tools: add debug entitlements for macOS 10.15+ #34378
Conversation
To debug native modules node should be a debuggable process, that will require the **com.apple.security.get-task-allow** entitlement to be added to the codesign procedure. Fixes: nodejs#34340
cc @nodejs/platform-macos
ping @nodejs/collaborators (since the macos platform team might be a bit small)
So @ggreco can you confirm that macOS still has issues with The challenge we have is that
Yes, the tarball has the same problem as the .pkg. IMHO the fact that node already allows unsigned libraries is a far bigger security risk than allowing a debugger to attach to the process. I'm quite sure that at the moment you can do the notarization also with security.get-task-allow. IMHO when you bundle node inside an application, for the appstore or also for custom distribution (simple notarization) you will have to resign everything, including the node binary, so that is not an issue.
Apple made a specific exception for cases like node (plugin debugging): "Note: To enable debugging a plug-in in the context of a host executable, the host can include the com.apple.security.get-task-allow entitlement if it also includes the Disable Library Validation Entitlement. Don't disable library validation for executables that don't host plug-ins because library validation protects them from loading untrusted code."
You can just bundle our signed binaries in your thing and sign anything else that's unsigned. A security conscious upstream bundler might want to resign our binaries with more restricted entitlements. I'm just a little doubtful that there will be many who even understand this though. It's really on us to be as restrictive as practical .. which unfortunately isn't very restrictive! @nodejs/security this might be something for you to at least be aware of and have the opportunity to object to: we're already being very liberal with our entitlements for the new macOS Gatekeeper. We're already asking for almost everything, including the ability to load unsigned plugins (Node addons). This one adds get-task to allow attaching to the process by an arbitrary secondary process, meant for debugging. Without it, debuggers are either difficult or impossible (I'm not sure how you work around this with Gatekeeper, there's probably a way to turn it off somewhere deep in the bowels of the OS). I don't know if we have too many options here if we want macOS users to be able to attach with an external debugger on Catalina onward.
Test build for someone to verify the darwin tarball and .pkg works as expected on Catalina: https://nodejs.org/download/test/v15.0.0-test20200721954cff688d/
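The two entitlements this thread turns on, as an added example that is not node's own signing tooling: a plist carrying them, a check for which keys a plist sets, and the codesign invocation that applies them and dumps what the signature actually carries. The signing identity is a placeholder; the key names are Apple's published entitlement identifiers (com.apple.security.cs.disable-library-validation is the key behind the "Disable Library Validation Entitlement" quoted above).

```shell
# Added example, not the node project's own tooling: emit an entitlements
# plist with the two entitlements discussed in the PR, test a plist for a key,
# and (macOS only) sign a binary with it and dump what actually got embedded.
# Only the two keys the page discusses are set; any further entitlement is one
# more Gatekeeper relaxation and needs the same justification.
write_entitlements() {
  cat <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <!-- lets a debugger (e.g. lldb) attach to the running process -->
  <key>com.apple.security.get-task-allow</key>
  <true/>
  <!-- lets the process load unsigned native addons (plug-in host exception) -->
  <key>com.apple.security.cs.disable-library-validation</key>
  <true/>
</dict>
</plist>
EOF
}

# has_entitlement FILE KEY: succeed when KEY is set to <true/> in plist FILE.
# Newlines are dropped so key and value are matched as one string.
has_entitlement() {
  tr -d '\n' < "$1" | grep -q "<key>$2</key>[[:space:]]*<true/>"
}
# sign_and_dump BINARY PLIST: hardened-runtime signature with the entitlements,
# then print what the signature carries. SIGNING_IDENTITY is a placeholder.
sign_and_dump() {
  command -v codesign >/dev/null 2>&1 || { echo "codesign not found, skipping"; return 0; }
  codesign --force --options runtime --entitlements "$2" \
    --sign "${SIGNING_IDENTITY:-SIGNING_IDENTITY_PLACEHOLDER}" "$1"
  codesign -d --entitlements :- "$1"
}

main() {
  plist=$(mktemp)
  write_entitlements > "$plist"
  # the third key is a deliberate negative case: it is not in the plist
  for key in com.apple.security.get-task-allow \
             com.apple.security.cs.disable-library-validation \
             com.apple.security.cs.allow-jit; do
    if has_entitlement "$plist" "$key"; then echo "set:   $key"; else echo "unset: $key"; fi
  done
  if [ $# -ge 1 ]; then sign_and_dump "$1" "$plist"; fi
  rm -f "$plist"
}
main "$@"
```

Pass the path of a binary as the first argument on macOS to sign it with the generated plist; without an argument only the plist checks run.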
fine .. pending verification that test build works as expected
LGTM, as I think we have to support debuggers.
debugging works as intended
lgtm
To debug native modules node should be a debuggable process, that will require the **com.apple.security.get-task-allow** entitlement to be added to the codesign procedure.
PR-URL: #34378
Fixes: #34340
Reviewed-By: Rod Vagg <rod@vagg.org>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Evan Lucas <evanlucas@me.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
Landed in b0e4970.
Notable changes:
- build: set --v8-enable-object-print by default (Mary Marchini) [#34705](#34705)
- deps:
  - upgrade to libuv 1.39.0 (cjihrig) [#34915](#34915)
  - upgrade npm to 6.14.8 (Ruy Adorno) [#34834](#34834)
  - V8: cherry-pick e06ace6b5cdb (Anna Henningsen) [#34673](#34673)
- n-api: handle weak no-finalizer refs correctly (Gabriel Schulhof) [#34839](#34839)
- tools: add debug entitlements for macOS 10.15+ (Gabriele Greco) [#34378](#34378)
PR-URL: #34852
Will this be merged into v12 branch?
@clarkttfu, I think it should be. I've added the /cc @nodejs/lts
+1 to backporting
To debug native modules node should be a debuggable process; from macOS 10.15 (Catalina) that will require the com.apple.security.get-task-allow entitlement to be added to the codesign process.
Fixes: #34340
Checklist
- make -j4 test (UNIX), or vcbuild test (Windows) passes
By making a contribution to this project, I certify that:
- The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file