Closed Bug 1593072 Opened 5 years ago Closed 6 months ago

[macOS] [automation] Use different entitlement files for child processes and other resources

Categories

(Firefox Build System :: General, enhancement)

Unspecified
macOS
enhancement

Tracking

(firefox119 fixed)

RESOLVED FIXED
119 Branch
Tracking Status
firefox119 --- fixed

People

(Reporter: haik, Assigned: haik)

References

(Blocks 1 open bug, Regressed 1 open bug)

Details

(Keywords: sec-want, Whiteboard: hardening, [adv-main119-])

Attachments

(4 files)

We can get some hardening benefits by using different entitlements for different processes. However, first we need to be able to specify which entitlement files should be used for which files in the .app and add support for this in our codesigning automation.

Depends on: 1593071
Blocks: 1562756
Summary: [macOS] Use different entitlement files for child processes and other resources → [macOS] [automation] Use different entitlement files for child processes and other resources

Bug 1593071 landed the following files to sign the parent process and plugin-container process executables. Once the fix for this bug has landed and we've switched to using the new files for codesigning, we can remove the older production.entitlements.xml and developer.entitlements.xml.

browser.developer.entitlements.xml
browser.production.entitlements.xml
plugin-container.developer.entitlements.xml
plugin-container.production.entitlements.xml

And codesign.bash was updated to apply those to the bundle, but also to only sign the executables using entitlements.

Depends on: 1606746
Depends on: 1606778
Depends on: 1617047
Depends on: 1623878
Blocks: 1474451
Blocks: 1606778
No longer depends on: 1606778
No longer blocks: 1562756
Depends on: 1779816

Clarification of what is needed here: control of which entitlements each file in the .app bundle is signed with, using a file in the tree.

When we codesign the files that end up being in the macOS .app bundle, one of the inputs to the codesign invocation is an entitlement file which contains a list of macOS entitlements. For executables, the entitlements turn on or off security hardening features. At present, our codesigning consumes one entitlement file (there are production and developer versions) from mozilla-central and uses the entitlements in the file to codesign all files. That is, all files are codesigned with the same entitlements.

With this fix, we would like to be able to specify an entitlement file for each file in the .app so that each file can be signed with different entitlements. In practice, we are likely to have one empty entitlement file for resource files, one for the parent process executable, and one for each child process executable (of which there is one for now).

I use this script for testing different entitlement configurations. The script consumes a json configuration file that is a mapping between files in a directory and an entitlement file. The script runs the macOS codesign command and applies the specified entitlements and options for each file. We don't need to use this, but the request is for something equivalent so that a file in mozilla-central would control which entitlements are used for each file.

Once we have this capability, we can enable stronger entitlements for Firefox.
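An added example (not code from this bug or from mozilla-central) of the mapping described in the comment above: a constructed JSON config pairing each bundle file with an entitlement file, the per-file codesign invocation built from it, and a check that the library-validation opt-out which Patch 3 reserves for media-plugin-helper is granted to no other file. The entitlement file names, bundle paths and the entitlement keys assigned to each file are assumptions.

```python
import json
import plistlib

# Real Apple entitlement key; Patch 3 above limits it to media-plugin-helper.
LIBRARY_VALIDATION_OPT_OUT = "com.apple.security.cs.disable-library-validation"
ALLOW_JIT = "com.apple.security.cs.allow-jit"

# Constructed sample entitlement files (name -> plist bytes); the keys are
# real hardened-runtime entitlements, their per-file assignment is assumed.
ENTITLEMENT_FILES = {
    "empty.entitlements.xml": plistlib.dumps({}),
    "browser.production.entitlements.xml": plistlib.dumps({ALLOW_JIT: True}),
    "plugin-container.production.entitlements.xml": plistlib.dumps({ALLOW_JIT: True}),
    "media-plugin-helper.production.entitlements.xml":
        plistlib.dumps({LIBRARY_VALIDATION_OPT_OUT: True}),
}

# Constructed JSON config: bundle-relative path -> entitlement file name.
# The bundle paths are hypothetical; only the mapping shape matters.
MEDIA_HELPER = "Contents/MacOS/media-plugin-helper.app/Contents/MacOS/media-plugin-helper"
SAMPLE_CONFIG_JSON = json.dumps({
    "Contents/MacOS/firefox": "browser.production.entitlements.xml",
    "Contents/MacOS/plugin-container.app/Contents/MacOS/plugin-container":
        "plugin-container.production.entitlements.xml",
    MEDIA_HELPER: "media-plugin-helper.production.entitlements.xml",
    "Contents/Resources/omni.ja": "empty.entitlements.xml",
})

def load_plan(config_json, entitlement_files):
    """Parse the mapping, failing early on an unknown entitlement file."""
    plan = json.loads(config_json)
    for rel_path, ent_name in plan.items():
        if ent_name not in entitlement_files:
            raise ValueError(f"{rel_path}: unknown entitlement file {ent_name}")
    return plan

def codesign_argv(bundle_root, rel_path, entitlement_path, identity):
    """Build one per-file codesign invocation with the hardened runtime on."""
    return ["codesign", "--force", "--options", "runtime", "--timestamp",
            "--sign", identity, "--entitlements", entitlement_path,
            f"{bundle_root}/{rel_path}"]

def audit_plan(plan, entitlement_files, allowed_unsigned_libs):
    """Return (path, entitlement) pairs granting the opt-out outside the allowed set."""
    findings = []
    for rel_path, ent_name in plan.items():
        ents = plistlib.loads(entitlement_files[ent_name])
        if ents.get(LIBRARY_VALIDATION_OPT_OUT) and rel_path not in allowed_unsigned_libs:
            findings.append((rel_path, ent_name))
    return findings
```

Running the audit in CI before the codesign loop turns an accidental widening of the opt-out into a build failure rather than a shipped weaker binary.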

Blocks: 1617047
No longer depends on: 1617047
Severity: normal → S3
Keywords: sec-want
Whiteboard: hardening
Blocks: 1593389

Removes the macOS entitlements zip file that was added for bug 1606746.

The file was intended to be consumed by codesigning task workers, but was never used.

Our new entitlement configuration and signing will not use the file.

Move existing entitlement files into a v1 directory and remove unused versions.

Depends on D187243

Add separate entitlement lists for the parent process, plugin-container, and media-plugin-helper executables. For production codesigning versions, only allow loading of unsigned libraries by the media-plugin-helper executable.

Depends on D187244

Assignee: nobody → haftandilian
Attachment #9351138 - Attachment description: WIP: Bug 1593072 - Patch 1 - Remove unused macOS entitlements artifact zip → Bug 1593072 - Patch 1 - Remove unused macOS entitlements artifact zip r?hneiva
Status: NEW → ASSIGNED
Attachment #9351139 - Attachment description: WIP: Bug 1593072 - Patch 2 - Move existing entitlement files into a v1 directory → Bug 1593072 - Patch 2 - Move existing entitlement files into a v1 directory r?spohl
Attachment #9351140 - Attachment description: WIP: Bug 1593072 - Patch 3 - Add parent process, plugin-container, and media-plugin-container entitlement files as v2 versions → Bug 1593072 - Patch 3 - Add parent process, plugin-container, and media-plugin-container entitlement files as v2 versions r?spohl
Attachment #9351140 - Attachment description: Bug 1593072 - Patch 3 - Add parent process, plugin-container, and media-plugin-container entitlement files as v2 versions r?spohl → Bug 1593072 - Patch 3 - Add parent process, plugin-container, media-plugin-container, and utility entitlement files as v2 versions r?spohl
Pushed by hneiva@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/cdd2cc950059
Patch 1 - Remove unused macOS entitlements artifact zip r=hneiva
https://hg.mozilla.org/integration/autoland/rev/4b9fab3a84ee
Patch 2 - Move existing entitlement files into a v1 directory r=spohl
https://hg.mozilla.org/integration/autoland/rev/988502c89209
Patch 3 - Add parent process, plugin-container, media-plugin-container, and utility entitlement files as v2 versions r=spohl
https://hg.mozilla.org/integration/autoland/rev/9bba69291ffa
Patch 4 - Add hardened signing config and enable it r=bhearsum,haik,taskgraph-reviewers,releng-reviewers
See Also: → 1853891
Duplicate of this bug: 1606778
Duplicate of this bug: 1617047
Regressions: 1853913
Regressions: 1856613
See Also: → 1856972
Regressions: 1856972
Whiteboard: hardening → hardening, [adv-main119-]
Regressions: 1860468
