Open Bug 1858573 Opened 11 months ago Updated 2 months ago

Adopt macOS Launch Environment and Library Constraints

Categories: Core :: Security: Process Sandboxing, enhancement, P3
Platform: Desktop, macOS
People: Reporter: haik, Unassigned
References: Depends on 1 open bug

Details

Starting with macOS Sonoma, applications can embed constraints about their required launch environment and loadable libraries per-executable. The constraints are added at the codesigning step much like entitlements.

For any executable using com.apple.security.cs.disable-library-validation, this allows the developer to limit which libraries can be loaded. We can have a list of acceptable team IDs or, at a minimum, require the library be signed with an Apple Developer ID cert.

Some possible use cases:

  1. Limit the Media Plugin Helper process so that it can only load modules signed by the CDM providers.

  2. Only allow child processes to be launched by the browser process.

Docs:
https://developer.apple.com/documentation/security/defining_launch_environment_and_library_constraints

WWDC Video:
https://developer.apple.com/videos/play/wwdc2023/10266/

This will require us to upgrade our signing machines to have a version of codesign that supports specifying these constraints.

Severity: -- → S3
Priority: -- → P3
Severity: S3 → N/A
Depends on: 1861225
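An added example, not code from the bug, mozilla-central or rcodesign: a shell script that writes the two constraint dictionaries the use cases above call for (a library constraint limited to a list of team IDs, and a parent launch constraint so a child executable only runs under the browser process) and applies them in the same codesign invocation as the entitlements. The team IDs, the browser signing identifier org.example.browser, the signing identity and the binary path are placeholders. It assumes the constraint-dictionary syntax from the Apple documentation linked above (keys in one dictionary are all required, "$in" matches any value in an array) and the codesign flags --library-constraint and --launch-constraint-parent, which need the Sonoma-era codesign the bug says the signing machines lack.

```shell
#!/bin/sh
# Added example, not mozilla-central or rcodesign code.  Writes the two
# constraint dictionaries and signs a child executable with them.
# Team IDs, signing identifier, identity and binary path are placeholders.
set -eu

# Use case 1: a library constraint that only admits libraries whose
# signature carries one of the listed team IDs.  All keys in a constraint
# dictionary must hold; "$in" matches any value in the array.
write_library_constraint() {
  out=$1; shift
  {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>team-identifier</key>
  <dict>
    <key>$in</key>
    <array>
EOF
    for team in "$@"; do
      printf '      <string>%s</string>\n' "$team"
    done
    cat <<'EOF'
    </array>
  </dict>
</dict>
</plist>
EOF
  } > "$out"
}

# Use case 2: a parent launch constraint for a child executable, so it
# only starts when its parent process matches the browser's signing
# identifier and team ID (both keys must match).
write_parent_constraint() {
  out=$1; signing_id=$2; team=$3
  {
    cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
EOF
    printf '  <key>signing-identifier</key>\n  <string>%s</string>\n' "$signing_id"
    printf '  <key>team-identifier</key>\n  <string>%s</string>\n' "$team"
    cat <<'EOF'
</dict>
</plist>
EOF
  } > "$out"
}

# Constraints are part of the code signature, so they must be passed in the
# same codesign run as the entitlements; re-signing without them drops them.
apply_constraints() {
  binary=$1; identity=$2; lib_plist=$3; parent_plist=$4; entitlements=$5
  codesign --force --sign "$identity" --options runtime \
    --entitlements "$entitlements" \
    --library-constraint "$lib_plist" \
    --launch-constraint-parent "$parent_plist" \
    "$binary"
}

workdir=$(mktemp -d)
# Placeholder team IDs standing in for the CDM providers' team IDs.
write_library_constraint "$workdir/library.plist" AAAA1111BB CCCC2222DD
# Placeholder signing identifier and team ID for the browser process.
write_parent_constraint "$workdir/parent.plist" org.example.browser TEAMID0000

# Sign only when binary, identity and entitlements file are given on the
# command line; codesign exists only on macOS.
if [ $# -ge 3 ]; then
  apply_constraints "$1" "$2" "$workdir/library.plist" "$workdir/parent.plist" "$3"
fi
```

Usage: `sh constrain.sh /path/to/plugin-container "Developer ID Application: Example (TEAMID0000)" entitlements.plist`. Without arguments it only writes the two plists under a temporary directory, which is enough to inspect the dictionaries before the signing step.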

Gregory Szorc added initial support for this in rcodesign, which may be an option for getting launch and library constraints without upgrading macOS. More testing needed.
