vlc | branch: master | David Fuhrmann <[email protected]> | Tue Oct 23 
23:21:41 2018 +0200| [77548a174cea044f4a4a1909c3e9371df44d1e6d] | committer: 
David Fuhrmann

macOS codesign: Add option to enable runtime hardening for macOS Mojave

Runtime hardening restricts what the application can do, while not being
a full sandbox. For instance, only signed code is loaded by default, and
certain personal data is restricted in access.

The following flags / options are set for now:
- Allow execution of JIT code: For Lua Scripts
- Disable library validation: libraries are also loaded if they are signed
  by the developer certificate of another developer, not from VideoLAN
  (still, unsigned libs are not loaded anymore)
- Audio input access: For qtsound
- Camera access: For avcapture
- Apple Events: To control iTunes and Spotify

> http://git.videolan.org/gitweb.cgi/vlc.git/?a=commit;h=77548a174cea044f4a4a1909c3e9371df44d1e6d
---

 extras/package/macosx/VLC.xcodeproj/project.pbxproj | 17 +++++++++++++++--
 extras/package/macosx/codesign.sh                   | 13 +++++++++++--
 extras/package/macosx/package.mak                   |  1 +
 extras/package/macosx/vlc-hardening.entitlements    | 16 ++++++++++++++++
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/extras/package/macosx/VLC.xcodeproj/project.pbxproj 
b/extras/package/macosx/VLC.xcodeproj/project.pbxproj
index e12ff37933..7dcbd72816 100644
--- a/extras/package/macosx/VLC.xcodeproj/project.pbxproj
+++ b/extras/package/macosx/VLC.xcodeproj/project.pbxproj
@@ -160,6 +160,7 @@
                1C67C8A71D58C0A40079E1C1 /* VLCAboutWindowController.m */ = 
{isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = 
sourcecode.c.objc; path = VLCAboutWindowController.m; sourceTree = "<group>"; };
                1C7CB91A1D787E7600388902 /* VLCPopupPanelController.h */ = {isa 
= PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path 
= VLCPopupPanelController.h; sourceTree = "<group>"; };
                1C7CB91B1D787E7600388902 /* VLCPopupPanelController.m */ = {isa 
= PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; 
path = VLCPopupPanelController.m; sourceTree = "<group>"; };
+               1C864182217D318900D2CF7C /* vlc-hardening.entitlements */ = 
{isa = PBXFileReference; lastKnownFileType = text.plist.entitlements; path = 
"vlc-hardening.entitlements"; sourceTree = "<group>"; };
                1CAC3EE620CD1B3B00613DB2 /* VLCVideoOutputProvider.m */ = {isa 
= PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; 
path = VLCVideoOutputProvider.m; sourceTree = "<group>"; };
                1CAC3EE720CD1B3B00613DB2 /* VLCVideoOutputProvider.h */ = {isa 
= PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path 
= VLCVideoOutputProvider.h; sourceTree = "<group>"; };
                1CAEBBFF1E1EC0A400A99E49 /* VLCFSPanelDraggableView.h */ = {isa 
= PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path 
= VLCFSPanelDraggableView.h; sourceTree = "<group>"; };
@@ -578,6 +579,7 @@
                089C166AFE841209C02AAC07 /* vlc */ = {
                        isa = PBXGroup;
                        children = (
+                               1C864182217D318900D2CF7C /* 
vlc-hardening.entitlements */,
                                CC6C01A40DDF3E7800C7D754 /* Minimal macOS 
interface */,
                                CCC8957F0D9A8A61005AE59C /* macOS-specific 
libvlc source files */,
                                08FB77AFFE84173DC02AAC07 /* macOS Interface 
Classes */,
@@ -1540,10 +1542,15 @@
                                TargetAttributes = {
                                        1CCB5F2E1A62A6A5004C3E90 = {
                                                CreatedOnToolsVersion = 6.1.1;
+                                               SystemCapabilities = {
+                                                       
com.apple.HardenedRuntime = {
+                                                               enabled = 1;
+                                                       };
+                                               };
                                        };
                                };
                        };
-                       buildConfigurationList = C2F2A6EA09588F1B00018C74 /* 
Build configuration list for PBXProject "VLC" */;
+                       buildConfigurationList = C2F2A6EA09588F1B00018C74 /* 
Build configuration list for PBXProject "vlc" */;
                        compatibilityVersion = "Xcode 6.3";
                        developmentRegion = English;
                        hasScannedForEncodings = 1;
@@ -1696,9 +1703,11 @@
                        buildSettings = {
                                ALWAYS_SEARCH_USER_PATHS = NO;
                                CLANG_ENABLE_OBJC_ARC = YES;
+                               CODE_SIGN_ENTITLEMENTS = 
"vlc-hardening.entitlements";
                                CODE_SIGN_IDENTITY = "";
                                COMBINE_HIDPI_IMAGES = YES;
                                COPY_PHASE_STRIP = NO;
+                               ENABLE_HARDENED_RUNTIME = YES;
                                FRAMEWORK_SEARCH_PATHS = 
"${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
                                GCC_PREPROCESSOR_DEFINITIONS = (
                                        "HAVE_CONFIG_H=1",
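Review bot: `ENABLE_HARDENED_RUNTIME = YES` and `CODE_SIGN_ENTITLEMENTS` are added next to `CODE_SIGN_IDENTITY = ""`, so as far as this hunk shows the Xcode build appears to produce an unsigned binary and neither the runtime flag nor the entitlements are actually applied to it; a VLC run from Xcode would then lack the restrictions the released, codesign.sh-signed build has, which hides missing entitlements until the packaged build is tested. If local coverage of the hardened runtime is wanted, ad-hoc signing (`CODE_SIGN_IDENTITY = "-";`) applies the runtime flag and entitlements without a certificate — worth confirming against the Xcode version the project targets. The same pairing appears in the next two hunks (the other two build configurations).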
@@ -1731,10 +1740,12 @@
                        buildSettings = {
                                ALWAYS_SEARCH_USER_PATHS = NO;
                                CLANG_ENABLE_OBJC_ARC = YES;
+                               CODE_SIGN_ENTITLEMENTS = 
"vlc-hardening.entitlements";
                                CODE_SIGN_IDENTITY = "";
                                COMBINE_HIDPI_IMAGES = YES;
                                COPY_PHASE_STRIP = YES;
                                DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+                               ENABLE_HARDENED_RUNTIME = YES;
                                FRAMEWORK_SEARCH_PATHS = 
"${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
                                GCC_PREPROCESSOR_DEFINITIONS = (
                                        "HAVE_CONFIG_H=1",
@@ -1766,10 +1777,12 @@
                        buildSettings = {
                                ALWAYS_SEARCH_USER_PATHS = NO;
                                CLANG_ENABLE_OBJC_ARC = YES;
+                               CODE_SIGN_ENTITLEMENTS = 
"vlc-hardening.entitlements";
                                CODE_SIGN_IDENTITY = "";
                                COMBINE_HIDPI_IMAGES = YES;
                                COPY_PHASE_STRIP = YES;
                                DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym";
+                               ENABLE_HARDENED_RUNTIME = YES;
                                FRAMEWORK_SEARCH_PATHS = 
"${VLC_SRC_DIR}/contrib/${VLC_BUILD_TRIPLET}/Frameworks";
                                GCC_PREPROCESSOR_DEFINITIONS = (
                                        "HAVE_CONFIG_H=1",
@@ -1955,7 +1968,7 @@
                        defaultConfigurationIsVisible = 0;
                        defaultConfigurationName = Default;
                };
-               C2F2A6EA09588F1B00018C74 /* Build configuration list for 
PBXProject "VLC" */ = {
+               C2F2A6EA09588F1B00018C74 /* Build configuration list for 
PBXProject "vlc" */ = {
                        isa = XCConfigurationList;
                        buildConfigurations = (
                                C2F2A6EB09588F1B00018C74 /* Development */,
diff --git a/extras/package/macosx/codesign.sh 
b/extras/package/macosx/codesign.sh
index 267314a05b..f6b5a3a8cc 100755
--- a/extras/package/macosx/codesign.sh
+++ b/extras/package/macosx/codesign.sh
@@ -37,11 +37,12 @@ OPTIONS:
    -h            Show this help
    -i            Identity to use
    -g            Developer ID certificate mode (validates with Gatekeeper)
+   -r            Enable runtime hardening
 EOF
 
 }
 
-while getopts "hi:g" OPTION
+while getopts "hi:gr" OPTION
 do
      case $OPTION in
          h)
@@ -54,6 +55,9 @@ do
          g)
              GK="yes"
          ;;
+         r)
+             RUNTIME="yes"
+         ;;
          *)
              usage
              exit 1
@@ -79,12 +83,17 @@ if [ -z "$VLCCACHEGEN" ]; then
 info "WARN: Cannot find vlc-cache-gen, cache will be corrupt after signing"
 fi
 
+SCRIPTDIR=$(dirname "$0")
+if [ ! -z "$RUNTIME" ]; then
+RUNTIME_FLAGS="--options runtime --entitlements 
$SCRIPTDIR/vlc-hardening.entitlements"
+fi
+
 # Call with $1 = file or folder
 sign()
 {
     # info "Signing file $1 with identifier $IDENTIFIER"
 
-    codesign --force --verbose -s "$IDENTITY" "$1"
+    codesign --force --verbose $RUNTIME_FLAGS -s "$IDENTITY" "$1"
 }
 
 
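Review bot: `$RUNTIME_FLAGS` is expanded unquoted in sign() so that its options word-split, but that also splits the embedded `$SCRIPTDIR/vlc-hardening.entitlements` path on any space in the script's directory, after which `--entitlements` receives a truncated path and codesign fails (or, worse, picks up the next token as the file); passing the path as its own quoted argument avoids that, and `[ ! -z "$RUNTIME" ]` reads better as `[ -n "$RUNTIME" ]`. There is also no check that the entitlements file exists before the first codesign call, so a missing file only surfaces as a codesign error part-way through signing the bundle. Since sign() is called for every file and folder (per the comment above it), every nested dylib and plugin is signed with the full entitlement set including `disable-library-validation`; if only the main executable needs these, applying them selectively would narrow the relaxation — I cannot see the callers from this hunk.
```shell
SCRIPTDIR=$(dirname "$0")
ENTITLEMENTS="$SCRIPTDIR/vlc-hardening.entitlements"
if [ -n "$RUNTIME" ] && [ ! -f "$ENTITLEMENTS" ]; then
    info "ERROR: Cannot find $ENTITLEMENTS"
    exit 1
fi

# Call with $1 = file or folder
sign()
{
    # info "Signing file $1 with identifier $IDENTIFIER"

    if [ -n "$RUNTIME" ]; then
        codesign --force --verbose --options runtime \
            --entitlements "$ENTITLEMENTS" -s "$IDENTITY" "$1"
    else
        codesign --force --verbose -s "$IDENTITY" "$1"
    fi
}
```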
diff --git a/extras/package/macosx/package.mak 
b/extras/package/macosx/package.mak
index a2b1bf2a66..8b42a228cd 100644
--- a/extras/package/macosx/package.mak
+++ b/extras/package/macosx/package.mak
@@ -94,6 +94,7 @@ package-macosx-release:
        cp -Rp $(top_builddir)/VLC.app $(top_builddir)/vlc-$(VERSION)-release/
        cp $(srcdir)/extras/package/macosx/dmg/* 
$(top_builddir)/vlc-$(VERSION)-release/
        cp "$(srcdir)/extras/package/macosx/codesign.sh" 
$(top_builddir)/vlc-$(VERSION)-release/
+       cp "$(srcdir)/extras/package/macosx/vlc-hardening.entitlements" 
$(top_builddir)/vlc-$(VERSION)-release/
        cp "$(pkglibexecdir)/vlc-cache-gen" 
$(top_builddir)/vlc-$(VERSION)-release/
        install_name_tool -add_rpath 
"@executable_path/VLC.app/Contents/MacOS/lib" 
$(top_builddir)/vlc-$(VERSION)-release/vlc-cache-gen
        zip -r -y -9 $(top_builddir)/vlc-$(VERSION)-release.zip 
$(top_builddir)/vlc-$(VERSION)-release
diff --git a/extras/package/macosx/vlc-hardening.entitlements 
b/extras/package/macosx/vlc-hardening.entitlements
new file mode 100644
index 0000000000..592327e2f8
--- /dev/null
+++ b/extras/package/macosx/vlc-hardening.entitlements
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" 
"http://www.apple.com/DTDs/PropertyList-1.0.dtd";>
+<plist version="1.0">
+<dict>
+       <key>com.apple.security.automation.apple-events</key>
+       <true/>
+       <key>com.apple.security.cs.allow-jit</key>
+       <true/>
+       <key>com.apple.security.cs.disable-library-validation</key>
+       <true/>
+       <key>com.apple.security.device.audio-input</key>
+       <true/>
+       <key>com.apple.security.device.camera</key>
+       <true/>
+</dict>
+</plist>
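Review bot: The entitlements carry no in-file rationale, so the reason for each grant — in particular `com.apple.security.cs.disable-library-validation`, the broadest relaxation here since it lets the runtime load any validly signed library regardless of Team ID — lives only in the commit message and will be lost to anyone auditing the plist later. Suggest an XML comment before each key mirroring the commit message, e.g. `<!-- allow-jit: Lua scripts -->`, `<!-- disable-library-validation: contribs signed with other developer IDs; unsigned libraries are still refused -->`, and similarly for audio-input (qtsound), camera (avcapture) and apple-events (iTunes/Spotify control). The `;` after the DTD URL on the DOCTYPE line looks like a mail-archive artifact rather than file content; if it really is in the file, the plist header is malformed and worth checking.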
