diff options
Diffstat (limited to 'security/mac')
7 files changed, 432 insertions, 0 deletions
diff --git a/security/mac/hardenedruntime/browser.developer.entitlements.xml b/security/mac/hardenedruntime/browser.developer.entitlements.xml new file mode 100644 index 0000000000..5c2ad04b4e --- /dev/null +++ b/security/mac/hardenedruntime/browser.developer.entitlements.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the .app bundle and main browser process + executable during codesigning of developer builds. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page-in time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Allow debuggers to attach to running executables --> + <key>com.apple.security.get-task-allow</key><true/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- Allow Firefox to send Apple events to other applications. Needed + for native messaging webextension helper applications launched by + Firefox which rely on Apple Events to signal other processes. --> + <key>com.apple.security.automation.apple-events</key><true/> + </dict> +</plist> diff --git a/security/mac/hardenedruntime/browser.production.entitlements.xml b/security/mac/hardenedruntime/browser.production.entitlements.xml new file mode 100644 index 0000000000..fc0d9d5f0d --- /dev/null +++ b/security/mac/hardenedruntime/browser.production.entitlements.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the .app bundle and main browser process + executable during codesigning of production channel builds. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page in-time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Don't allow debugging of the executable. Debuggers will be prevented + from attaching to running executables. Notarization does not permit + access to get-task-allow (as documented by Apple) so this must be + disabled on notarized builds. --> + <key>com.apple.security.get-task-allow</key><false/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- Allow Firefox to send Apple events to other applications. Needed + for native messaging webextension helper applications launched by + Firefox which rely on Apple Events to signal other processes. --> + <key>com.apple.security.automation.apple-events</key><true/> + </dict> +</plist> diff --git a/security/mac/hardenedruntime/codesign.bash b/security/mac/hardenedruntime/codesign.bash new file mode 100755 index 0000000000..068f404270 --- /dev/null +++ b/security/mac/hardenedruntime/codesign.bash @@ -0,0 +1,167 @@ +#!/bin/bash +# +# This Source Code Form is subject to the terms of the Mozilla Public +# License, v. 2.0. If a copy of the MPL was not distributed with this +# file, You can obtain one at https://mozilla.org/MPL/2.0/. +# +# Runs codesign commands to codesign a Firefox .app bundle and enable macOS +# Hardened Runtime. Intended to be manually run by developers working on macOS +# 10.14+ who want to enable Hardened Runtime for manual testing. This is +# provided as a stop-gap until automated build tooling is available that signs +# binaries with a certificate generated during builds (bug 1522409). This +# script requires macOS 10.14 because Hardened Runtime is only available for +# applications running on 10.14 despite support for the codesign "-o runtime" +# option being available in 10.13.6 and newer. +# +# The script requires an identity string (-i option) from an Apple Developer +# ID certificate. This can be found in the macOS KeyChain after configuring an +# Apple Developer ID certificate. +# +# Example usage on macOS 10.14: +# +# $ ./mach build +# $ ./mach build package +# $ open </PATH/TO/DMG/FILE.dmg> +# <Drag Nightly.app to ~> +# $ ./security/mac/hardenedruntime/codesign.bash \ +# -a ~/Nightly.app \ +# -i <MY-IDENTITY-STRING> \ +# -b security/mac/hardenedruntime/browser.developer.entitlements.xml +# -p security/mac/hardenedruntime/plugin-container.developer.entitlements.xml +# $ open ~/Nightly.app +# + +usage () +{ + echo "Usage: $0 " + echo " -a <PATH-TO-BROWSER.app>" + echo " -i <IDENTITY>" + echo " -b <ENTITLEMENTS-FILE>" + echo " -p <CHILD-ENTITLEMENTS-FILE>" + echo " [-o <OUTPUT-DMG-FILE>]" + exit -1 +} + +# Make sure we are running on macOS with the sw_vers command available. +SWVERS=/usr/bin/sw_vers +if [ ! -x ${SWVERS} ]; then + echo "ERROR: macOS 10.14 or later is required" + exit -1 +fi + +# Require macOS 10.14 or newer. +OSVERSION=`${SWVERS} -productVersion|sed -En 's/[0-9]+\.([0-9]+)\.[0-9]+/\1/p'`; +if [ ${OSVERSION} \< 14 ]; then + echo "ERROR: macOS 10.14 or later is required" + exit -1 +fi + +while getopts "a:i:b:o:p:" opt; do + case ${opt} in + a ) BUNDLE=$OPTARG ;; + i ) IDENTITY=$OPTARG ;; + b ) BROWSER_ENTITLEMENTS_FILE=$OPTARG ;; + p ) PLUGINCONTAINER_ENTITLEMENTS_FILE=$OPTARG ;; + o ) OUTPUT_DMG_FILE=$OPTARG ;; + \? ) usage; exit -1 ;; + esac +done + +if [ -z "${BUNDLE}" ] || + [ -z "${IDENTITY}" ] || + [ -z "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ] || + [ -z "${BROWSER_ENTITLEMENTS_FILE}" ]; then + usage + exit -1 +fi + +if [ ! -d "${BUNDLE}" ]; then + echo "Invalid bundle. Bundle should be a .app directory" + usage + exit -1 +fi + +if [ ! -e "${PLUGINCONTAINER_ENTITLEMENTS_FILE}" ]; then + echo "Invalid entitlements file" + usage + exit -1 +fi + +if [ ! -e "${BROWSER_ENTITLEMENTS_FILE}" ]; then + echo "Invalid entitlements file" + usage + exit -1 +fi + +# DMG file output flag is optional +if [ ! -z "${OUTPUT_DMG_FILE}" ] && + [ -e "${OUTPUT_DMG_FILE}" ]; then + echo "Output dmg file ${OUTPUT_DMG_FILE} exists. Please delete it first." + usage + exit -1 +fi + +echo "-------------------------------------------------------------------------" +echo "bundle: $BUNDLE" +echo "identity: $IDENTITY" +echo "browser entitlements file: $BROWSER_ENTITLEMENTS_FILE" +echo "plugin-container entitlements file: $PLUGINCONTAINER_ENTITLEMENTS_FILE" +echo "output dmg file (optional): $OUTPUT_DMG_FILE" +echo "-------------------------------------------------------------------------" + +# Clear extended attributes which cause codesign to fail +xattr -cr "${BUNDLE}" + +# Sign these binaries first. Signing of some binaries has an ordering +# requirement where other binaries must be signed first. +codesign --force -o runtime --verbose --sign "$IDENTITY" \ +"${BUNDLE}/Contents/MacOS/XUL" \ +"${BUNDLE}/Contents/MacOS/pingsender" \ +"${BUNDLE}/Contents/MacOS/minidump-analyzer" \ +"${BUNDLE}"/Contents/MacOS/*.dylib + +codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ +"${BUNDLE}"/Contents/MacOS/crashreporter.app + +codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ +"${BUNDLE}"/Contents/MacOS/updater.app + +# Sign firefox main exectuable +codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ +--entitlements ${BROWSER_ENTITLEMENTS_FILE} \ +"${BUNDLE}"/Contents/MacOS/firefox-bin \ +"${BUNDLE}"/Contents/MacOS/firefox + +# Sign gmp-clearkey files +find "${BUNDLE}"/Contents/Resources/gmp-clearkey -type f -exec \ +codesign --force -o runtime --verbose --sign "$IDENTITY" {} \; + +# Sign the main bundle +codesign --force -o runtime --verbose --sign "$IDENTITY" \ +--entitlements ${BROWSER_ENTITLEMENTS_FILE} "${BUNDLE}" + +# Sign the plugin-container bundle with deep +codesign --force -o runtime --verbose --sign "$IDENTITY" --deep \ +--entitlements ${PLUGINCONTAINER_ENTITLEMENTS_FILE} \ +"${BUNDLE}"/Contents/MacOS/plugin-container.app + +# Validate +codesign -vvv --deep --strict "${BUNDLE}" + +# Create a DMG +if [ ! -z "${OUTPUT_DMG_FILE}" ]; then + DISK_IMAGE_DIR=`mktemp -d` + TEMP_FILE=`mktemp` + TEMP_DMG=${TEMP_FILE}.dmg + NAME=`basename "${BUNDLE}"` + + ditto "${BUNDLE}" "${DISK_IMAGE_DIR}/${NAME}" + hdiutil create -size 400m -fs HFS+ \ + -volname Firefox -srcfolder "${DISK_IMAGE_DIR}" "${TEMP_DMG}" + hdiutil convert -format UDZO \ + -o "${OUTPUT_DMG_FILE}" "${TEMP_DMG}" + + rm ${TEMP_FILE} + rm ${TEMP_DMG} + rm -rf "${DISK_IMAGE_DIR}" +fi diff --git a/security/mac/hardenedruntime/developer.entitlements.xml b/security/mac/hardenedruntime/developer.entitlements.xml new file mode 100644 index 0000000000..83ccacedc8 --- /dev/null +++ b/security/mac/hardenedruntime/developer.entitlements.xml @@ -0,0 +1,46 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the .app bundle and all executable files + contained within it during codesigning of developer builds. These + entitlements configure hardened runtime and allow debugging of the + application. The com.apple.security.get-task-allow entitlement must be + set to true to allow debuggers to attach to application processes but + this prohibits notarization with the notary service. Aside from allowing + debugging, these entitlements enable hardened runtime protections to the + extent possible for Firefox. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page-in time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Allow debuggers to attach to running executables --> + <key>com.apple.security.get-task-allow</key><true/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- For SmartCardServices(7) --> + <key>com.apple.security.smartcard</key><true/> + </dict> +</plist> diff --git a/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml b/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml new file mode 100644 index 0000000000..7b5a55c354 --- /dev/null +++ b/security/mac/hardenedruntime/plugin-container.developer.entitlements.xml @@ -0,0 +1,42 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the plugin-container.app bundle during + codesigning of developer builds. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page-in time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Allow debuggers to attach to running executables --> + <key>com.apple.security.get-task-allow</key><true/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- Allow Firefox to send Apple events to other applications. Needed + for native messaging webextension helper applications launched by + Firefox which rely on Apple Events to signal other processes. --> + <key>com.apple.security.automation.apple-events</key><true/> + </dict> +</plist> diff --git a/security/mac/hardenedruntime/plugin-container.production.entitlements.xml b/security/mac/hardenedruntime/plugin-container.production.entitlements.xml new file mode 100644 index 0000000000..3d63da28b3 --- /dev/null +++ b/security/mac/hardenedruntime/plugin-container.production.entitlements.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the plugin-container.app bundle during + codesigning of production channel builds. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page in-time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Don't allow debugging of the executable. Debuggers will be prevented + from attaching to running executables. Notarization does not permit + access to get-task-allow (as documented by Apple) so this must be + disabled on notarized builds. --> + <key>com.apple.security.get-task-allow</key><false/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- Allow Firefox to send Apple events to other applications. Needed + for native messaging webextension helper applications launched by + Firefox which rely on Apple Events to signal other processes. --> + <key>com.apple.security.automation.apple-events</key><true/> + </dict> +</plist> diff --git a/security/mac/hardenedruntime/production.entitlements.xml b/security/mac/hardenedruntime/production.entitlements.xml new file mode 100644 index 0000000000..4d7996d276 --- /dev/null +++ b/security/mac/hardenedruntime/production.entitlements.xml @@ -0,0 +1,45 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<!-- + Entitlements to apply to the .app bundle and all executable files + contained within it during codesigning of production channel builds that + will be notarized. These entitlements enable hardened runtime protections + to the extent possible for Firefox. +--> +<plist version="1.0"> + <dict> + <!-- Firefox does not use MAP_JIT for executable mappings --> + <key>com.apple.security.cs.allow-jit</key><false/> + + <!-- Firefox needs to create executable pages (without MAP_JIT) --> + <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/> + + <!-- Code paged in from disk should match the signature at page in-time --> + <key>com.apple.security.cs.disable-executable-page-protection</key><false/> + + <!-- Allow loading third party libraries. Needed for Flash and CDMs --> + <key>com.apple.security.cs.disable-library-validation</key><true/> + + <!-- Allow dyld environment variables. Needed because Firefox uses + dyld variables to load libaries from within the .app bundle. --> + <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/> + + <!-- Don't allow debugging of the executable. Debuggers will be prevented + from attaching to running executables. Notarization does not permit + access to get-task-allow (as documented by Apple) so this must be + disabled on notarized builds. --> + <key>com.apple.security.get-task-allow</key><false/> + + <!-- Firefox needs to access the microphone on sites the user allows --> + <key>com.apple.security.device.audio-input</key><true/> + + <!-- Firefox needs to access the camera on sites the user allows --> + <key>com.apple.security.device.camera</key><true/> + + <!-- Firefox needs to access the location on sites the user allows --> + <key>com.apple.security.personal-information.location</key><true/> + + <!-- For SmartCardServices(7) --> + <key>com.apple.security.smartcard</key><true/> + </dict> +</plist> |