Commit c46f3c86 authored by boklm's avatar boklm Committed by Richard Pospesel
Browse files

Bug 29815: Update macos signing entitlements files 

Taken from Firefox tree in security/mac/hardenedruntime/production.entitlements.xml
in esr115 branch.
parent d9e3782e

tools/signing/alpha.entitlements.xml

+3 −27
Original line number Diff line number Diff line 
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<!--

     Entitlements to apply to the .app bundle and all executable files

     contained within it during codesigning of production channel builds that

     will be notarized. These entitlements enable hardened runtime protections

     to the extent possible for Firefox. Some supporting binaries within the

     bundle could use more restrictive entitlements, but they are launched by

     the main Firefox process and therefore inherit the parent process

     entitlements.

     Entitlements to apply during codesigning of production builds.

-->

<plist version="1.0">

  <dict>

    <!-- Firefox does not use MAP_JIT for executable mappings -->

    <key>com.apple.security.cs.allow-jit</key><false/>



    <!-- Firefox needs to create executable pages (without MAP_JIT) -->

    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>



    <!-- Code paged in from disk should match the signature at page in-time -->

    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>



    <!-- Allow dyld environment variables. Needed because Firefox uses

         dyld variables to load libaries from within the .app bundle. -->

    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>



    <!-- Don't allow debugging of the executable. Debuggers will be prevented

         from attaching to running executables. Notarization does not permit

         access to get-task-allow (as documented by Apple) so this must be

         disabled on notarized builds. -->

    <key>com.apple.security.get-task-allow</key><false/>

    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->

    <key>com.apple.security.cs.disable-library-validation</key><true/>



    <!-- Firefox needs to access the microphone on sites the user allows -->

    <key>com.apple.security.device.audio-input</key><true/>
@@ -39,11 +20,6 @@ 
    <!-- Firefox needs to access the location on sites the user allows -->

    <key>com.apple.security.personal-information.location</key><true/>



    <!-- Allow Firefox to send Apple events to other applications. Needed

         for native messaging webextension helper applications launched by

         Firefox which rely on Apple Events to signal other processes. -->

    <key>com.apple.security.automation.apple-events</key><true/>



    <!-- For SmartCardServices(7) -->

    <key>com.apple.security.smartcard</key><true/>

  </dict>

tools/signing/release.entitlements.xml

+3 −27
Original line number Diff line number Diff line 
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<!--

     Entitlements to apply to the .app bundle and all executable files

     contained within it during codesigning of production channel builds that

     will be notarized. These entitlements enable hardened runtime protections

     to the extent possible for Firefox. Some supporting binaries within the

     bundle could use more restrictive entitlements, but they are launched by

     the main Firefox process and therefore inherit the parent process

     entitlements.

     Entitlements to apply during codesigning of production builds.

-->

<plist version="1.0">

  <dict>

    <!-- Firefox does not use MAP_JIT for executable mappings -->

    <key>com.apple.security.cs.allow-jit</key><false/>



    <!-- Firefox needs to create executable pages (without MAP_JIT) -->

    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>



    <!-- Code paged in from disk should match the signature at page in-time -->

    <key>com.apple.security.cs.disable-executable-page-protection</key><false/>



    <!-- Allow dyld environment variables. Needed because Firefox uses

         dyld variables to load libaries from within the .app bundle. -->

    <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>



    <!-- Don't allow debugging of the executable. Debuggers will be prevented

         from attaching to running executables. Notarization does not permit

         access to get-task-allow (as documented by Apple) so this must be

         disabled on notarized builds. -->

    <key>com.apple.security.get-task-allow</key><false/>

    <!-- Allow loading third party libraries. Needed for Flash and CDMs -->

    <key>com.apple.security.cs.disable-library-validation</key><true/>



    <!-- Firefox needs to access the microphone on sites the user allows -->

    <key>com.apple.security.device.audio-input</key><true/>
@@ -39,11 +20,6 @@ 
    <!-- Firefox needs to access the location on sites the user allows -->

    <key>com.apple.security.personal-information.location</key><true/>



    <!-- Allow Firefox to send Apple events to other applications. Needed

         for native messaging webextension helper applications launched by

         Firefox which rely on Apple Events to signal other processes. -->

    <key>com.apple.security.automation.apple-events</key><true/>



    <!-- For SmartCardServices(7) -->

    <key>com.apple.security.smartcard</key><true/>

  </dict>