From 37cc5831f6f2e8f8398c1304c60f5ae4be027f37 Mon Sep 17 00:00:00 2001 From: Aleksey Kliger Date: Thu, 1 Apr 2021 21:33:05 -0400 Subject: [PATCH 1/5] [catalyst] Add jit entitlements to AppleAppBuilder to use the JIT on MacCatalyst we need the hardened runtime and the JIT entitlement. Otherwise mmap() with a MAP_JIT argument fails with EINVAL. --- .../Templates/CMakeLists.txt.template | 15 +++++++++++++++ .../Templates/app.entitlements.template | 8 ++++++++ src/tasks/AppleAppBuilder/Templates/runtime.m | 4 ++-- src/tasks/AppleAppBuilder/Xcode.cs | 17 ++++++++++++++++- 4 files changed, 41 insertions(+), 3 deletions(-) create mode 100644 src/tasks/AppleAppBuilder/Templates/app.entitlements.template diff --git a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template index 7fea422c6b4e2..c26ce044422d6 100644 --- a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template +++ b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template @@ -31,6 +31,21 @@ set_target_properties(%ProjectName% PROPERTIES RESOURCE "${APP_RESOURCES}" ) +set(HARDENED_RUNTIME +%HardenedRuntime% +) + +set(HARDENED_RUNTIME_USE_JIT +%HardenedRuntimeUseJit% +) + +if("${HARDENED_RUNTIME}") + set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_HARDENED_RUNTIME "YES") + if("${HARDENED_RUNTIME_USE_JIT}") + set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "app.entitlements") + endif() +endif() + # FIXME: `XCODE_ATTRIBUTE_DEAD_CODE_STRIPPING` should not be NO target_link_libraries( diff --git a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template new file mode 100644 index 0000000000000..b82971a78d4f1 --- /dev/null +++ b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template @@ -0,0 +1,8 @@ + + + + + com.apple.security.cs.allow-jit + + + \ No newline at end of file 
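Review bot: The property set inside `if("${HARDENED_RUNTIME}")` is `XCODE_ATTRIBUTE_HARDENED_RUNTIME`, but the Xcode build setting that turns on the hardened runtime is, as far as I know, `ENABLE_HARDENED_RUNTIME`, so this line may only define an unused setting. I would write `set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_ENABLE_HARDENED_RUNTIME "YES")` and confirm on a built bundle that the code signature carries the runtime flag. If the current spelling is known to work with the generator in use, a comment saying so would save the next reader the same check.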
diff --git a/src/tasks/AppleAppBuilder/Templates/runtime.m b/src/tasks/AppleAppBuilder/Templates/runtime.m index ef8bdbd4dfce5..17c8be6ff0463 100644 --- a/src/tasks/AppleAppBuilder/Templates/runtime.m +++ b/src/tasks/AppleAppBuilder/Templates/runtime.m @@ -246,14 +246,14 @@ const char *appctx_keys [] = { "RUNTIME_IDENTIFIER", "APP_CONTEXT_BASE_DIRECTORY", -#ifndef INVARIANT_GLOBALIZATION +#if !defined(INVARIANT_GLOBALIZATION) && !TARGET_OS_MACCATALYST "ICU_DAT_FILE_PATH" #endif }; const char *appctx_values [] = { APPLE_RUNTIME_IDENTIFIER, bundle, -#ifndef INVARIANT_GLOBALIZATION +#if !defined(INVARIANT_GLOBALIZATION) && !TARGET_OS_MACCATALYST icu_dat_path #endif }; diff --git a/src/tasks/AppleAppBuilder/Xcode.cs b/src/tasks/AppleAppBuilder/Xcode.cs index dcba5f973e9c2..d71f7a69e5235 100644 --- a/src/tasks/AppleAppBuilder/Xcode.cs +++ b/src/tasks/AppleAppBuilder/Xcode.cs @@ -83,11 +83,20 @@ public string GenerateXCode( } } + bool hardenedRuntime = false; + bool hardenedRuntimeUseJit = false; + if (Target == TargetNames.MacCatalyst && !(forceInterpreter || forceAOT)) { + hardenedRuntime = true; + hardenedRuntimeUseJit = true; + } + string cmakeLists = Utils.GetEmbeddedResource("CMakeLists.txt.template") .Replace("%ProjectName%", projectName) .Replace("%AppResources%", string.Join(Environment.NewLine, resources.Select(r => " " + r))) .Replace("%MainSource%", nativeMainSource) - .Replace("%MonoInclude%", monoInclude); + .Replace("%MonoInclude%", monoInclude) + .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE") + .Replace("%HardenedRuntimeUseJit%", hardenedRuntimeUseJit ? "TRUE" : "FALSE"); string[] dylibs = Directory.GetFiles(workspace, "*.dylib"); 
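Review bot: Nothing in the runtime.m hunk or the commit message says why `ICU_DAT_FILE_PATH` is dropped on MacCatalyst, and the same condition now has to stay identical in `appctx_keys` and `appctx_values` or the two arrays go out of step. A comment above the first `#if`, for example `/* MacCatalyst: no ICU data file is passed, so the property is omitted */` (wording to be confirmed by the author), would record the intent. `TARGET_OS_MACCATALYST` evaluates to 0 when undefined, so the check also relies on TargetConditionals.h being included earlier in the file, which is outside the hunk.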
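Review bot: In the Xcode.cs hunk, `hardenedRuntime` and `hardenedRuntimeUseJit` are only ever set together, so MacCatalyst builds with `forceInterpreter` or `forceAOT` get no hardened runtime at all, even though those are the builds that need no JIT entitlement. If the hardened runtime is wanted as a protection rather than only as a prerequisite for the entitlement, the flags could be split: `bool hardenedRuntime = Target == TargetNames.MacCatalyst;` and `bool hardenedRuntimeUseJit = hardenedRuntime && !(forceInterpreter || forceAOT);`. That may need other changes before interpreter builds load their native libraries under library validation, so if the coupling is deliberate a comment on the `if` should say so. GenerateXCode starts and ends outside the hunk.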
@@ -154,6 +163,12 @@ public string GenerateXCode( File.WriteAllText(Path.Combine(binDir, "Info.plist"), plist); File.WriteAllText(Path.Combine(binDir, "CMakeLists.txt"), cmakeLists); + if (hardenedRuntimeUseJit) { + /* FIXME: right now the entitlements template just hardcodes the JIT entitlement. */ + string entitlements = Utils.GetEmbeddedResource("app.entitlements.template"); + File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlements); + } + string targetName; switch (Target) { From b05d74d1db39e9a9b42a29d6b90364ede96020e5 Mon Sep 17 00:00:00 2001 From: Aleksey Kliger Date: Fri, 2 Apr 2021 00:05:28 -0400 Subject: [PATCH 2/5] [catalyst] also add disable library validation entitlement To load libSystem.Native.dylib from the Resources/ directory in the .app bundle. (And possibly to load libicu from homebrew) --- src/tasks/AppleAppBuilder/Templates/app.entitlements.template | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template index b82971a78d4f1..936f126f72782 100644 --- a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template +++ b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template @@ -4,5 +4,7 @@ com.apple.security.cs.allow-jit + com.apple.security.cs.disable-library-validation + - \ No newline at end of file + From 22ffcb05b8ccd48b9fc122e7cacc9fe6ff8b47b8 Mon Sep 17 00:00:00 2001 From: Aleksey Kliger Date: Fri, 2 Apr 2021 11:07:16 -0400 Subject: [PATCH 3/5] [AppleAppBuilder] cleanup entitlements generation a little Use a list in the builder instead of hardcoding in the template. --- .../Templates/CMakeLists.txt.template | 6 ++-- .../Templates/app.entitlements.template | 5 +--- src/tasks/AppleAppBuilder/Xcode.cs | 29 ++++++++++++++----- 3 files changed, 25 insertions(+), 15 deletions(-) 
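Review bot: `com.apple.security.cs.disable-library-validation`, added to app.entitlements.template in patch 2, switches off the hardened runtime's check that loaded libraries are signed by Apple or by the app's own team, which is a much wider grant than the stated need of loading libSystem.Native.dylib from the bundle's Resources/ directory. Signing the bundled dylibs with the app's identity would presumably cover that case without the entitlement; loading libicu from a Homebrew path outside the bundle is the case that does need it, and that is a development convenience rather than something every generated app should carry. I would keep the entitlement out of the default set and add it only behind an explicit opt-in. The same applies where patch 3 moves it into the `entitlements` list in Xcode.cs.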
diff --git a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template index c26ce044422d6..4dcd8b645bb52 100644 --- a/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template +++ b/src/tasks/AppleAppBuilder/Templates/CMakeLists.txt.template @@ -35,13 +35,13 @@ set(HARDENED_RUNTIME %HardenedRuntime% ) -set(HARDENED_RUNTIME_USE_JIT -%HardenedRuntimeUseJit% +set(HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE +%HardenedRuntimeUseEntitlementsFile% ) if("${HARDENED_RUNTIME}") set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_HARDENED_RUNTIME "YES") - if("${HARDENED_RUNTIME_USE_JIT}") + if("${HARDENED_RUNTIME_USE_ENTITLEMENTS_FILE}") set_target_properties(%ProjectName% PROPERTIES XCODE_ATTRIBUTE_CODE_SIGN_ENTITLEMENTS "app.entitlements") endif() endif() diff --git a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template index 936f126f72782..e3737e695acb4 100644 --- a/src/tasks/AppleAppBuilder/Templates/app.entitlements.template +++ b/src/tasks/AppleAppBuilder/Templates/app.entitlements.template @@ -2,9 +2,6 @@ - com.apple.security.cs.allow-jit - - com.apple.security.cs.disable-library-validation - +%Entitlements% diff --git a/src/tasks/AppleAppBuilder/Xcode.cs b/src/tasks/AppleAppBuilder/Xcode.cs index d71f7a69e5235..442eb539af38b 100644 --- a/src/tasks/AppleAppBuilder/Xcode.cs +++ b/src/tasks/AppleAppBuilder/Xcode.cs 
@@ -83,11 +83,16 @@ public string GenerateXCode( } } + var entitlements = new List>(); + bool hardenedRuntime = false; - bool hardenedRuntimeUseJit = false; if (Target == TargetNames.MacCatalyst && !(forceInterpreter || forceAOT)) { hardenedRuntime = true; - hardenedRuntimeUseJit = true; + + /* for mmmap MAP_JIT */ + entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.allow-jit", "")); + /* for loading unsigned dylibs like libicu from outside the bundle or libSystem.Native.dylib from inside */ + entitlements.Add (KeyValuePair.Create ("com.apple.security.cs.disable-library-validation", "")); } string cmakeLists = Utils.GetEmbeddedResource("CMakeLists.txt.template") @@ -95,8 +100,7 @@ public string GenerateXCode( .Replace("%AppResources%", string.Join(Environment.NewLine, resources.Select(r => " " + r))) .Replace("%MainSource%", nativeMainSource) .Replace("%MonoInclude%", monoInclude) - .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE") - .Replace("%HardenedRuntimeUseJit%", hardenedRuntimeUseJit ? "TRUE" : "FALSE"); + .Replace("%HardenedRuntime%", hardenedRuntime ? "TRUE" : "FALSE"); string[] dylibs = Directory.GetFiles(workspace, "*.dylib"); 
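Review bot: The new comment reads `/* for mmmap MAP_JIT */`; it should be `/* for mmap MAP_JIT */`. The two `entitlements.Add (KeyValuePair.Create (...))` calls put a space before the parenthesis while the `.Replace(...)` chain directly below does not, so the hunk mixes two call styles. The second comment would be more useful if it stated whether the entitlement is meant only for locally built sample apps. GenerateXCode starts and ends outside the hunk.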
@@ -161,12 +165,21 @@ public string GenerateXCode( .Replace("%BundleIdentifier%", projectName); File.WriteAllText(Path.Combine(binDir, "Info.plist"), plist); + + var needEntitlements = entitlements.Count != 0; + cmakeLists = cmakeLists.Replace("%HardenedRuntimeUseEntitlementsFile%", + needEntitlements ? "TRUE" : "FALSE"); + File.WriteAllText(Path.Combine(binDir, "CMakeLists.txt"), cmakeLists); - if (hardenedRuntimeUseJit) { - /* FIXME: right now the entitlements template just hardcodes the JIT entitlement. */ - string entitlements = Utils.GetEmbeddedResource("app.entitlements.template"); - File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlements); + if (needEntitlements) { + var ent = new StringBuilder(); + foreach ((var key, var value) in entitlements) { + ent.AppendLine ($"{key}"); + ent.AppendLine (value); + } + string entitlementsTemplate = Utils.GetEmbeddedResource("app.entitlements.template"); + File.WriteAllText(Path.Combine(binDir, "app.entitlements"), entitlementsTemplate.Replace("%Entitlements%", ent.ToString())); } string targetName; From 923910615b8d7b81582cb9543fd25785ae176b59 Mon Sep 17 00:00:00 2001 From: Aleksey Kliger Date: Fri, 2 Apr 2021 15:24:48 -0400 Subject: [PATCH 4/5] [mono] update iOS sample to run on Catalyst too use `make run-catalyst` --- src/mono/sample/iOS/Makefile | 16 ++++++++++++++++ src/mono/sample/iOS/Program.csproj | 20 +++++++++++++++++--- 2 files changed, 33 insertions(+), 3 deletions(-) diff --git a/src/mono/sample/iOS/Makefile b/src/mono/sample/iOS/Makefile index 7d4a6c680fcc1..be7c2bcefe0aa 100644 --- a/src/mono/sample/iOS/Makefile +++ b/src/mono/sample/iOS/Makefile 
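Review bot: In the `foreach` that fills `ent`, `key` and `value` are appended to the entitlements plist as raw text, so an entry containing `<`, `>` or `&` would produce a malformed or differently structured file. Both entries are constants added earlier in GenerateXCode today, so nothing breaks yet, but if the list is ever fed from task parameters the key should go through `SecurityElement.Escape(key)` and the value should be limited to a known set of plist fragments. Separately, `needEntitlements` does not depend on `hardenedRuntime`, while the CMake template applies the file only inside the hardened-runtime branch; a comment stating that coupling would help.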
@@ -18,5 +18,21 @@ run: clean appbuilder $(DOTNET) publish -c $(MONO_CONFIG) /p:TargetArchitecture=$(MONO_ARCH) \ /p:UseLLVM=$(USE_LLVM) /p:ForceAOT=$(AOT) +run-sim: clean appbuilder + $(DOTNET) publish -c $(MONO_CONFIG) /p:TargetOS=iOSSimulator /p:TargetArchitecture=$(MONO_ARCH) \ + /p:UseLLVM=$(USE_LLVM) /p:ForceAOT=$(AOT) + +run-catalyst: + $(DOTNET) publish -c $(MONO_CONFIG) /p:TargetOS=MacCatalyst /p:TargetArchitecture=$(MONO_ARCH) \ + /p:UseLLVM=False /p:ForceAOT=False + +run-sim-interp: clean appbuilder + $(DOTNET) publish -c $(MONO_CONFIG) /p:TargetOS=iOSSimulator /p:TargetArchitecture=$(MONO_ARCH) \ + /p:UseLLVM=$(USE_LLVM) /p:ForceAOT=$(AOT) /p:MonoForceInterpreter=true + +run-catalyst-interp: + $(DOTNET) publish -c $(MONO_CONFIG) /p:TargetOS=MacCatalyst /p:TargetArchitecture=$(MONO_ARCH) \ + /p:UseLLVM=False /p:ForceAOT=False /p:MonoForceInterpreter=true + clean: rm -rf bin diff --git a/src/mono/sample/iOS/Program.csproj b/src/mono/sample/iOS/Program.csproj index 56f3124b3865c..770b67cba6d86 100644 --- a/src/mono/sample/iOS/Program.csproj +++ b/src/mono/sample/iOS/Program.csproj @@ -8,11 +8,20 @@ $(ArtifactsBinDir)microsoft.netcore.app.runtime.$(TargetOS.ToLower())-$(TargetArchitecture)\$(Configuration)\runtimes\$(TargetOS.ToLower())-$(TargetArchitecture)\ false $(TargetOS.ToLower())-$(TargetArchitecture) - true - Link $(DefineConstants);CI_TEST + + + + + + + + + - + + @@ -35,7 +44,7 @@ $(MSBuildThisFileDirectory)$(PublishDir)\app iPhone 11 True - true + true @@ -83,11 +92,16 @@ + + + + + Date: Fri, 2 Apr 2021 16:50:34 -0400 Subject: [PATCH 5/5] fix typos and address feedback --- src/mono/sample/iOS/Program.csproj | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/mono/sample/iOS/Program.csproj b/src/mono/sample/iOS/Program.csproj index 770b67cba6d86..580d61cf70fb9 100644 --- a/src/mono/sample/iOS/Program.csproj +++ b/src/mono/sample/iOS/Program.csproj @@ -12,13 +12,12 @@ - + - -
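Review bot: `run-catalyst` and `run-catalyst-interp` have no prerequisites, while `run`, `run-sim` and `run-sim-interp` all depend on `clean appbuilder`. Without `clean`, an earlier `bin` directory is reused, so switching between the JIT and interpreter targets could leave an `app.entitlements` from the previous build in place; whether that happens depends on where the builder's output directory points, which is not visible here. If the omission is deliberate, a comment above the two targets should say why; otherwise use `run-catalyst: clean appbuilder` and `run-catalyst-interp: clean appbuilder`.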