Message ID | 20240723085902.98572-1-philmd@linaro.org (mailing list archive) |
---|---|
State | New, archived |
Series | [RFC] macos: Allow coredump generation |
This can certainly be useful in various situations! However, wholesale
enabling get-task-allow will enable other processes on the system to
inject code, connect a debugger, etc. to the Qemu process. Normally,
this is only something you'd enable for builds that are specifically
intended for debugging. I'm not sure users running Qemu in production
environments will necessarily appreciate this - do we perhaps want to
gate this behind a build configuration flag?

(Related: Would it perhaps make more sense to dynamically
generate/preprocess the entitlements file based on configuration flags
than have a bunch of variants of the file? You'll end up with a
combinatorial explosion sooner or later - I'm also thinking of
com.apple.vm.networking and com.apple.vm.device-access which we can't
enable by default because they require Apple to grant the entitlement
but which currently require patching if you have those entitlements.)

What do you think?

Phil

On Tue, 23 Jul 2024 at 10:59, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:

> QEMU is allowed to generate coredump on other POSIX OSes,
> bring that functionality to macOS. Admin users still need
> to enable the kern.coredump sysctl manually running:
>
>   % sudo sysctl kern.coredump=1
>
> the normal users have to enable their shell running:
>
>   % ulimit -c unlimited
>
> Reference used:
>
> https://nasa.github.io/trick/howto_guides/How-to-dump-core-file-on-MacOS.html
> > Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org> > --- > Cc: Alexander Graf <agraf@csgraf.de> > Cc: Akihiko Odaki <akihiko.odaki@daynix.com> > Cc: Peter Maydell <peter.maydell@linaro.org> > Cc: Phil Dennis-Jordan <phil@philjordan.eu> > Cc: Roman Bolshakov <roman@roolebo.dev> > Cc: Paolo Bonzini <pbonzini@redhat.com> > Cc: Francesco Cagnin <fcagnin@quarkslab.com> > --- > MAINTAINERS | 2 ++ > meson.build | 6 ++++-- > accel/hvf/entitlements.plist | 2 ++ > accel/tcg/entitlements.plist | 8 ++++++++ > 4 files changed, 16 insertions(+), 2 deletions(-) > create mode 100644 accel/tcg/entitlements.plist > > diff --git a/MAINTAINERS b/MAINTAINERS > index d5ff6c2498e..c6f57d77b19 100644 > --- a/MAINTAINERS > +++ b/MAINTAINERS > @@ -611,6 +611,8 @@ M: Philippe Mathieu-Daudé <philmd@linaro.org> > S: Odd Fixes > F: .gitlab-ci.d/cirrus/macos-* > F: */*.m > +F: accel/tcg/entitlements.plist > +F: accel/hvf/entitlements.plist > F: scripts/entitlement.sh > > Alpha Machines > diff --git a/meson.build b/meson.build > index a1e51277b09..aae35e93420 100644 > --- a/meson.build > +++ b/meson.build > @@ -3983,9 +3983,11 @@ foreach target : target_dirs > ] > if 'CONFIG_HVF' in config_target > entitlements = 'accel/hvf/entitlements.plist' > - build_input += files(entitlements) > - install_input += meson.current_source_dir() / entitlements > + else > + entitlements = 'accel/tcg/entitlements.plist' > endif > + build_input += files(entitlements) > + install_input += meson.current_source_dir() / entitlements > > emulators += {exe['name'] : custom_target(exe['name'], > input: build_input, > diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist > index 154f3308ef2..af4bb45dbea 100644 > --- a/accel/hvf/entitlements.plist > +++ b/accel/hvf/entitlements.plist > @@ -4,5 +4,7 @@ > <dict> > <key>com.apple.security.hypervisor</key> > <true/> > + <key>com.apple.security.get-task-allow</key> > + <true/> > </dict> > </plist> 
> diff --git a/accel/tcg/entitlements.plist b/accel/tcg/entitlements.plist > new file mode 100644 > index 00000000000..9acd12816c9 > --- /dev/null > +++ b/accel/tcg/entitlements.plist > @@ -0,0 +1,8 @@ > +<?xml version="1.0" encoding="UTF-8"?> > +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" " > http://www.apple.com/DTDs/PropertyList-1.0.dtd"> > +<plist version="1.0"> > +<dict> > + <key>com.apple.security.get-task-allow</key> > + <true/> > +</dict> > +</plist> > -- > 2.41.0 > >
On 2024/07/23 18:09, Phil Dennis-Jordan wrote:
> This can certainly be useful in various situations! However, wholesale
> enabling get-task-allow will enable other processes on the system to
> inject code, connect a debugger, etc. to the Qemu process. Normally,
> this is only something you'd enable for builds that are specifically
> intended for debugging. I'm not sure users running Qemu in production
> environments will necessarily appreciate this - do we perhaps want to
> gate this behind a build configuration flag?

Yes, it is useful but shouldn't be enabled by default for a non-debug build.

>
> (Related: Would it perhaps make more sense to dynamically
> generate/preprocess the entitlements file based on configuration flags
> than have a bunch of variants of the file? You'll end up with a
> combinatorial explosion sooner or later - I'm also thinking of
> com.apple.vm.networking and com.apple.vm.device-access which we can't
> enable by default because they require Apple to grant the entitlement
> but which currently require patching if you have those entitlements.)

I agree. It's better to generate a plist.

>
> What do you think?
>
> Phil
>
>
> On Tue, 23 Jul 2024 at 10:59, Philippe Mathieu-Daudé <philmd@linaro.org> wrote:
>
>     QEMU is allowed to generate coredump on other POSIX OSes,
>     bring that functionality to macOS. Admin users still need
>     to enable the kern.coredump sysctl manually running:
>
>        % sudo sysctl kern.coredump=1
>
>     the normal users have to enable their shell running:
>
>        % ulimit -c unlimited
>
>     Reference used:
>     https://nasa.github.io/trick/howto_guides/How-to-dump-core-file-on-MacOS.html

It is better to note the implication of adding
com.apple.security.get-task-allow in the commit message.

Regards,
Akihiko Odaki
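The suggestion made in the two replies above (generate the entitlements plist from build options and keep get-task-allow out of non-debug builds), as an added example that is not part of the thread or of QEMU. The `hvf`, `debug` and `granted` options and all function names are hypothetical; only the entitlement keys come from the thread.

```python
import plistlib

# Entitlement keys named in the thread.
HYPERVISOR = "com.apple.security.hypervisor"
GET_TASK_ALLOW = "com.apple.security.get-task-allow"
# Entitlements the thread says Apple has to grant: opt-in only.
RESTRICTED = {"com.apple.vm.networking", "com.apple.vm.device-access"}


def build_entitlements(hvf, debug, granted=()):
    """Return the entitlements dict for one emulator binary.

    hvf, debug and granted are hypothetical build options, not QEMU's own.
    """
    unknown = set(granted) - RESTRICTED
    if unknown:
        raise ValueError(f"not a known restricted entitlement: {sorted(unknown)}")
    ent = {}
    if hvf:
        ent[HYPERVISOR] = True
    if debug:
        # Lets other processes attach to the binary, so debug builds only.
        ent[GET_TASK_ALLOW] = True
    for key in granted:
        ent[key] = True
    return ent


def render_plist(entitlements):
    """Serialize to an XML plist, the format of the files in the patch."""
    return plistlib.dumps(entitlements, fmt=plistlib.FMT_XML, sort_keys=True)


def audit_plist(data, debug):
    """Return the problems found in a generated or hand-written plist."""
    ent = plistlib.loads(data)
    problems = []
    if ent.get(GET_TASK_ALLOW) and not debug:
        problems.append(f"{GET_TASK_ALLOW} set in a non-debug build")
    return problems


if __name__ == "__main__":
    # Constructed sample: a release HVF build and a debug TCG build.
    print(render_plist(build_entitlements(hvf=True, debug=False)).decode())
    print(render_plist(build_entitlements(hvf=False, debug=True)).decode())
```

`audit_plist` can run as a build or CI step over whichever plist ends up being passed to the signing script, so a static file carrying get-task-allow fails a non-debug build.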
diff --git a/MAINTAINERS b/MAINTAINERS index d5ff6c2498e..c6f57d77b19 100644 --- a/MAINTAINERS +++ b/MAINTAINERS @@ -611,6 +611,8 @@ M: Philippe Mathieu-Daudé <philmd@linaro.org> S: Odd Fixes F: .gitlab-ci.d/cirrus/macos-* F: */*.m +F: accel/tcg/entitlements.plist +F: accel/hvf/entitlements.plist F: scripts/entitlement.sh Alpha Machines diff --git a/meson.build b/meson.build index a1e51277b09..aae35e93420 100644 --- a/meson.build +++ b/meson.build @@ -3983,9 +3983,11 @@ foreach target : target_dirs ] if 'CONFIG_HVF' in config_target entitlements = 'accel/hvf/entitlements.plist' - build_input += files(entitlements) - install_input += meson.current_source_dir() / entitlements + else + entitlements = 'accel/tcg/entitlements.plist' endif + build_input += files(entitlements) + install_input += meson.current_source_dir() / entitlements emulators += {exe['name'] : custom_target(exe['name'], input: build_input, diff --git a/accel/hvf/entitlements.plist b/accel/hvf/entitlements.plist index 154f3308ef2..af4bb45dbea 100644 --- a/accel/hvf/entitlements.plist +++ b/accel/hvf/entitlements.plist @@ -4,5 +4,7 @@ <dict> <key>com.apple.security.hypervisor</key> <true/> + <key>com.apple.security.get-task-allow</key> + <true/> </dict> </plist> diff --git a/accel/tcg/entitlements.plist b/accel/tcg/entitlements.plist new file mode 100644 index 00000000000..9acd12816c9 --- /dev/null +++ b/accel/tcg/entitlements.plist @@ -0,0 +1,8 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> +<plist version="1.0"> +<dict> + <key>com.apple.security.get-task-allow</key> + <true/> +</dict> +</plist>
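Review bot: In the meson.build hunk, the new else branch together with the now unconditional "build_input += files(entitlements)" means every target in this loop receives an entitlements file, and nothing in the hunk lets a build option decide whether the get-task-allow variant is used. Consider choosing the plist from a debug-style configuration option, so that a default build keeps the previous behaviour: HVF targets signed with only com.apple.security.hypervisor, other targets with no entitlements input.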
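Review bot: In the accel/hvf/entitlements.plist hunk, com.apple.security.get-task-allow is added to the one file every HVF target is signed with, so it cannot be switched off for a non-debug build. Suggest leaving this file with only com.apple.security.hypervisor and adding the key through a debug-only path; the commit message should also say what the entitlement permits, since it currently describes only coredump generation.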
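Review bot: The new accel/tcg/entitlements.plist holds nothing but com.apple.security.get-task-allow, repeating the key added to the HVF file, so each further entitlement or option would need another static variant. Generating a single plist at build time from the configuration would remove the need for this second file and keep the key in one place.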
QEMU is allowed to generate coredump on other POSIX OSes,
bring that functionality to macOS. Admin users still need
to enable the kern.coredump sysctl manually running:

  % sudo sysctl kern.coredump=1

the normal users have to enable their shell running:

  % ulimit -c unlimited

Reference used:
https://nasa.github.io/trick/howto_guides/How-to-dump-core-file-on-MacOS.html

Signed-off-by: Philippe Mathieu-Daudé <philmd@linaro.org>
---
Cc: Alexander Graf <agraf@csgraf.de>
Cc: Akihiko Odaki <akihiko.odaki@daynix.com>
Cc: Peter Maydell <peter.maydell@linaro.org>
Cc: Phil Dennis-Jordan <phil@philjordan.eu>
Cc: Roman Bolshakov <roman@roolebo.dev>
Cc: Paolo Bonzini <pbonzini@redhat.com>
Cc: Francesco Cagnin <fcagnin@quarkslab.com>
---
 MAINTAINERS                  | 2 ++
 meson.build                  | 6 ++++--
 accel/hvf/entitlements.plist | 2 ++
 accel/tcg/entitlements.plist | 8 ++++++++
 4 files changed, 16 insertions(+), 2 deletions(-)
 create mode 100644 accel/tcg/entitlements.plist