generate_dump, exception_port_tool: set SecTaskAccess allowed.

This adds an Info.plist to these two tools that use task_for_pid(). Since they’re flat unbundled executables, the Info.plist must be placed as a __TEXT,__info_plist section. By setting SecTaskAccess to allowed and signing these tools with a certificate trusted by the system, they will be allowed to use task_for_pid() without requiring the invoking user to be root. This provides an alternative to installing these tools as setuid root. R=rsesek@chromium.org Review URL: https://codereview.chromium.org/822533002
2024-12-26 23:01:05 +08:00 · 2014-12-30 14:27:58 -05:00 · 2014-12-30 14:27:58 -05:00 · 3ee6566051
commit 3ee6566051
parent f4ec7ba590
4 changed files with 65 additions and 8 deletions
--- a/tools/generate_dump.ad
+++ b/tools/generate_dump.ad
@ -40,10 +40,11 @@ it will be generated from a live running process, not as a result of an
 exception occurring.

 This program uses +task_for_pid()+ to access the process’ task port. This
-operation may be restricted to use by the superuser or processes permitted by
-taskgated(8). Consequently, this program must normally be invoked by root. It is
-possible to install this program as a setuid root executable to overcome this
-limitation.
+operation may be restricted to use by the superuser, executables signed by an
+authority trusted by the system, and processes otherwise permitted by
+taskgated(8). Consequently, this program must normally either be signed or be
+invoked by root. It is possible to install this program as a setuid root
+executable to overcome this limitation.

 This program is similar to the gcore(1) program available on some operating
 systems.
--- a/tools/mac/exception_port_tool.ad
+++ b/tools/mac/exception_port_tool.ad
@ -92,10 +92,11 @@ with process id 'PID' instead of the current task associated with the tool. When
 this option is supplied, 'COMMAND' must not be specified.
 +
 This option uses +task_for_pid()+ to access the process’ task port. This
-operation may be restricted to use by the superuser or processes permitted by
-taskgated(8). Consequently, this program must normally be invoked by root to use
-this option. It is possible to install this program as a setuid root executable
-to overcome this limitation.
+operation may be restricted to use by the superuser, executables signed by an
+authority trusted by the system, and processes otherwise permitted by
+taskgated(8). Consequently, this program must normally either be signed or be
+invoked by root to use this option. It is possible to install this program as a
+setuid root executable to overcome this limitation.

 *-h*, *--show-host*::
 Shows the original host exception ports before making any changes requested by
--- a/tools/mac/sectaskaccess_info.plist
+++ b/tools/mac/sectaskaccess_info.plist
@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>CFBundleInfoDictionaryVersion</key>
+	<string>6.0</string>
+	<key>SecTaskAccess</key>
+	<array>
+		<string>allowed</string>
+	</array>
+</dict>
+</plist>
--- a/tools/tools.gyp
+++ b/tools/tools.gyp
@ -15,6 +15,33 @@
 {
  'conditions': [
    ['OS=="mac"', {
+      'variables': {
+        # Programs that use task_for_pid() can indicate to taskgated(8) in their
+        # Info.plist that they are allowed to call that function. In order for
+        # this to work, the programs in question must be signed by an authority
+        # trusted by the system. Signing is beyond the scope of the build, but
+        # the key to make this work is placed in Info.plist to enable the
+        # desired behavior once the tools that require this access are signed.
+        #
+        # The tools built here are flat-file executables, and are not bundled.
+        # To have an Info.plist, they must have a special __TEXT,__info_plist
+        # section. This section is created at link time.
+        #
+        # The Info.plist for this purpose is mac/sectaskaccess_info.plist and is
+        # referenced by OTHER_LDFLAGS. ninja runs the link step from the output
+        # directory such as out/Release, and requires a relative path from that
+        # directory. Xcode runs the link step from the directory of the
+        # .xcodeproj, which is the directory of the .gyp file.
+        'conditions': [
+          ['GENERATOR=="ninja"', {
+            'sectaskaccess_info_plist':
+                '../../tools/mac/sectaskaccess_info.plist',
+          }, {  # else: GENERATOR!="ninja"
+            'sectaskaccess_info_plist': 'mac/sectaskaccess_info.plist',
+          }],
+        ],
+      },
+
      'targets': [
        {
          'target_name': 'tool_support',
@ -61,6 +88,14 @@
          'sources': [
            'mac/exception_port_tool.cc',
          ],
+          'xcode_settings': {
+            'OTHER_LDFLAGS': [
+              '-sectcreate',
+              '__TEXT',
+              '__info_plist',
+              '<(sectaskaccess_info_plist)'
+            ],
+          },
        },
        {
          'target_name': 'generate_dump',
@ -79,6 +114,14 @@
          'sources': [
            'generate_dump.cc',
          ],
+          'xcode_settings': {
+            'OTHER_LDFLAGS': [
+              '-sectcreate',
+              '__TEXT',
+              '__info_plist',
+              '<(sectaskaccess_info_plist)'
+            ],
+          },
        },
        {
          'target_name': 'on_demand_service_tool',