tools: add debug entitlements for macOS 10.15+

[ggreco]

To debug native modules node should be a debuggable process, from MacOS 10.15, Catalina, that will require the com.apple.security.get-task-allow entitlement to be added to the codesign process.

Fixes: #34340

Checklist

• [X ] make -j4 test (UNIX), or vcbuild test (Windows) passes
• [X ] commit message follows commit guidelines

By making a contribution to this project, I certify that:

The contribution was created in whole or in part by me and I have the right to submit it under the open source license indicated in the file

[richardlau]

cc @nodejs/platform-macos

[addaleax]

ping @nodejs/collaborators (since the macos platform team might be a bit small)

[rvagg]

This entitlement facilitates debugging on a system that uses System Integrity Protection (SIP) by circumventing certain security checks.

So get-task-allow I believe allows debuggers to attach to the process, but obviously that activates a bunch of interesting security vectors that Apple would rather avoid for the most part. I think that notarization would fail for this unless we weren't already doing disable-library-validation which enables whole different class of security vectors through plugin loading.

@ggreco can you confirm that macOS still has issues with node binaries from the darwin tarball and not just the .pkg installer? If it's possible for us to recommend that anyone needing a debugger should just get the tarball and use that then I think I'd rather err on the side of not adding this, but if our binaries are blocked regardless then I guess asking people to compile their own from source is probably not a great solution.

The challenge we have is that node is bundled in a lot of other downstream products, so the choices we make wrt liberal entitlements have flow-on effects for those products and introduce potential security vulnerabilities that may otherwise be stopped by the stricter macOS entitlements management system. The more of these entitlements we add, the closer we get to just turning it off entirely (which we're already pretty close to!).

[ggreco]

Yes, the tarball has the same problem as the .pkg.

IMHO the fact that node already allows unsigned libraries is a far bigger security risk than allowing a debugger to attach the process.

I'm quite sure that at the moment you can do the notarization also with security.get-task-allow.

IMHO when you bundle node inside an application, for the appstore or also for custom distribution (simple notarization) you will have to resign everything, including the node binary, so that is not an issue.

[ggreco]

Apple made a specific exception for cases like node (plugin debugging):

https://developer.apple.com/documentation/xcode/notarizing_macos_software_before_distribution/resolving_common_notarization_issues

Note

To enable debugging a plug-in in the context of a host executable, the host can include the com.apple.security.get-task-allow entitlement if it also includes the Disable Library Validation Entitlement. Don’t disable library validation for executables that don’t host plug-ins because library validation protects them from loading untrusted code.

[rvagg]

IMHO when you bundle node inside an application, for the appstore or also for custom distribution (simple notarization) you will have to resign everything, including the node binary, so that is not an issue.

You can just bundle our signed binaries in your thing and sign anything else that's unsigned. A security conscious upstream bundler might want to resign our binaries with more restricted entitlements. I'm just a little doubtful that there will be many who even understand this though. It's really on us to be as restrictive as practical .. which unfortunately isn't very restrictive!

@nodejs/security this might be a something for you to at least be aware of and have the opportunity to object to: we're already being very liberal with our entitlements for the new macOS Gatekeeper. We're already asking for almost everything, including the ability to load unsigned plugins (Node addons). This one adds get-task to allow attaching to the process by an arbitrary secondary process, meant for debugging. Without it, debuggers are either difficult or impossible (I'm not sure how you work around this with Gatekeeper, there's probably a way to turn it off somewhere deep in the bowels of the OS). I don't know if we have too many options here if we want macOS users to be able to attach with an external debugger on Catalina onward.

[rvagg]

Test build for someone to verify the darwin tarball and .pkg works as expected on Catalina: https://nodejs.org/download/test/v15.0.0-test20200721954cff688d/

[rvagg]

fine .. pending verification that test build works as expected

[mhdawson]

LGTM, as I think we have to support debuggers.

[ggreco]

fine .. pending verification that test build works as expected

debugging works as intended

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/32703/

[mcollina]

lgtm

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/32704/

[lpinca]

Landed in b0e4970.

[clarkttfu]

Will this be merged into v12 branch?

[BethGriggs]

@clarkttfu, I think it should be. I've added the lts-watch-v12.x label to indicate that it should be considered for the next v12.x release.

/cc @nodejs/lts

[rvagg]

+1 to backporting