Changeset 101279 in vbox for trunk

Timestamp:

Sep 27, 2023 7:22:13 AM (19 months ago)

Author:

vboxsync

svn:sync-xref-src-repo-rev:

159262

Message:

Installer/darwin: Use the automatically generated entitlements files to have it in one place and split the entitlements into a VM process and main bundle entitlements file

Location:

trunk

Files:

• Config.kmk (modified) (6 diffs)
• src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlements.plist (deleted)
• src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlementsVM.plist (deleted)
• src/VBox/Installer/darwin/Makefile.kmk (modified) (2 diffs)

trunk/Config.kmk

@@ -1700 +1700 @@
 ifeq ($(KBUILD_TARGET),darwin)
  #
+ # Common entitlements for the main and VM process bundle.
+ #
+ # The following two are required in the main bundle even though they apply only to the VM
+ # process. The issue is that TCC is looking up the primary bundle for these entitlements
+ # and crashes the VM process if the entitlements are not here even though they are used
+ # in the VM process only. This is not documented anywhere by Apple.
+ # From Console.app when these are missing:
+ #   tccd: [com.apple.TCC:access] Prompting policy for hardened runtime; service:
+ #       kTCCServiceMicrophone requires entitlement com.apple.security.device.audio-input but it is missing for
+ #           RESP:{
+ #               ID: org.virtualbox.app.VirtualBox,
+ #               PID[17253],
+ #               auid: 501,
+ #               euid: 501,
+ #               responsible path: '/Applications/VirtualBox.app/Contents/MacOS/VirtualBox',
+ #               binary path: '/Applications/VirtualBox.app/Contents/MacOS/VirtualBox'
+ #           },
+ #           REQ:{
+ #               ID: org.virtualbox.app.VirtualBoxVM,
+ #               PID[17331],
+ #               auid: 501,
+ #               euid: 501,
+ #               binary path: '/Applications/VirtualBox.app/Contents/Resources/VirtualBoxVM.app/Contents/MacOS/VirtualBoxVM'
+ #           }
+ VBOX_DARWIN_ENTITLEMENTS_LIST_COMMON := \
+        com.apple.security.device.audio-input \
+        com.apple.security.device.camera
+
+ #
  # The first two entitlements are required to get everything working
- # on Catalina which we want to keep supported for now.
+ # on Catalina which we want to keep supported for now:
+ #
+ #     The first entitlement allows us to have unsigned executable memory in the guests
+ #     address space like the BIOS code (and essentially all the guests address space which
+ #     is mapped as RWX).
+ #     The second entitlement is required in order to map guest memory as RWX into the
+ #     guests address space.
+ #     These entitlements are not required starting with BigSur+ where Apple has clearly
+ #     changed something in their entitlement scheme without properly documenting it.
  #
  # allow-jit   - for the recompiler in order to be able to generate and execute native code.
@@ -1707 +1744 @@
  # camera      - accessing the webcam from a guest.
  # usb         - USB passthrough.
+ # hypervisor  - Hypervisor entitlement in order to be able to use Hypervisor.framework
  #
- VBOX_DARWIN_ENTITLEMENTS_LIST := \
+ VBOX_DARWIN_ENTITLEMENTS_LIST_VM := \
+        $(VBOX_DARWIN_ENTITLEMENTS_LIST_COMMON) \
         com.apple.security.cs.allow-unsigned-executable-memory \
         com.apple.security.cs.disable-executable-page-protection \
         com.apple.security.cs.allow-jit \
-        com.apple.security.device.audio-input \
-        com.apple.security.device.camera \
-        com.apple.security.device.usb
+        com.apple.security.device.usb \
+        com.apple.security.hypervisor
 
  #
- # The hypervisor entitlement is required in adhoc signing mode
- # to get access to the Hypervisor framework. For release signing
- # the entitlement is included in our developer certificate.
- #
- # The device-access and networking entitlemnents are reserved for
+ # The device-access and networking entitlements are reserved for
  # only specific vendors and are only available in release mode signing
  # (binaries signed with these entitlements in adhoc mode will just crash
  # with a code signing error).
  #
- ifeq ($(VBOX_SIGNING_MODE),adhoc)
-  VBOX_DARWIN_ENTITLEMENTS_LIST += \
-        com.apple.security.hypervisor
- else
-  VBOX_DARWIN_ENTITLEMENTS_LIST += \
+ ifeq ($(VBOX_SIGNING_MODE),release)
+  VBOX_DARWIN_ENTITLEMENTS_LIST_VM += \
         com.apple.vm.device-access \
         com.apple.vm.networking
@@ -1736 +1767 @@
 
  # Where the dynamic generated entitlements can be found.
- VBOX_DARWIN_ENTITLEMENTS_FILE := $(PATH_OUT)/Entitlements.plist
+ VBOX_DARWIN_ENTITLEMENTS_FILE    := $(PATH_OUT)/Entitlements.plist
+ VBOX_DARWIN_ENTITLEMENTS_FILE_VM := $(PATH_OUT)/EntitlementsVM.plist
 endif
 
@@ -4453 +4485 @@
         $(if-expr defined(VBOX_TSA_URL),--timestamp="$(VBOX_TSA_URL)") \
         $(VBOX_CERTIFICATE_SUBJECT_NAME_ARGS) \
-        --entitlements="$(VBOX_DARWIN_ENTITLEMENTS_FILE)" \
+        --entitlements="$(VBOX_DARWIN_ENTITLEMENTS_FILE_VM)" \
         "$(1)" \
         $(if $(2),--identifier "$(2)",)
@@ -9086 +9118 @@
         $(QUIET)$(APPEND) [email protected] '</plist>'
         $(QUIET)$(MV) -f [email protected] $@
+
+ $(VBOX_DARWIN_ENTITLEMENTS_FILE_VM):
+        $(call MSG_GENERATE,,$@)
+        $(QUIET)$(MKDIR) -p $(@D)
+        $(QUIET)$(RM) -f $@ [email protected]
+        $(QUIET)$(APPEND) [email protected] '<?xml version="1.0" encoding="UTF-8"?>'
+        $(QUIET)$(APPEND) [email protected] '<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">'
+        $(QUIET)$(APPEND) [email protected] '<plist version="1.0">'
+        $(QUIET)$(APPEND) [email protected] '<dict>'
+        $(QUIET)$(APPEND) -n [email protected] $(foreach entitlement,$(VBOX_DARWIN_ENTITLEMENTS_LIST_VM), '        <key>$(entitlement)</key><true/>')
+        $(QUIET)$(APPEND) [email protected] '</dict>'
+        $(QUIET)$(APPEND) [email protected] '</plist>'
+        $(QUIET)$(MV) -f [email protected] $@
 endif
 
@@ -9094 +9139 @@
  Makefile.kmk: | $(VBOX_VERSION_HEADER) $(VBOX_VERSION_MK) $(VBOX_PRODUCT_HEADER) $(VBOX_PACKAGE_HEADER)
  ifeq ($(KBUILD_TARGET),darwin)
-  Makefile.kmk: | $(VBOX_DARWIN_ENTITLEMENTS_FILE)
+  Makefile.kmk: | $(VBOX_DARWIN_ENTITLEMENTS_FILE) $(VBOX_DARWIN_ENTITLEMENTS_FILE_VM)
  endif
 endif

trunk/src/VBox/Installer/darwin/Makefile.kmk

@@ -614 +614 @@
 endif
 
-VBOX_VIRTUALBOX_APP_ENTITLEMENTS := $(PATH_ROOT)/src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlements.plist
-VBOX_VIRTUALBOXVM_APP_ENTITLEMENTS := $(PATH_ROOT)/src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlementsVM.plist
+VBOX_VIRTUALBOX_APP_ENTITLEMENTS := $(VBOX_DARWIN_ENTITLEMENTS_FILE)
+VBOX_VIRTUALBOXVM_APP_ENTITLEMENTS := $(VBOX_DARWIN_ENTITLEMENTS_FILE)
 
 ##
@@ -634 +634 @@
  ifdef VBOX_VIRTUALBOX_APP_ID
   VBOX_VIRTUALBOX_APP_ENTITLEMENTS := $(VBOX_PATH_PACK_TMP)/SUPR3HardenedEntitlements.plist
-  $(evalcall2 def_vbox_entitlement_add_app_and_team_id,$(PATH_ROOT)/src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlements.plist,$(VBOX_VIRTUALBOX_APP_ENTITLEMENTS),$(VBOX_VIRTUALBOX_APP_ID),$(VBOX_PROVISIONPROFILE_TEAM_ID))
+  $(evalcall2 def_vbox_entitlement_add_app_and_team_id,$(VBOX_DARWIN_ENTITLEMENTS_FILE),$(VBOX_VIRTUALBOX_APP_ENTITLEMENTS),$(VBOX_VIRTUALBOX_APP_ID),$(VBOX_PROVISIONPROFILE_TEAM_ID))
  endif
 
  ifdef VBOX_VIRTUALBOXVM_APP_ID
   VBOX_VIRTUALBOXVM_APP_ENTITLEMENTS := $(VBOX_PATH_PACK_TMP)/SUPR3HardenedEntitlementsVM.plist
-  $(evalcall2 def_vbox_entitlement_add_app_and_team_id,$(PATH_ROOT)/src/VBox/HostDrivers/Support/darwin/SUPR3HardenedEntitlementsVM.plist,$(VBOX_VIRTUALBOXVM_APP_ENTITLEMENTS),$(VBOX_VIRTUALBOXVM_APP_ID),$(VBOX_PROVISIONPROFILE_TEAM_ID))
+  $(evalcall2 def_vbox_entitlement_add_app_and_team_id,$(VBOX_DARWIN_ENTITLEMENTS_FILE),$(VBOX_VIRTUALBOXVM_APP_ENTITLEMENTS),$(VBOX_VIRTUALBOXVM_APP_ID),$(VBOX_PROVISIONPROFILE_TEAM_ID))
  endif
 endif