[AppleAppBuilder] cleanup entitlements generation a little

Use a list in the builder instead of hardcoding in the template.

src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template

@@ -35,13 +35,13 @@ set(HARDENED_RUNTIME
 %HardenedRuntime%
 )
 
-set(HARDENED_RUNTIME_USE_JIT
-%HardenedRuntimeUseJit%
+set(HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE
+%HardenedRuntimeUseEntitlementsFile%
 )
 
 if("${HARDENED_RUNTIME}")
   set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_HARDENED_RUNTIME "YES")
-  if("${HARDENED_RUNTIME_USE_JIT}")
+  if("${HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE}")
     set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "app.entitlements")
   endif()
 endif()

src/tasks/AppleAppBuilder/Templates/app.entitlements.template

@@ -2,9 +2,6 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-        <key>com.apple.security.cs.allow-jit</key>
-        <true/>
-	<key>com.apple.security.cs.disable-library-validation</key>
-	<true/>
+%Entitlements%
 </dict>
 </plist>

src/tasks/AppleAppBuilder/Xcode.cs

@@ -83,20 +83,24 @@ public Xcode(string target, string arch)
             }
         }
 
+        var entitlements = new List<KeyValuePair<string, string>>();
+
         bool hardenedRuntime = false;
-        bool hardenedRuntimeUseJit = false;
         if (Target == TargetNames.MacCatalyst && !(forceInterpreter || forceAOT)) {
             hardenedRuntime = true;
-            hardenedRuntimeUseJit = true;
+
+            /* for mmmap MAP_JIT */
+            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.allow-jit", "<true/>"));
+            /* for loading unsigned dylibs like libicu from outside the bundle or libSystem.Native.dylib from inside */
+            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.disable-library-validation", "<true/>"));
         }
 
         string cmakeLists = Utils.GetEmbeddedResource("CMakeLists.txt.template")
             .Replace("%ProjectName%", projectName)
             .Replace("%AppResources%", string.Join(Environment.NewLine, resources.Select(r => "    " + r)))
             .Replace("%MainSource%", nativeMainSource)
             .Replace("%MonoInclude%", monoInclude)
-            .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE")
-            .Replace("%HardenedRuntimeUseJit%", hardenedRuntimeUseJit ? "TRUE" : "FALSE");
+            .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE");
 
 
         string[] dylibs = Directory.GetFiles(workspace, "*.dylib");
@@ -161,12 +165,21 @@ public Xcode(string target, string arch)
             .Replace("%BundleIdentifier%", projectName);
 
         File.WriteAllText(Path.Combine(binDir, "Info.plist"), plist);
+
+        var needEntitlements = entitlements.Count != 0;
+        cmakeLists = cmakeLists.Replace("%HardenedRuntimeUseEntitlementsFile%",
+                                        needEntitlements ? "TRUE" : "FALSE");
+
         File.WriteAllText(Path.Combine(binDir, "CMakeLists.txt"), cmakeLists);
 
-        if (hardenedRuntimeUseJit) {
-            /* FIXME: right now the entitlements template just hardcodes the JIT entitlement. */
-            string entitlements = Utils.GetEmbeddedResource("app.entitlements.template");
-            File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlements);
+        if (needEntitlements) {
+            var ent = new StringBuilder();
+            foreach ((var key, var value) in entitlements) {
+                ent.AppendLine ($"<key>{key}</key>");
+                ent.AppendLine (value);
+            }
+            string entitlementsTemplate = Utils.GetEmbeddedResource("app.entitlements.template");
+            File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlementsTemplate.Replace("%Entitlements%", ent.ToString()));
         }
 
         string targetName;