generate_dump, exception_port_tool: set SecTaskAccess allowed.
This adds an Info.plist to these two tools that use task_for_pid(). Since they’re flat unbundled executables, the Info.plist must be placed as a __TEXT,__info_plist section. By setting SecTaskAccess to allowed and signing these tools with a certificate trusted by the system, they will be allowed to use task_for_pid() without requiring the invoking user to be root. This provides an alternative to installing these tools as setuid root. R=rsesek@chromium.org Review URL: https://codereview.chromium.org/822533002
parent
f4ec7ba590
commit
3ee6566051
@ -40,10 +40,11 @@ it will be generated from a live running process, not as a result of an
|
|||||||
exception occurring.
|
exception occurring.
|
||||||
|
|
||||||
This program uses +task_for_pid()+ to access the process’ task port. This
|
This program uses +task_for_pid()+ to access the process’ task port. This
|
||||||
operation may be restricted to use by the superuser or processes permitted by
|
operation may be restricted to use by the superuser, executables signed by an
|
||||||
taskgated(8). Consequently, this program must normally be invoked by root. It is
|
authority trusted by the system, and processes otherwise permitted by
|
||||||
possible to install this program as a setuid root executable to overcome this
|
taskgated(8). Consequently, this program must normally either be signed or be
|
||||||
limitation.
|
invoked by root. It is possible to install this program as a setuid root
|
||||||
|
executable to overcome this limitation.
|
||||||
|
|
||||||
This program is similar to the gcore(1) program available on some operating
|
This program is similar to the gcore(1) program available on some operating
|
||||||
systems.
|
systems.
|
||||||
|
@ -92,10 +92,11 @@ with process id 'PID' instead of the current task associated with the tool. When
|
|||||||
this option is supplied, 'COMMAND' must not be specified.
|
this option is supplied, 'COMMAND' must not be specified.
|
||||||
+
|
+
|
||||||
This option uses +task_for_pid()+ to access the process’ task port. This
|
This option uses +task_for_pid()+ to access the process’ task port. This
|
||||||
operation may be restricted to use by the superuser or processes permitted by
|
operation may be restricted to use by the superuser, executables signed by an
|
||||||
taskgated(8). Consequently, this program must normally be invoked by root to use
|
authority trusted by the system, and processes otherwise permitted by
|
||||||
this option. It is possible to install this program as a setuid root executable
|
taskgated(8). Consequently, this program must normally either be signed or be
|
||||||
to overcome this limitation.
|
invoked by root to use this option. It is possible to install this program as a
|
||||||
|
setuid root executable to overcome this limitation.
|
||||||
|
|
||||||
*-h*, *--show-host*::
|
*-h*, *--show-host*::
|
||||||
Shows the original host exception ports before making any changes requested by
|
Shows the original host exception ports before making any changes requested by
|
||||||
|
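--- a/tools/mac/sectaskaccess_info.plist
+++ b/tools/mac/sectaskaccess_info.plist
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+<key>CFBundleInfoDictionaryVersion</key>
+<string>6.0</string>
+<key>SecTaskAccess</key>
+<array>
+<string>allowed</string>
+</array>
+</dict>
+</plist>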
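Review bot: The new plist has no comment saying what `SecTaskAccess` set to `allowed` grants, so anyone who later signs these tools has to find the rationale in the build file. Per the commit description, a build signed by a system-trusted certificate may call task_for_pid() without the invoking user being root, which makes the signed binary itself the privileged artifact. I would add, after the DOCTYPE line, `<!-- SecTaskAccess=allowed: once signed by a system-trusted authority, this tool may call task_for_pid() without root; treat signed builds as privileged and restrict who can run them. -->`. Whether taskgated(8) applies further per-user checks is not visible on this page and should be confirmed before relying on it.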
@ -15,6 +15,33 @@
|
|||||||
{
|
{
|
||||||
'conditions': [
|
'conditions': [
|
||||||
['OS=="mac"', {
|
['OS=="mac"', {
|
||||||
|
'variables': {
|
||||||
|
# Programs that use task_for_pid() can indicate to taskgated(8) in their
|
||||||
|
# Info.plist that they are allowed to call that function. In order for
|
||||||
|
# this to work, the programs in question must be signed by an authority
|
||||||
|
# trusted by the system. Signing is beyond the scope of the build, but
|
||||||
|
# the key to make this work is placed in Info.plist to enable the
|
||||||
|
# desired behavior once the tools that require this access are signed.
|
||||||
|
#
|
||||||
|
# The tools built here are flat-file executables, and are not bundled.
|
||||||
|
# To have an Info.plist, they must have a special __TEXT,__info_plist
|
||||||
|
# section. This section is created at link time.
|
||||||
|
#
|
||||||
|
# The Info.plist for this purpose is mac/sectaskaccess_info.plist and is
|
||||||
|
# referenced by OTHER_LDFLAGS. ninja runs the link step from the output
|
||||||
|
# directory such as out/Release, and requires a relative path from that
|
||||||
|
# directory. Xcode runs the link step from the directory of the
|
||||||
|
# .xcodeproj, which is the directory of the .gyp file.
|
||||||
|
'conditions': [
|
||||||
|
['GENERATOR=="ninja"', {
|
||||||
|
'sectaskaccess_info_plist':
|
||||||
|
'../../tools/mac/sectaskaccess_info.plist',
|
||||||
|
}, { # else: GENERATOR!="ninja"
|
||||||
|
'sectaskaccess_info_plist': 'mac/sectaskaccess_info.plist',
|
||||||
|
}],
|
||||||
|
],
|
||||||
|
},
|
||||||
|
|
||||||
'targets': [
|
'targets': [
|
||||||
{
|
{
|
||||||
'target_name': 'tool_support',
|
'target_name': 'tool_support',
|
||||||
@ -61,6 +88,14 @@
|
|||||||
'sources': [
|
'sources': [
|
||||||
'mac/exception_port_tool.cc',
|
'mac/exception_port_tool.cc',
|
||||||
],
|
],
|
||||||
|
'xcode_settings': {
|
||||||
|
'OTHER_LDFLAGS': [
|
||||||
|
'-sectcreate',
|
||||||
|
'__TEXT',
|
||||||
|
'__info_plist',
|
||||||
|
'<(sectaskaccess_info_plist)'
|
||||||
|
],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
'target_name': 'generate_dump',
|
'target_name': 'generate_dump',
|
||||||
@ -79,6 +114,14 @@
|
|||||||
'sources': [
|
'sources': [
|
||||||
'generate_dump.cc',
|
'generate_dump.cc',
|
||||||
],
|
],
|
||||||
|
'xcode_settings': {
|
||||||
|
'OTHER_LDFLAGS': [
|
||||||
|
'-sectcreate',
|
||||||
|
'__TEXT',
|
||||||
|
'__info_plist',
|
||||||
|
'<(sectaskaccess_info_plist)'
|
||||||
|
],
|
||||||
|
},
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
'target_name': 'on_demand_service_tool',
|
'target_name': 'on_demand_service_tool',
|
||||||
|
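Review bot: The ninja branch of `sectaskaccess_info_plist` hard-codes `'../../tools/mac/sectaskaccess_info.plist'`, which resolves only when the output directory sits exactly two levels below the source root, as in the `out/Release` example in the comment. I would state that assumption next to the value, e.g. `# Assumes the ninja output directory is two levels below the source root (e.g. out/Release).`. It is also worth confirming that the link fails outright on a missing file rather than producing a tool without the `__info_plist` section, since such a binary would presumably fall back to needing root or setuid. The same four-element `OTHER_LDFLAGS` list is repeated verbatim in the target that builds `mac/exception_port_tool.cc` and in `generate_dump`. Both target dictionaries begin outside their hunks, so I cannot tell whether a shared settings block could hold it once.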