8244951: Missing entitlements for hardened runtime

Reviewed-by: ihse
2020-05-14 06:58:59 -07:00 · 2020-05-14 06:58:59 -07:00 · c992521995
commit c992521995
parent 0cc7f3585f
6 changed files with 72 additions and 3 deletions
--- a/make/CompileJavaModules.gmk
+++ b/make/CompileJavaModules.gmk
@ -384,7 +384,7 @@ endif

 jdk.incubator.jpackage_COPY += .gif .png .txt .spec .script .prerm .preinst \
    .postrm .postinst .list .sh .desktop .copyright .control .plist .template \
-    .icns .scpt .entitlements .wxs .wxl .wxi .ico .bmp .tiff
+    .icns .scpt .wxs .wxl .wxi .ico .bmp .tiff

 jdk.incubator.jpackage_CLEAN += .properties

--- a/make/common/NativeCompilation.gmk
+++ b/make/common/NativeCompilation.gmk
@ -266,6 +266,19 @@ else
  endif
 endif

+################################################################################
+# GetEntitlementsFile
+# Find entitlements file for executable when signing on macosx. If no
+# specialized file is found, returns the default file.
+# $1 Executable to find entitlements file for.
+ENTITLEMENTS_DIR := $(TOPDIR)/make/data/macosxsigning
+DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default.plist
+
+GetEntitlementsFile = \
+    $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1)).plist, \
+      $(if $(wildcard $f), $f, $(DEFAULT_ENTITLEMENTS_FILE)) \
+    )
+
 ################################################################################
 # Create the recipe needed to compile a single native source file.
 #
@ -1183,7 +1196,7 @@ define SetupNativeCompilationBody
                # silently fail otherwise.
                ifneq ($(CODESIGN), )
 		  $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
-		  --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
+		      --entitlements $$(call GetEntitlementsFile, $$@) $$@
                endif
  endif

--- a/make/data/macosxsigning/entitlements.plist
+++ b/make/data/macosxsigning/entitlements.plist
--- a/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist
+++ b/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist
@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
    <key>com.apple.security.cs.allow-jit</key>
@ -12,5 +12,7 @@
    <true/>
    <key>com.apple.security.cs.debugger</key>
    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
 </dict>
 </plist>
--- a/make/data/macosxsigning/jspawnhelper.plist
+++ b/make/data/macosxsigning/jspawnhelper.plist
@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <true/>
+  </dict>
+</plist>
--- a/make/modules/jdk.incubator.jpackage/Gensrc.gmk
+++ b/make/modules/jdk.incubator.jpackage/Gensrc.gmk
@ -0,0 +1,46 @@
+#
+# Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation.  Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include GensrcCommonJdk.gmk
+
+################################################################################
+# Copy the entitlements file for the java launcher to jpackage as a resource.
+
+ifeq ($(call isTargetOs, macosx), true)
+  ENTITLEMENTS_SRC_FILE := $(TOPDIR)/make/data/macosxsigning/java.plist
+  ENTITLEMENTS_TARGET_FILE := \
+      $(SUPPORT_OUTPUTDIR)/gensrc/$(MODULE)/jdk/incubator/jpackage/internal/resources/entitlements.plist
+
+  $(ENTITLEMENTS_TARGET_FILE): $(ENTITLEMENTS_SRC_FILE)
+	$(call install-file)
+
+  TARGETS := $(ENTITLEMENTS_TARGET_FILE)
+endif
+
+################################################################################
+
+all: $(TARGETS)
+
+.PHONY: all