vlc/vlc-3.0 | branch: master | David Fuhrmann <[email protected]> | Tue Oct 23 23:21:41 2018 +0200| [cdd2cbfb339fd63bd79a0df641a5ab1d87a77577] | committer: David Fuhrmann
macOS codesign: Add option to enable runtime hardening for macOS Mojave Runtime hardening restricts what the application can do, while not being a full sandbox. For instance, only signed code is loaded by default, and certain personal data is restricted in access. The following flags / options are set for now: - Allow execution of JIT code: For Lua Scripts - Disable library validation: libaries are also loaded if they are signed by the developer certificate of another developer, not from VideoLAN (still, unsigned libs are not loaded anymore) - Audio input access: For qtsound - Camera access: For avcapture - Apple Events: To control iTunes and Spotify (cherry picked from commit 77548a174cea044f4a4a1909c3e9371df44d1e6d) Signed-off-by: David Fuhrmann <[email protected]> > http://git.videolan.org/gitweb.cgi/vlc/vlc-3.0.git/?a=commit;h=cdd2cbfb339fd63bd79a0df641a5ab1d87a77577
--- extras/package/macosx/codesign.sh | 13 +++++++++++-- extras/package/macosx/package.mak | 1 + extras/package/macosx/vlc-hardening.entitlements | 16 ++++++++++++++++ 3 files changed, 28 insertions(+), 2 deletions(-)
diff --git a/extras/package/macosx/codesign.sh b/extras/package/macosx/codesign.sh
index 412c80ceb8..36e7213157 100755
--- a/extras/package/macosx/codesign.sh
+++ b/extras/package/macosx/codesign.sh
@@ -37,11 +37,12 @@ OPTIONS:
    -h Show this help
    -i Identity to use
    -g Developer ID certificate mode (validates with Gatekeeper)
+   -r Enable runtime hardening
 EOF
 }
-while getopts "hi:g" OPTION
+while getopts "hi:gr" OPTION
 do
     case $OPTION in
         h)
@@ -54,6 +55,9 @@ do
         g)
             GK="yes"
             ;;
+        r)
+            RUNTIME="yes"
+            ;;
         *)
             usage
             exit 1
@@ -79,12 +83,17 @@ if [ -z "$VLCCACHEGEN" ]; then
     info "WARN: Cannot find vlc-cache-gen, cache will be corrupt after signing"
 fi
+SCRIPTDIR=$(dirname "$0")
+if [ ! -z "$RUNTIME" ]; then
+RUNTIME_FLAGS="--options runtime --entitlements $SCRIPTDIR/vlc-hardening.entitlements"
+fi
+
 # Call with $1 = file or folder
 sign()
 {
     # info "Signing file $1 with identifier $IDENTIFIER"
-    codesign --force --verbose -s "$IDENTITY" "$1"
+    codesign --force --verbose $RUNTIME_FLAGS -s "$IDENTITY" "$1"
 }
diff --git a/extras/package/macosx/package.mak b/extras/package/macosx/package.mak
index 35f0567beb..186637dcd2 100644
--- a/extras/package/macosx/package.mak
+++ b/extras/package/macosx/package.mak
@@ -102,6 +102,7 @@ package-macosx-release:
 	cp $(srcdir)/extras/package/macosx/dmg/* $(top_builddir)/vlc-$(VERSION)-release/
 	cp "$(srcdir)/extras/package/macosx/codesign.sh" $(top_builddir)/vlc-$(VERSION)-release/
 	cp "$(prefix)/lib/vlc/vlc-cache-gen" $(top_builddir)/vlc-$(VERSION)-release/
+	cp "$(srcdir)/extras/package/macosx/vlc-hardening.entitlements" $(top_builddir)/vlc-$(VERSION)-release/
 	install_name_tool -add_rpath "@executable_path/VLC.app/Contents/MacOS/lib" $(top_builddir)/vlc-$(VERSION)-release/vlc-cache-gen
 	zip -r -y -9 $(top_builddir)/vlc-$(VERSION)-release.zip $(top_builddir)/vlc-$(VERSION)-release
 	rm -rf "$(top_builddir)/vlc-$(VERSION)-release"
diff --git a/extras/package/macosx/vlc-hardening.entitlements b/extras/package/macosx/vlc-hardening.entitlements
new file mode 100644
index 0000000000..592327e2f8
--- /dev/null
+++ b/extras/package/macosx/vlc-hardening.entitlements
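Review bot: `$RUNTIME_FLAGS` has to stay unquoted in the new `codesign` line so the shell splits it into separate arguments, but that same word splitting also cuts the embedded `--entitlements $SCRIPTDIR/vlc-hardening.entitlements` path as soon as `$SCRIPTDIR` contains a space — and `SCRIPTDIR=$(dirname "$0")` is wherever the user extracted the release zip, so codesign then either fails or is handed a truncated path. Passing the flags directly inside `sign()`, with the path quoted, removes both the split and the "variable left empty" case, and a `[ -n ]` test reads better than `[ ! -z ]`. An explicit existence check is optional, but it gives a clearer message than codesign's when the entitlements file was not copied next to the script. Per its own comment `sign()` is also called for folders and libraries, so every plugin gets the same entitlements stamped on it; codesign accepts that, but a one-line comment saying it is intentional would help. `sign()` is shown in full in the hunk; the rest of the script is not.
```sh
SCRIPTDIR=$(dirname "$0")
ENTITLEMENTS="$SCRIPTDIR/vlc-hardening.entitlements"
if [ -n "$RUNTIME" ] && [ ! -f "$ENTITLEMENTS" ]; then
    info "Cannot find $ENTITLEMENTS, required for runtime hardening"
    exit 1
fi

# Call with $1 = file or folder
sign()
{
    if [ -n "$RUNTIME" ]; then
        codesign --force --verbose --options runtime --entitlements "$ENTITLEMENTS" -s "$IDENTITY" "$1"
    else
        codesign --force --verbose -s "$IDENTITY" "$1"
    fi
}
```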
@@ -0,0 +1,16 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.automation.apple-events</key>
+    <true/>
+    <key>com.apple.security.cs.allow-jit</key>
+    <true/>
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <true/>
+    <key>com.apple.security.device.audio-input</key>
+    <true/>
+    <key>com.apple.security.device.camera</key>
+    <true/>
+</dict>
+</plist>
_______________________________________________ vlc-commits mailing list [email protected] https://mailman.videolan.org/listinfo/vlc-commits
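Review bot: The reason for each entitlement lives only in the commit message, so a reader of this file cannot tell that `com.apple.security.cs.disable-library-validation` is there to keep plugins signed by other developers loadable, or that `allow-jit` is for the Lua script engine — and the former is the entitlement that most weakens the hardened runtime, since any library carrying a valid developer signature is then accepted into VLC's process (only unsigned code remains refused). A plist accepts XML comments, so a one-line note above each key would keep that rationale with the file, e.g. `<!-- Plugins signed by other developers must stay loadable; unsigned code is still refused -->` above disable-library-validation and `<!-- JIT: needed by the Lua script engine -->` above allow-jit. The camera, audio-input and apple-events entitlements presumably also require the matching usage-description strings in VLC's Info.plist on Mojave (NSCameraUsageDescription, NSMicrophoneUsageDescription, NSAppleEventsUsageDescription), which this commit does not touch — worth confirming they are already present.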
