+ echo " -p <CHILD-ENTITLEMENTS-FILE>"
+ echo " [-o <OUTPUT-DMG-FILE>]"
+ exit -1
+}
+
+# Make sure we are running on macOS with the sw_vers command available.
+SWVERS=/usr/bin/sw_vers
+if [ ! -x ${SWVERS} ]; then
+ echo "ERROR: macOS 10.14 or later is required"
+ exit -1
+fi
+
+# Require macOS 10.14 or newer.
+OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`;
+if [ ${OSVERSION} \< 14 ]; then
+ echo "ERROR: macOS 10.14 or later is required"
+ exit -1
+fi
+
+while getopts "a:i:b:o:p:" opt; do
+ case ${opt} in
+ a ) BUNDLE=$OPTARG ;;
+ i ) IDENTITY=$OPTARG ;;
+ b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;;
+ p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;;
+ o ) OUTPUT_DMG_FILE=$OPTARG ;;
+ \? ) usage; exit -1 ;;
+ esac
+done
+
+if [ -z "${BUNDLE}" ] ||
+ [ -z "${IDENTITY}" ] ||
+ [ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] ||
+ [ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then
+ usage
+ exit -1
+fi
+
+if [ ! -d "${BUNDLE}" ]; then
+ echo "Invalid bundle. Bundle should be a .app directory"
+ usage
+ exit -1
+fi
+
+if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then
+ echo "Invalid entitlements file"
+ usage
+ exit -1
+fi
+
+if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then
+ echo "Invalid entitlements file"
+ usage
+ exit -1
+fi
+
+# DMG file output flag is optional
+if [ ! -z "${OUTPUT_DMG_FILE}" ] &&
+ [ -e "${OUTPUT_DMG_FILE}" ]; then
+ echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first."
+ usage
+ exit -1
+fi
+
+echo "-------------------------------------------------------------------------"
+echo "bundle: $BUNDLE"
+echo "identity: $IDENTITY"
+echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE"
+echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE"
+echo "output dmg file (optional): $OUTPUT_DMG_FILE"
+echo "-------------------------------------------------------------------------"
+
+# Clear extended attributes which cause codesign to fail
+xattr -cr "${BUNDLE}"
+
+# Sign these binaries first. Signing of some binaries has an ordering
+# requirement where other binaries must be signed first.
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+"${BUNDLE}/Contents/MacOS/XUL" \
+"${BUNDLE}/Contents/MacOS/pingsender" \
+"${BUNDLE}/Contents/MacOS/minidump-analyzer" \
+"${BUNDLE}"/Contents/MacOS/*.dylib
+
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+"${BUNDLE}"/Contents/MacOS/crashreporter.app
+
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+"${BUNDLE}"/Contents/MacOS/updater.app
+
+# Sign firefox main exectuable
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+--entitlements ${BROWSER_ENTITLEMENTS_FILE} \
+"${BUNDLE}"/Contents/MacOS/firefox-bin \
+"${BUNDLE}"/Contents/MacOS/firefox
+
+# Sign gmp-clearkey files
+find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \
+codesign --force -o runtime --verbose --sign "$IDENTITY" {} \;
+
+# Sign the main bundle
+codesign --force -o runtime --verbose --sign "$IDENTITY" \
+--entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}"
+
+# Sign the plugin-container bundle with deep
+codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \
+--entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \
+"${BUNDLE}"/Contents/MacOS/plugin-container.app
+
+# Validate
+codesign -vvv --deep --strict "${BUNDLE}"
+
+# Create a DMG
+if [ ! -z "${OUTPUT_DMG_FILE}" ]; then
+ DISK_IMAGE_DIR=`mktemp -d`
+ TEMP_FILE=`mktemp`
+ TEMP_DMG=${TEMP_FILE}.dmg
+ NAME=`basename "${BUNDLE}"`
+
+ ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}"
+ hdiutil create -size 400m -fs HFS+ \
+ -volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}"
+ hdiutil convert -format UDZO \
+ -o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}"
+
+ rm ${TEMP_FILE}
+ rm ${TEMP_DMG}
+ rm -rf "${DISK_IMAGE_DIR}"
+fi
diff --git a/security/mac/hardenedruntime/developer.entitlements.xml b/security/mac/hardenedruntime/developer.entitlements.xml
new file mode 100644
index 0000000000..83ccacedc8
--- /dev/null
+++ b/security/mac/hardenedruntime/developer.entitlements.xml
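Review bot: The version gate at `OSVERSION=...` / `if [ ${OSVERSION} \< 14 ]` keeps only the middle component of the `sw_vers` output and then compares it as a string, so it rejects macOS 11.0.x or 12.0.x (middle component `0`) while accepting 10.9 (`"9"` sorts after `"14"` lexically), and a two-component version such as `11.1` leaves `OSVERSION` empty. Comparing major and minor numerically fixes both; the rewrite below also replaces `exit -1` (exit status 255) with `exit 1`. Separately, no `codesign` invocation has its exit status checked and the script has no `set -e`, so a failed signature still falls through to the validate step and, with `-o`, into a DMG being produced; consider `set -euo pipefail` after the shebang or `|| exit 1` on each `codesign` call. The `--entitlements ${BROWSER_ENTITLEMENTS_FILE}` and `${PLUGINCONTAINER_ENTITLEMENTS_FILE}` arguments are also unquoted, unlike every other path in the script.
```shell
# … unchanged: sw_vers existence check …
# Require macOS 10.14 or newer. Compare major and minor numerically so that
# major versions other than 10 and two-component versions are handled.
OSVERSION=$(${SWVERS} -productVersion)
OSMAJOR=${OSVERSION%%.*}
OSMINOR=$(echo "${OSVERSION}" | cut -s -d. -f2)
case ${OSMINOR} in ''|*[!0-9]*) OSMINOR=0 ;; esac
if [ "${OSMAJOR}" -lt 10 ] || { [ "${OSMAJOR}" -eq 10 ] && [ "${OSMINOR}" -lt 14 ]; }; then
  echo "ERROR: macOS 10.14 or later is required"
  exit 1
fi
# … unchanged: option parsing and signing …
```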
@@ -0,0 +1,46 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and all executable files
+ contained within it during codesigning of developer builds. These
+ entitlements configure hardened runtime and allow debugging of the
+ application. The com.apple.security.get-task-allow entitlement must be
+ set to true to allow debuggers to attach to application processes but
+ this prohibits notarization with the notary service. Aside from allowing
+ debugging, these entitlements enable hardened runtime protections to the
+ extent possible for Firefox.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page-in time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Allow debuggers to attach to running executables -->
+ <key>com.apple.security.get-task-allow</key><true/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+ </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml b/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
new file mode 100644
index 0000000000..7b5a55c354
--- /dev/null
+++ b/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml
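Review bot: The header describes this as the developer-build entitlements file, but it is neither the file the codesign.bash example passes (`-b browser.developer.entitlements.xml`) nor identical to it: this one adds `com.apple.security.smartcard` and omits `com.apple.security.automation.apple-events`, and the diff gives no indication of which tool consumes it. A reader choosing between the two cannot tell whether the smart-card grant is also wanted on the browser process or whether Apple Events was deliberately left out here. Suggest a header sentence naming the consumer, e.g. `Used by <tool>; browser.developer.entitlements.xml and plugin-container.developer.entitlements.xml are the per-executable variants consumed by codesign.bash`, and expanding the one-word `For SmartCardServices(7)` comment to say what the reader access is used for (presumably client-certificate or token operations — confirm).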
@@ -0,0 +1,42 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the plugin-container.app bundle during
+ codesigning of developer builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page-in time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Allow debuggers to attach to running executables -->
+ <key>com.apple.security.get-task-allow</key><true/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+ </dict>
+</plist>
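Review bot: plugin-container.app is granted the full browser-process set of entitlements (microphone, camera, location, Apple Events and get-task-allow) with the comments copied verbatim from the browser file, which leaves the least-privilege question for child processes unanswered. The Apple Events comment justifies the grant by helper applications "launched by Firefox"; whether plugin-container launches those helpers, rather than the parent process, is not visible in this commit, and if it does not the key can be dropped from this file. Suggest a per-key note naming the child process type that needs it, e.g. `<!-- Needed in the child processes that perform media capture -->` on the device keys, so that keys only the parent needs can be identified and removed.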
diff --git a/security/mac/hardenedruntime/plugin-container.production.entitlements.xml b/security/mac/hardenedruntime/plugin-container.production.entitlements.xml
new file mode 100644
index 0000000000..3d63da28b3
--- /dev/null
+++ b/security/mac/hardenedruntime/plugin-container.production.entitlements.xml
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the plugin-container.app bundle during
+ codesigning of production channel builds.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page in-time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Don't allow debugging of the executable. Debuggers will be prevented
+ from attaching to running executables. Notarization does not permit
+ access to get-task-allow (as documented by Apple) so this must be
+ disabled on notarized builds. -->
+ <key>com.apple.security.get-task-allow</key><false/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- Allow Firefox to send Apple events to other applications. Needed
+ for native messaging webextension helper applications launched by
+ Firefox which rely on Apple Events to signal other processes. -->
+ <key>com.apple.security.automation.apple-events</key><true/>
+ </dict>
+</plist>
diff --git a/security/mac/hardenedruntime/production.entitlements.xml b/security/mac/hardenedruntime/production.entitlements.xml
new file mode 100644
index 0000000000..4d7996d276
--- /dev/null
+++ b/security/mac/hardenedruntime/production.entitlements.xml
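Review bot: The justification `Needed for Flash and CDMs` on `com.apple.security.cs.disable-library-validation` is the only reason recorded for the broadest exception in this shipped file, and it names a plugin that may no longer be supported in this release (not verifiable from the diff). Because library validation is what stops code not signed by the same team or by Apple from loading into the process, the comment should name the concrete remaining consumers so the exception can be revisited when they change, e.g. `<!-- Allow loading libraries not signed by Mozilla or Apple. Still required for third-party CDMs loaded into this process; remove if they move elsewhere -->`. The comment `page in-time` should also read `page-in time`, as in the developer variant.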
@@ -0,0 +1,45 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!--
+ Entitlements to apply to the .app bundle and all executable files
+ contained within it during codesigning of production channel builds that
+ will be notarized. These entitlements enable hardened runtime protections
+ to the extent possible for Firefox.
+-->
+<plist version="1.0">
+ <dict>
+ <!-- Firefox does not use MAP_JIT for executable mappings -->
+ <key>com.apple.security.cs.allow-jit</key><false/>
+
+ <!-- Firefox needs to create executable pages (without MAP_JIT) -->
+ <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+
+ <!-- Code paged in from disk should match the signature at page in-time -->
+ <key>com.apple.security.cs.disable-executable-page-protection</key><false/>
+
+ <!-- Allow loading third party libraries. Needed for Flash and CDMs -->
+ <key>com.apple.security.cs.disable-library-validation</key><true/>
+
+ <!-- Allow dyld environment variables. Needed because Firefox uses
+ dyld variables to load libaries from within the .app bundle. -->
+ <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
+
+ <!-- Don't allow debugging of the executable. Debuggers will be prevented
+ from attaching to running executables. Notarization does not permit
+ access to get-task-allow (as documented by Apple) so this must be
+ disabled on notarized builds. -->
+ <key>com.apple.security.get-task-allow</key><false/>
+
+ <!-- Firefox needs to access the microphone on sites the user allows -->
+ <key>com.apple.security.device.audio-input</key><true/>
+
+ <!-- Firefox needs to access the camera on sites the user allows -->
+ <key>com.apple.security.device.camera</key><true/>
+
+ <!-- Firefox needs to access the location on sites the user allows -->
+ <key>com.apple.security.personal-information.location</key><true/>
+
+ <!-- For SmartCardServices(7) -->
+ <key>com.apple.security.smartcard</key><true/>
+ </dict>
+</plist> |
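Review bot: The header states these entitlements are applied to `all executable files contained within` the bundle, which would give helper executables such as updater, crashreporter, pingsender and minidump-analyzer (the binaries codesign.bash in this same commit signs separately) microphone, camera, location and smart-card entitlements they have no stated reason to hold. Whether the build tooling really applies this file that broadly is not visible here; if it does, a helper-specific file with no device keys, mirroring the plugin-container split this commit already makes, is the least-privilege arrangement, and if it does not, the header should be narrowed to the binaries actually signed with it. Either way the one-word `For SmartCardServices(7)` comment should say which component needs smart-card access and why.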