Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding entitlement for unsigned memory execution #909

Merged
merged 1 commit into from
Feb 1, 2020
Merged

Adding entitlement for unsigned memory execution #909

merged 1 commit into from
Feb 1, 2020

Conversation

jonsmorrow
Copy link
Contributor

Description

ffi loads c code into memory in an unsigned way and this allows workstation
to work with the hardened runtime.

Signed-off-by: Jon Morrow jmorrow@chef.io

Related Issue

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Chore (non-breaking change that does not add functionality or fix an issue)

Checklist:

  • I have read the CONTRIBUTING document.
  • I have run the pre-merge tests locally and they pass.
  • I have updated the documentation accordingly.
  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • All commits have been signed-off for the Developer Certificate of Origin.

@jonsmorrow jonsmorrow requested review from a team as code owners February 1, 2020 06:43
@jonsmorrow jonsmorrow mentioned this pull request Feb 1, 2020
Merged
@jonsmorrow
Copy link
Contributor Author

Ad-hoc build to test: https://buildkite.com/chef/chef-chef-workstation-master-omnibus-adhoc/builds/195#f6ea77d0-48e1-4cd3-86cb-76939dd76a37

Adding entitlement for unsigned memory execution
bdeb285 
ffi loads c code into memory in an unsigned way and this allows workstation
to work with the hardened runtime.

Signed-off-by: Jon Morrow <jmorrow@chef.io>
@jonsmorrow
Copy link
Contributor Author

Updated to point to omnibus master now that that has merged. Here is a new ad-hoc build:
https://buildkite.com/chef/chef-chef-workstation-master-omnibus-adhoc/builds/196#da902d7e-a20c-4079-ab7c-10b788e660a1

afiune
afiune approved these changes Feb 1, 2020
View reviewed changes
omnibus/resources/chef-workstation/pkg/entitlements.plist
<key>com.apple.security.cs.allow-unsigned-executable-memory</key>
<true/>
</dict>
</plist>
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Not sure if this file needs a new line

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think it's required, but from a style perspective maybe we should. I'm going to merge without and we'll figure it out.

@jonsmorrow
Copy link
Contributor Author

The verify step is hanging waiting on an agent. After discussing with @afiune this should be safe to ignore so I am going to merge this pr and get a build out in current that resolves the gatekeeper issues.

@jonsmorrow jonsmorrow merged commit 8951f8b into master Feb 1, 2020
@chef-expeditor chef-expeditor bot deleted the jm/add_entitlement branch February 1, 2020 20:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tas50 tas50 tas50 approved these changes

@afiune afiune afiune approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@jonsmorrow @tas50 @afiune