[WIP] Remove unsigned executable entitlement #51294

Merged 1 commit on Jun 16, 2021

mangod9
Member

@mangod9 mangod9 commented Apr 15, 2021

We should be able to now remove this particular entitlement: allow-unsigned-executable-memory. Fixes #45677

@mangod9
Member Author

mangod9 commented Apr 15, 2021

@janvorli @mikem8361 What is the best way to validate this locally? Doesn't look like local builds are signed?

@janvorli
Member

What I usually do is to publish a self contained testing .NET app, store it in a special directory structure and sign the native binaries and include the entitlements.

Here are the steps:

  • Create a directory mytest.app (any name would do, but the extension is important, I believe)
  • Inside of that, create a dir Contents
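  • Inside of it, create dirs MacOS and Resources and also a file named Info.plist with the following contents:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>CFBundleExecutable</key>
    <string>your_app_host_name</string>
  </dict>
</plist>

  • Copy all the test app binaries into the MacOS dir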

Somewhere out of that dir structure, create a file named entitlements.plist with the content from the file in this PR.

  • Sign the native binaries of the test app like the host, libcoreclr.dylib etc. using the following pattern

codesign --deep --force --sign "Apple Development: janvorli@microsoft.com (XXXXXXXXX)" -o runtime --entitlements /your/path/to/entitlements.plist libcoreclr.dylib

The string after the --sign is your developer certificate name. If you don't have a developer certificate yet, you'll need to create one. I am not sure about the steps I've used to create ones, but I think the following document describes them: https://ioscodesigning.com/generating-code-signing-files/

After that, just execute the host executable from the MacOS dir

@mangod9
Member Author

mangod9 commented May 21, 2021

Closing for now, will reopen when ready to merge.

@mangod9 mangod9 closed this May 21, 2021
@mangod9
Member Author

mangod9 commented Jun 15, 2021

I have tested that the changed entitlements do seem to work:

% codesign -d --entitlements :- MacOS/Test
2021-06-14 23:51:05.581 codesign[27750:76939611] There was an error parsing the Info.plist for the bundle at URL <0x157e0e960>: NSCocoaErrorDomain - 3840
Executable=/Users/manishg/temp/mytest.app/Contents/MacOS/Test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
  <dict>
    <key>com.apple.security.cs.allow-jit</key>
      <true/>
    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
      <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
      <true/>
    <key>com.apple.security.cs.debugger</key>
      <true/>
    <key>com.apple.security.get-task-allow</key>
      <true/>
  </dict>
</plist>

I do see an error but the app does seem to function without the allow-unsigned-executable-memory entitlement.
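
Added example (not part of the PR or of dotnet/runtime): a Python check that parses `codesign -d --entitlements :-` output like the one quoted above and reports if allow-unsigned-executable-memory is still granted or if allow-jit, which the hardened runtime requires for MAP_JIT mappings, is missing. The function names and the embedded sample output are constructed for illustration.

```python
import plistlib

# Entitlement this PR drops from the signed hosts.
REMOVED = "com.apple.security.cs.allow-unsigned-executable-memory"
# Hardened-runtime entitlement that permits MAP_JIT mappings.
REQUIRED = "com.apple.security.cs.allow-jit"


def parse_entitlements(codesign_output):
    """Return the entitlements dict found in `codesign -d --entitlements :-` output.

    Diagnostic lines around the plist (warnings, Executable=...) are skipped.
    """
    start = codesign_output.find("<plist")
    end = codesign_output.rfind("</plist>")
    if start < 0 or end < 0:
        return {}  # the binary carries no entitlements
    return plistlib.loads(codesign_output[start:end + len("</plist>")].encode())


def audit(entitlements):
    """Return a list of findings; an empty list means the binary passes."""
    findings = []
    if entitlements.get(REMOVED) is True:
        findings.append("still grants " + REMOVED)
    if entitlements.get(REQUIRED) is not True:
        findings.append("missing " + REQUIRED)
    return findings


def _sample(keys):
    # Constructed sample shaped like the codesign output quoted in the thread.
    body = "".join("<key>%s</key><true/>" % k for k in keys)
    return ("codesign[1:2] There was an error parsing the Info.plist\n"
            "Executable=/tmp/mytest.app/Contents/MacOS/Test\n"
            '<?xml version="1.0" encoding="UTF-8"?>\n'
            '<plist version="1.0"><dict>%s</dict></plist>\n' % body)


AFTER = _sample([REQUIRED, "com.apple.security.get-task-allow"])
BEFORE = _sample([REQUIRED, REMOVED])

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit(parse_entitlements(text)) or "ok")
```

On a real binary, `codesign` writes its diagnostics to stderr, so capture both streams (or only stdout) before passing the text to `parse_entitlements`.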

@mangod9 mangod9 reopened this Jun 15, 2021
@mangod9 mangod9 requested a review from janvorli June 15, 2021 06:54
Member

@janvorli janvorli left a comment

LGTM, thank you for testing it!

@mangod9 mangod9 merged commit 094931c into dotnet:main Jun 16, 2021
@mangod9 mangod9 deleted the entitle branch June 16, 2021 04:08
@akoeplinger
Member

@mangod9
Member Author

mangod9 commented Jun 16, 2021

Ah, good catch @akoeplinger. cc @jcagme @mikem8361 since they added the two files. I can update the other one too.

@mikem8361
Member

Yes, this entitlements.plist is used to entitle the hosts with the com.apple.security.get-task-allow which is needed for createdump to work and for debugging. It was created by in 5.0 and I assumed it was in the same directory as all the other .plist files.

So who wants to remove the com.apple.security.cs.allow-unsigned-executable-memory entitlement?

@mangod9
Member Author

mangod9 commented Jun 16, 2021

Customer had asked about com.apple.security.cs.allow-unsigned-executable-memory and shouldn't be required for runtime. Is it still required for createdump and/or diagnostics? If so we would need to separate out the files.

@mikem8361
Member

I don't think that createdump/debugging and the hosts need this entitlement. They still need to be separate files because they add the debugging specific entitlements.

@akoeplinger
Member

I'm not sure if we can just change the file in the dotnet-release repo, it might be used for 5.0 releases as well?

It'd be great if the entitlements.plist in dotnet/runtime was actually used as the source of truth.

@janvorli
Member

janvorli commented Jun 16, 2021

@akoeplinger even .NET 5 and .NET Core 3.1 stuff didn't need that entitlement. It was added kind of by accident.

@janvorli
Member

(We use MAP_JIT for all executable memory mappings since 3.1)

@mangod9
Member Author

mangod9 commented Jun 16, 2021

I will check with @jcagme to ensure we don't revert it in 5/3.1, since that would need to go through approvals.

@ghost ghost locked as resolved and limited conversation to collaborators Jul 16, 2021
Successfully merging this pull request may close these issues.

Check if we really need com.apple.security.cs.allow-unsigned-executable-memory on macOS