From c9925219955d3cb841c919c2da56d3122c83f4c1 Mon Sep 17 00:00:00 2001
From: Erik Joelsson
Date: Thu, 14 May 2020 06:58:59 -0700
Subject: [PATCH] 8244951: Missing entitlements for hardened runtime
Reviewed-by: ihse
---
 make/CompileJavaModules.gmk | 2 +-
 make/common/NativeCompilation.gmk | 15 +++++-
 .../{entitlements.plist => default.plist} | 0
 .../data/macosxsigning/java.plist | 4 +-
 make/data/macosxsigning/jspawnhelper.plist | 8 ++++
 .../modules/jdk.incubator.jpackage/Gensrc.gmk | 46 +++++++++++++++++++
 6 files changed, 72 insertions(+), 3 deletions(-)
 rename make/data/macosxsigning/{entitlements.plist => default.plist} (100%)
 rename src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist => make/data/macosxsigning/java.plist (72%)
 create mode 100644 make/data/macosxsigning/jspawnhelper.plist
 create mode 100644 make/modules/jdk.incubator.jpackage/Gensrc.gmk
diff --git a/make/CompileJavaModules.gmk b/make/CompileJavaModules.gmk
index 9d46af5bfb2..85c2232ec7f 100644
--- a/make/CompileJavaModules.gmk
+++ b/make/CompileJavaModules.gmk
@@ -384,7 +384,7 @@ endif
 jdk.incubator.jpackage_COPY += .gif .png .txt .spec .script .prerm .preinst \
 .postrm .postinst .list .sh .desktop .copyright .control .plist .template \
- .icns .scpt .entitlements .wxs .wxl .wxi .ico .bmp .tiff
+ .icns .scpt .wxs .wxl .wxi .ico .bmp .tiff
 jdk.incubator.jpackage_CLEAN += .properties
diff --git a/make/common/NativeCompilation.gmk b/make/common/NativeCompilation.gmk
index 4bce970dd33..1b30ff9e4f9 100644
--- a/make/common/NativeCompilation.gmk
+++ b/make/common/NativeCompilation.gmk
@@ -266,6 +266,19 @@ else
 endif
 endif
+################################################################################
+# GetEntitlementsFile
+# Find entitlements file for executable when signing on macosx. If no
+# specialized file is found, returns the default file.
+# $1 Executable to find entitlements file for.
+ENTITLEMENTS_DIR := $(TOPDIR)/make/data/macosxsigning
+DEFAULT_ENTITLEMENTS_FILE := $(ENTITLEMENTS_DIR)/default.plist
+
+GetEntitlementsFile = \
+ $(foreach f, $(ENTITLEMENTS_DIR)/$(strip $(notdir $1)).plist, \
+ $(if $(wildcard $f), $f, $(DEFAULT_ENTITLEMENTS_FILE)) \
+ )
+
 ################################################################################
 # Create the recipe needed to compile a single native source file.
 #
@@ -1183,7 +1196,7 @@ define SetupNativeCompilationBody
 # silently fail otherwise.
 ifneq ($(CODESIGN), )
 $(CODESIGN) -s "$(MACOSX_CODESIGN_IDENTITY)" --timestamp --options runtime \
- --entitlements $(TOPDIR)/make/data/macosxsigning/entitlements.plist $$@
+ --entitlements $$(call GetEntitlementsFile, $$@) $$@
 endif
 endif
diff --git a/make/data/macosxsigning/entitlements.plist b/make/data/macosxsigning/default.plist
similarity index 100%
rename from make/data/macosxsigning/entitlements.plist
rename to make/data/macosxsigning/default.plist
diff --git a/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist b/make/data/macosxsigning/java.plist
similarity index 72%
rename from src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist
rename to make/data/macosxsigning/java.plist
index 677d0cc0408..b6f2a13ffa9 100644
--- a/src/jdk.incubator.jpackage/macosx/classes/jdk/incubator/jpackage/internal/resources/entitlements.plist
+++ b/make/data/macosxsigning/java.plist
@@ -1,5 +1,5 @@ - + com.apple.security.cs.allow-jit
@@ -12,5 +12,7 @@
 com.apple.security.cs.debugger
+ com.apple.security.device.audio-input
+
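Review bot: GetEntitlementsFile in the `@@ -266,6 +266,19 @@` hunk selects the plist from the executable's basename alone, `$(notdir $1)`, so every target named `java` or `jspawnhelper` that is signed through SetupNativeCompilation receives the per-binary entitlements regardless of which module builds it. A renamed or misspelled plist is also not an error: the `$(wildcard $f)` test silently falls back to default.plist, and the binary is signed with a different entitlement set than intended. The header comment should say so, for example `# Lookup is by basename only; a missing <name>.plist silently falls back to default.plist.` Logging the chosen file in the signing step would make that fallback visible in build logs.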
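Review bot: The plist returned by `$$(call GetEntitlementsFile, $$@)` in the `@@ -1183,7 +1196,7 @@` hunk is consumed by the codesign recipe, but nothing in this hunk makes it a prerequisite of the signed target. If the rule header does not list it either, editing or tightening an entitlements file will not cause an incremental build to re-sign the binary, which keeps its old entitlements until something else forces a relink. The rule header of SetupNativeCompilationBody lies outside the hunk, so this needs confirming there; the fix would be to add the selected entitlements file to the target's prerequisites.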
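Review bot: The `@@ -12,5 +12,7 @@` hunk adds `com.apple.security.device.audio-input` to java.plist next to the existing `com.apple.security.cs.debugger`, with no record of why the launcher needs either hardened-runtime exception. The same patch copies this file into jpackage as its `entitlements.plist` resource (Gensrc.gmk), so the launcher's set appears to become what jpackage applies to packaged applications as well. The new jspawnhelper.plist has the same gap for `com.apple.security.cs.allow-dyld-environment-variables`. I would add a short XML comment above each key naming the feature that requires it, so a later reviewer can tell which entitlements can be dropped and whether packaged applications should inherit all of them.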
diff --git a/make/data/macosxsigning/jspawnhelper.plist b/make/data/macosxsigning/jspawnhelper.plist
new file mode 100644
index 00000000000..484f4e01528
--- /dev/null
+++ b/make/data/macosxsigning/jspawnhelper.plist
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.security.cs.allow-dyld-environment-variables
+
+
+
diff --git a/make/modules/jdk.incubator.jpackage/Gensrc.gmk b/make/modules/jdk.incubator.jpackage/Gensrc.gmk
new file mode 100644
index 00000000000..a62c8d45d53
--- /dev/null
+++ b/make/modules/jdk.incubator.jpackage/Gensrc.gmk
@@ -0,0 +1,46 @@
+#
+# Copyright (c) 2020, Oracle and/or its affiliates. All rights reserved.
+# DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+#
+# This code is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License version 2 only, as
+# published by the Free Software Foundation. Oracle designates this
+# particular file as subject to the "Classpath" exception as provided
+# by Oracle in the LICENSE file that accompanied this code.
+#
+# This code is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+# version 2 for more details (a copy is included in the LICENSE file that
+# accompanied this code).
+#
+# You should have received a copy of the GNU General Public License version
+# 2 along with this work; if not, write to the Free Software Foundation,
+# Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+#
+# Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+# or visit www.oracle.com if you need additional information or have any
+# questions.
+#
+
+include GensrcCommonJdk.gmk
+
+################################################################################
+# Copy the entitlements file for the java launcher to jpackage as a resource.
+
+ifeq ($(call isTargetOs, macosx), true)
+ ENTITLEMENTS_SRC_FILE := $(TOPDIR)/make/data/macosxsigning/java.plist
+ ENTITLEMENTS_TARGET_FILE := \
+ $(SUPPORT_OUTPUTDIR)/gensrc/$(MODULE)/jdk/incubator/jpackage/internal/resources/entitlements.plist
+
+ $(ENTITLEMENTS_TARGET_FILE): $(ENTITLEMENTS_SRC_FILE)
+ $(call install-file)
+
+ TARGETS := $(ENTITLEMENTS_TARGET_FILE)
+endif
+
+################################################################################
+
+all: $(TARGETS)
+
+.PHONY: all
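Review bot: Inside the `ifeq ($(call isTargetOs, macosx), true)` block, `TARGETS := $(ENTITLEMENTS_TARGET_FILE)` overwrites anything GensrcCommonJdk.gmk may already have placed in TARGETS, and on every other OS `all: $(TARGETS)` depends on a variable this file never sets. Appending covers both cases: `TARGETS += $(ENTITLEMENTS_TARGET_FILE)`. Whether the included file defines TARGETS is not visible in this patch, so the overwrite concern needs confirming against it.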