macos: Update our macOS entitlements #639
Conversation
apyrgio
force-pushed
the
2023-12-entitlements
branch
2 times, most recently
from
890f1ae to
2f1fbd3
Compare
|
This PR is blocked because the suggested entitlements break mounting files in the container. This will have to wait until we resolve #625, in which case, we will pass files via the container's standard streams. |
almet
force-pushed
the
2023-12-entitlements
branch
from
2f1fbd3 to
5d779a2
Compare
|
Now that #625 has been merged in main, I've rebased this on top. |
almet
dismissed
deeplow’s stale review
Relaxing Deeplow from his dangerzone duties :-)
|
Just tested this PR once more. I'm afraid that the recently merged on-host conversion PR does not solve this issue. I've encountered the following issues: Accessing the Docker socketOpening the GUI app shows the following error message:
Note that there's indeed no Unix Domain socket there. When I attempt to specify it via the
Accessing files from the Dangerzone CLIPointing the user@macos ~ % /Applications/Dangerzone.app/Contents/MacOS/dangerzone-cli dangerzone/tests/test_docs/sample-pdf.pdf
Input file not found: make sure you typed it correctly.
user@macos ~ % ls dangerzone/tests/test_docs/sample-pdf.pdf
dangerzone/tests/test_docs/sample-pdf.pdfMy understanding is that sandboxed apps cannot read any file in the host, but instead have to open a browser window, and let the user choose the file on their own. See: https://developer.apple.com/documentation/security/accessing-files-from-the-macos-app-sandbox |
|
One question I had while looking into this is, what's the deal with Docker Desktop? How can the Docker CLI access the Unix Domain Socket of the Docker server? Turns out that two things happen. First, Docker is not a sandboxed app, as we can see from the missing entitlement in the output below: user@macos ~ % codesign -d --entitlements - /Applications/Docker.app/Contents/MacOS/Docker\ Desktop.app/Contents/MacOS/Docker\ Desktop
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 9BNSXJN65R.com.docker.docker
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] group.com.docker
[Key] com.apple.security.cs.allow-jit
[Value]
[Bool] true
[Key] com.apple.security.cs.allow-unsigned-executable-memory
[Value]
[Bool] trueSecond, the Docker CLI belongs in the same application group as Docker Desktop ( user@macos ~ % codesign -d --entitlements - /usr/local/bin/docker
[Dict]
[Key] com.apple.application-identifier
[Value]
[String] 9BNSXJN65R.com.docker.docker
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] group.com.docker |
Remove some macOS entitlements that are not necessary for the current iteration of Dangerzone. Those are the ability to run as a hypervisor, and the ability to accept network connections. They are a relic from when we were experimenting with VMs, instead of relying on Docker Desktop.
apyrgio
force-pushed
the
2023-12-entitlements
branch
from
5d779a2 to
f524207
Compare
|
Still, even though we can't go full app sandbox here, it doesn't mean that we can't ditch some older entitlements that are no longer used. I have updated this PR to remove some that I found, and tested that the resulting .dmg works on macOS. |
Our entitlements were last updated when Dangerzone was considering using HyperKit to spawn VMs (9158d02, on 2021-06-30). Now that we use Docker Desktop, we can make them stricter.
Fixes #638