build: use separate entitlements for different macOS helper executables #94728
Conversation
Strange that access to capabilities without the right entitlements leads to a crash. 🤔 Is this an Apple design decision? @connor4312 Why do we want to enable @deepak1556 Feel free to refactor the build to add different entitlements to the different processes.
Just read microsoft/vscode-js-debug#400. So strange that it is VS Code that needs the entitlements... not Chrome. 🤔
In their API reference for Process, they mention that this is intentional:
An alternative workaround might be to embed an XPC service that launches Chrome inside of the js-debug extension, but that seems like it would be complex.
Per the Chromium issue, it seems that there's a workaround we can apply on the js-debug side. I will investigate within the next couple days and follow up here.
Thanks @connor4312 ! That seems to be a more appropriate solution for the js-debug issue. I am changing the PR to just refactor the entitlements applied.
Following up in the Chrome thread, I think we can close this. They seem amenable to a solution, and we can use port-based debugging instead of pipe-based debugging on OSX as a near-term workaround if necessary.
Thanks @connor4312 , I am keeping this PR open for refactoring the entitlements, which will be useful once we sandbox the renderer #92164.
For review, the entitlements are based on https://source.chromium.org/chromium/chromium/src/+/master:chrome/app/helper-gpu-entitlements.plist. But for our renderer we have other entitlements apart from the
Given the build runs fine, this LGTM! 🚀
We currently bundle a single entitlement file for all the helper executables on macOS. Currently we have Code Helper (Renderer), Code Helper (GPU), Code Helper (Plugin) and Code Helper. This is not good from a security perspective; whatever we shipped so far was not an issue, but once we have a sandboxed renderer we would limit the capabilities of the renderer helper.