build: use separate entitlements for different macOS helper executables

[deepak1556]

We currently bundle a single entitlement file for all the helper executables on macOS, currently we have Code Helper (Renderer) , Code Helper (GPU), Code Helper (Plugin) and Code Helper, this is not good from a security perspective, whatever we shipped so far was not an issue but once we have sandboxed renderer we would limit the capabilities of the renderer helper.

[joaomoreno]

Strange that access to capabilities without the right entitlements leads to a crash. 🤔 Is this an Apple design decision?

@connor4312 Why do we want to enable getUserMedia() in VS Code?

@deepak1556 Feel free to refactor the build to add different entitlements to the different processes.

[joaomoreno]

@connor4312 Why do we want to enable getUserMedia() in VS Code?

Just read microsoft/vscode-js-debug#400. So strange that it is VS Code that needs the entitlements... not Chrome. 🤔

[connor4312]

In their API reference for Process, they mention that this is intentional:

In a sandboxed application, child processes created with the Process class inherit the sandbox of the parent app. You should generally write helper applications as XPC Services instead, because XPC Services allows you to specify different sandbox entitlements for helper apps

An alternative workaround might be to embed an XPC service that launches Chrome inside of the js-debug extension, but that seems like it would be complex.

[connor4312]

Per the Chromium issue, it seems that there's a workaround we can apply on the js-debug side. I will investigate within the next couple days and follow up here.

[deepak1556]

Thanks @connor4312 ! that seems to be a more appropriate solution for the js-debug issue.

I am changing the PR to just refactor the entitlements applied.

[connor4312]

Following up in the Chrome thread, I think we can close this. They seem amenable to a solution, and we can use port-based debugging instead of pipe-based debugging on OSX as a near-term workaround if necessary.

[deepak1556]

Thanks @connor4312 , I am keep this PR open for refactoring the entitlements, which will be useful once we sandbox the renderer #92164.

[deepak1556]

For review the entitlements are based on https://source.chromium.org/chromium/chromium/src/+/master:chrome/app/helper-gpu-entitlements.plist
https://source.chromium.org/chromium/chromium/src/+/master:chrome/app/helper-plugin-entitlements.plist
https://source.chromium.org/chromium/chromium/src/+/master:chrome/app/helper-renderer-entitlements.plist

But for our renderer we have other entitlements apart from the jit entitlement because of node integration.

[joaomoreno]

Given the build runs fine, this LGTM! 🚀