From 22ffcb05b8ccd48b9fc122e7cacc9fe6ff8b47b8 Mon Sep 17 00:00:00 2001
From: Aleksey Kliger <alklig@microsoft.com>
Date: Fri, 2 Apr 2021 11:07:16 -0400
Subject: [PATCH] [AppleAppBuilder] cleanup entitlements generation a little

Use a list in the builder instead of hardcoding in the template.
---
 .../Templates/CMakeLists.txt.template         |  6 ++--
 .../Templates/app.entitlements.template       |  5 +---
 src/tasks/AppleAppBuilder/Xcode.cs            | 29 ++++++++++++++-----
 3 files changed, 25 insertions(+), 15 deletions(-)

diff --git a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template
index c26ce044422d6..4dcd8b645bb52 100644
--- a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template
+++ b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template
@@ -35,13 +35,13 @@ set(HARDENED_RUNTIME
 %HardenedRuntime%
 )
 
-set(HARDENED_RUNTIME_USE_JIT
-%HardenedRuntimeUseJit%
+set(HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE
+%HardenedRuntimeUseEntitlementsFile%
 )
 
 if("${HARDENED_RUNTIME}")
   set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_HARDENED_RUNTIME "YES")
-  if("${HARDENED_RUNTIME_USE_JIT}")
+  if("${HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE}")
     set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "app.entitlements")
   endif()
 endif()
diff --git a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template
index 936f126f72782..e3737e695acb4 100644
--- a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template
+++ b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template
@@ -2,9 +2,6 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
-        <key>com.apple.security.cs.allow-jit</key>
-        <true/>
-	<key>com.apple.security.cs.disable-library-validation</key>
-	<true/>
+%Entitlements%
 </dict>
 </plist>
diff --git a/src/tasks/AppleAppBuilder/Xcode.cs b/src/tasks/AppleAppBuilder/Xcode.cs
index d71f7a69e5235..442eb539af38b 100644
--- a/src/tasks/AppleAppBuilder/Xcode.cs
+++ b/src/tasks/AppleAppBuilder/Xcode.cs
@@ -83,11 +83,16 @@ public Xcode(string target, string arch)
             }
         }
 
+        var entitlements = new List<KeyValuePair<string, string>>();
+
         bool hardenedRuntime = false;
-        bool hardenedRuntimeUseJit = false;
         if (Target == TargetNames.MacCatalyst && !(forceInterpreter || forceAOT)) {
             hardenedRuntime = true;
-            hardenedRuntimeUseJit = true;
+
+            /* for mmmap MAP_JIT */
+            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.allow-jit", "<true/>"));
+            /* for loading unsigned dylibs like libicu from outside the bundle or libSystem.Native.dylib from inside */
+            entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.disable-library-validation", "<true/>"));
         }
 
         string cmakeLists = Utils.GetEmbeddedResource("CMakeLists.txt.template")
@@ -95,8 +100,7 @@ public Xcode(string target, string arch)
             .Replace("%AppResources%", string.Join(Environment.NewLine, resources.Select(r => "    " + r)))
             .Replace("%MainSource%", nativeMainSource)
             .Replace("%MonoInclude%", monoInclude)
-            .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE")
-            .Replace("%HardenedRuntimeUseJit%", hardenedRuntimeUseJit ? "TRUE" : "FALSE");
+            .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE");
 
 
         string[] dylibs = Directory.GetFiles(workspace, "*.dylib");
@@ -161,12 +165,21 @@ public Xcode(string target, string arch)
             .Replace("%BundleIdentifier%", projectName);
 
         File.WriteAllText(Path.Combine(binDir, "Info.plist"), plist);
+
+        var needEntitlements = entitlements.Count != 0;
+        cmakeLists = cmakeLists.Replace("%HardenedRuntimeUseEntitlementsFile%",
+                                        needEntitlements ? "TRUE" : "FALSE");
+
         File.WriteAllText(Path.Combine(binDir, "CMakeLists.txt"), cmakeLists);
 
-        if (hardenedRuntimeUseJit) {
-            /* FIXME: right now the entitlements template just hardcodes the JIT entitlement. */
-            string entitlements = Utils.GetEmbeddedResource("app.entitlements.template");
-            File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlements);
+        if (needEntitlements) {
+            var ent = new StringBuilder();
+            foreach ((var key, var value) in entitlements) {
+                ent.AppendLine ($"<key>{key}</key>");
+                ent.AppendLine (value);
+            }
+            string entitlementsTemplate = Utils.GetEmbeddedResource("app.entitlements.template");
+            File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlementsTemplate.Replace("%Entitlements%", ent.ToString()));
         }
 
         string targetName;