Give the new Mac helper variants the entitlements they require.

- The Renderer helper gets com.apple.security.cs.allow-jit, which is
  used with MAP_JIT when allocating pages for V8.
- The Plugin helper gets com.apple.security.cs.disable-library-validation,
  allowing it to load non-Team ID-signed libraries (e.g. Flash), and
  com.apple.security.cs.allow-unsigned-executable-memory required to
  run Flash content and NaCl modules.

Bug: 850193
Change-Id: Iefaac47d85683b7a5e155b169cd4eb5d5f94bd16
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1664834
Reviewed-by: Mark Mentovai <mark@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#670230}

chrome/app/helper-plugin-entitlements.plist

@@ -0,0 +1,10 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+	<true/>
+	<key>com.apple.security.cs.disable-library-validation</key>
+	<true/>
+</dict>
+</plist>

chrome/app/helper-renderer-entitlements.plist

@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.allow-jit</key>
+	<true/>
+</dict>
+</plist>

chrome/installer/mac/BUILD.gn

@@ -81,6 +81,8 @@ copy("copies") {
     "$root_out_dir/liblzma_decompress.dylib",
     "$root_out_dir/xz",
     "$root_out_dir/xzdec",
+    "//chrome/app/helper-plugin-entitlements.plist",
+    "//chrome/app/helper-renderer-entitlements.plist",
     "app_resource_rules.plist",
     "dirdiffer.sh",
     "dirpatcher.sh",

chrome/installer/mac/signing/modification.py

@@ -161,9 +161,11 @@ def _process_entitlements(paths, dist, config):
         if dist.channel_customize:
             with commands.PlistContext(
                     entitlements_file, rewrite=True) as entitlements:
-                app_id = entitlements[_ENT_APP_ID]
-                entitlements[_ENT_APP_ID] = app_id.replace(
-                    config.base_config.base_bundle_id, config.base_bundle_id)
+                if _ENT_APP_ID in entitlements:
+                    app_id = entitlements[_ENT_APP_ID]
+                    entitlements[_ENT_APP_ID] = app_id.replace(
+                        config.base_config.base_bundle_id,
+                        config.base_bundle_id)
 
 
 def customize_distribution(paths, dist, config):

chrome/installer/mac/signing/modification_test.py

@@ -26,6 +26,8 @@ def plist_read(*args):
         '$W/app-entitlements.plist': {
             'com.apple.application-identifier': bundle_id
         },
+        '$W/helper-renderer-entitlements.plist': {},
+        '$W/helper-plugin-entitlements.plist': {},
         '$W/App Product Canary.app/Contents/Resources/test.signing.bundle_id.canary.manifest/Contents/Resources/test.signing.bundle_id.canary.manifest':
             {
                 'pfm_domain': bundle_id
@@ -64,9 +66,15 @@ def test_base_distribution(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         self.assertEqual(0, kwargs['move_file'].call_count)
         self.assertEqual(0, kwargs['write_file'].call_count)
 
@@ -86,9 +94,15 @@ def test_distribution_with_brand(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         self.assertEqual(0, kwargs['move_file'].call_count)
 
     def test_distribution_with_channel(self, plistlib, **kwargs):
@@ -108,9 +122,15 @@ def test_distribution_with_channel(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         self.assertEqual(0, kwargs['move_file'].call_count)
         self.assertEqual(0, kwargs['write_file'].call_count)
 
@@ -130,9 +150,15 @@ def test_distribution_with_product_dirname(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         self.assertEqual(0, kwargs['move_file'].call_count)
         self.assertEqual(0, kwargs['write_file'].call_count)
 
@@ -152,9 +178,15 @@ def test_distribution_with_creator_code(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         kwargs['write_file'].assert_called_once_with(
             '$W/App Product.app/Contents/PkgInfo', 'APPLMooo')
         self.assertEqual(0, kwargs['move_file'].call_count)
@@ -177,9 +209,15 @@ def test_distribution_with_brand_and_channel(self, plistlib, **kwargs):
             '$W/App Product.app/Contents/Info.plist',
         )
 
-        kwargs['copy_files'].assert_called_once_with(
-            '$I/Product Packaging/app-entitlements.plist',
-            '$W/app-entitlements.plist')
+        self.assertEqual(3, kwargs['copy_files'].call_count)
+        kwargs['copy_files'].assert_has_calls([
+            mock.call('$I/Product Packaging/app-entitlements.plist',
+                      '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist')
+        ])
         self.assertEqual(0, kwargs['move_file'].call_count)
         self.assertEqual(0, kwargs['write_file'].call_count)
 
@@ -210,10 +248,14 @@ def test_customize_channel(self, plistlib, **kwargs):
             ),
         ])
 
-        self.assertEqual(3, kwargs['copy_files'].call_count)
+        self.assertEqual(5, kwargs['copy_files'].call_count)
         kwargs['copy_files'].assert_has_calls([
             mock.call('$I/Product Packaging/app-entitlements.plist',
                       '$W/app-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-renderer-entitlements.plist',
+                      '$W/helper-renderer-entitlements.plist'),
+            mock.call('$I/Product Packaging/helper-plugin-entitlements.plist',
+                      '$W/helper-plugin-entitlements.plist'),
             mock.call('$I/Product Packaging/app_canary.icns',
                       '$W/App Product Canary.app/Contents/Resources/app.icns'),
             mock.call(
@@ -223,7 +265,7 @@ def test_customize_channel(self, plistlib, **kwargs):
         kwargs['write_file'].assert_called_once_with(
             '$W/App Product Canary.app/Contents/PkgInfo', 'APPLMooo')
 
-        self.assertEqual(4, plistlib.writePlist.call_count)
+        self.assertEqual(6, plistlib.writePlist.call_count)
         plistlib.writePlist.assert_has_calls([
             mock.call({
                 'CFBundleIdentifier':
@@ -243,6 +285,8 @@ def test_customize_channel(self, plistlib, **kwargs):
                 'com.apple.application-identifier':
                     'test.signing.bundle_id.canary'
             }, '$W/app-entitlements.plist'),
+            mock.call({}, '$W/helper-renderer-entitlements.plist'),
+            mock.call({}, '$W/helper-plugin-entitlements.plist'),
             mock.call({
                 'pfm_domain': 'test.signing.bundle_id.canary'
             }, '$W/App Product Canary.app/Contents/Resources/test.signing.bundle_id.canary.manifest/Contents/Resources/test.signing.bundle_id.canary.manifest'

chrome/installer/mac/signing/signing.py

@@ -81,13 +81,15 @@ def get_parts(config):
                 .format(config),
                 '{}.helper.renderer'.format(uncustomized_bundle_id),
                 options=CodeSignOptions.RESTRICT,
+                entitlements='helper-renderer-entitlements.plist',
                 verify_options=VerifyOptions.DEEP),
         'helper-plugin-app':
             CodeSignedProduct(
                 '{0.framework_dir}/Helpers/{0.product} Helper (Plugin).app'
                 .format(config),
                 '{}.helper.plugin'.format(uncustomized_bundle_id),
                 options=CodeSignOptions.RESTRICT,
+                entitlements='helper-plugin-entitlements.plist',
                 verify_options=VerifyOptions.DEEP),
         'app-mode-app':
             CodeSignedProduct(