Closed Bug 1474451 Opened 7 years ago Closed 2 years ago

Deploy Enhanced Runtime on Mac without com.apple.security.cs.allow-unsigned-executable-memory

Categories

(Core :: Security: Process Sandboxing, enhancement, P3)

63 Branch
Unspecified
macOS
enhancement

Tracking

()

RESOLVED FIXED
126 Branch
Tracking Status
firefox63 --- wontfix
firefox126 --- fixed

People

(Reporter: haik, Assigned: haik)

References

(Blocks 1 open bug)

Details

(Keywords: sec-want, Whiteboard: [adv-main126-])

Attachments

(1 file)

This is the Mac equivalent to Bug 1381050 - Deploy Arbitrary Code Guard (ACG) on Windows. If we have OOP JIT and have enabled the Enhanced Runtime, we can use the stronger code signing protection of Enhanced Runtime.
Depends on: 1348341, 1470597
Priority: -- → P3
See Also: → 1381050
Keywords: sec-want
Depends on: mojave-sdk
Summary: Deploy Enhanced Runtime on Mac without com.apple.security.cs.allow-jit → Deploy Enhanced Runtime on Mac without com.apple.security.cs.allow-unsigned-executable-memory
Depends on: 1593072
No longer depends on: mojave-sdk

The fix for bug 1593072 will allow us to apply different hardened runtime settings to different processes. For example, to only allow com.apple.security.cs.allow-unsigned-executable-memory for the processes that run JS.

Severity: normal → S3
Depends on: 1474447

After bug 1474447 we'll no longer need com.apple.security.cs.allow-unsigned-executable-memory for the JS JITs, only for the PoisonIOInterposer.

The JITs will rely on com.apple.security.cs.allow-jit.

IIRC the IO interposer isn't used on release so we could at least try to improve the situation there.

(In reply to Jan de Mooij [:jandem] from comment #2)

> After bug 1474447 we'll no longer need com.apple.security.cs.allow-unsigned-executable-memory for the JS JITs, only for the PoisonIOInterposer.
>
> The JITs will rely on com.apple.security.cs.allow-jit.
>
> IIRC the IO interposer isn't used on release so we could at least try to improve the situation there.

For now, we're using common entitlement files (in security/mac/hardenedruntime/v2/production) for content processes, but channel-specific entitlement files for the parent process executable (Firefox, Dev Edition, and Nightly).

If we need to keep com.apple.security.cs.allow-unsigned-executable-memory for the interposer, we can land a change to use channel-specific entitlement files for content processes and then remove com.apple.security.cs.allow-unsigned-executable-memory from Beta and Release. I can take care of that before or after bug 1474447 lands.

For testing purposes, we can use a project-repo to build Nightly with MOZ_DISABLE_POISON_IO_INTERPOSER=1 and com.apple.security.cs.allow-unsigned-executable-memory removed with official certs so we don't have to wait until Beta.

(In reply to Haik Aftandilian [:haik] from comment #3)

> If we need to keep com.apple.security.cs.allow-unsigned-executable-memory for the interposer, we can land a change to use channel-specific entitlement files for content processes and then remove com.apple.security.cs.allow-unsigned-executable-memory from Beta and Release. I can take care of that before or after bug 1474447 lands.

Looking at callers of IOInterposer::Init() we have:

  1. AutoIOInterposer::Init. Checks EARLY_BETA_OR_EARLIER.
  2. ActivePS in the profiler code (two calls). Checks !defined(RELEASE_OR_BETA).

It's only used on Nightly and early Beta. Bug 1666310 extended (1) to early Beta. If it makes things easier we could consider reverting that, or only on macOS.

As Jan explained above in comment 4, the PoisonIOInterposer on Mac is enabled on EARLY_BETA_OR_EARLIER at present for x64 only. We have no arm64 implementation of mach_override_ptr which it depends on. The Mac PoisonIOInterposer depends on having the com.apple.security.cs.allow-unsigned-executable-memory entitlement so that it can modify library code using mach_override_ptr.

My plan with this is to drop com.apple.security.cs.allow-unsigned-executable-memory and temporarily disable the PoisonIOInterposer on macOS so that the entitlement change can have test time on Nightly. Once the entitlement change rides the trains, I will add back the entitlement for Nightly only and re-enable the PoisonIOInterposer for Nightly only.

Remove the allow-unsigned-executable-memory entitlement and temporarily disable PoisonIOInterposer on x64 macOS.

On Mac, the PoisonIOInterposer is already limited to x64 and only enabled on Nightly and early Beta. Disable it for now to be re-enabled on Nightly-only after dynamic memory disablement ships and is also re-enabled on Nightly-only. Observability of IO on x64 macOS will be impacted until PoisonIOInterposer is re-enabled.
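The per-channel entitlement policy discussed in comments 3 through 5 (JIT code needs only allow-jit; allow-unsigned-executable-memory is justified only where the PoisonIOInterposer runs) can be checked mechanically against the entitlement plists that codesign consumes. The script below is an added example, not Mozilla's code or part of this bug's patch: the channel names, the policy table and the two sample plists are constructed assumptions modelled on the thread, not the real files under security/mac/hardenedruntime.

```python
"""Audit macOS hardened-runtime entitlement plists for executable-memory entitlements.

Added example, not Mozilla's code. It models the policy described in this bug:
JIT code needs only com.apple.security.cs.allow-jit, while
com.apple.security.cs.allow-unsigned-executable-memory is justified only on the
channel where the PoisonIOInterposer runs (Nightly). The channel names, the
POLICY table and the sample plists below are constructed assumptions.
"""
import plistlib

ALLOW_JIT = "com.apple.security.cs.allow-jit"
ALLOW_UNSIGNED = "com.apple.security.cs.allow-unsigned-executable-memory"
EXEC_MEMORY_KEYS = {ALLOW_JIT, ALLOW_UNSIGNED}

# Assumed per-channel policy: which executable-memory entitlements a content
# process may carry on each channel.
POLICY = {
    "nightly": {ALLOW_JIT, ALLOW_UNSIGNED},  # interposer patches library code here
    "beta": {ALLOW_JIT},
    "release": {ALLOW_JIT},
}

# Constructed sample: a content-process entitlement file carrying both
# entitlements (the weak setting that this bug removes from Beta/Release) ...
BEFORE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
  <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
  <true/>
</dict>
</plist>
"""

# ... and the hardened form that keeps only allow-jit for the JS JITs.
AFTER = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-jit</key>
  <true/>
</dict>
</plist>
"""


def load_entitlements(plist_bytes):
    """Parse an XML entitlements plist into a dict (the format codesign consumes)."""
    return plistlib.loads(plist_bytes)


def audit(plist_bytes, channel):
    """Return executable-memory entitlements granted but not allowed on `channel`."""
    ents = load_entitlements(plist_bytes)
    granted = {k for k in EXEC_MEMORY_KEYS if ents.get(k) is True}
    return sorted(granted - POLICY[channel])


def harden(plist_bytes, channel):
    """Produce a new plist with the entitlements flagged by audit() removed."""
    ents = load_entitlements(plist_bytes)
    for key in audit(plist_bytes, channel):
        del ents[key]
    return plistlib.dumps(ents, fmt=plistlib.FMT_XML)


if __name__ == "__main__":
    for name, blob in (("before", BEFORE), ("after", AFTER)):
        for channel in POLICY:
            print(name, channel, audit(blob, channel) or "ok")
```

On a Mac the same check can be run against a signed build rather than a source plist by feeding `audit()` the output of `codesign -d --entitlements :- <path-to-binary>`, which prints the embedded entitlements as XML; the point of keeping the policy in a table is that a Nightly-only exception (as planned in comment 5) is a one-line change that the audit then enforces for every other channel.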

Assignee: nobody → haftandilian
Status: NEW → ASSIGNED
Pushed by haftandilian@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a5a5503947d4 Deploy Enhanced Runtime on Mac without the allow-unsigned-executable-memory entitlement r=spohl,florian,dthayer
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 126 Branch
Blocks: 1887689
See Also: → 1886051
Whiteboard: [adv-main126-]
No longer depends on: 1348341