Delete build/mac/change_mach_o_flags.py and friends.

build/mac/change_mach_o_flags.py

-#!/usr/bin/env python
-# Copyright (c) 2011 The Chromium Authors. All rights reserved.
-# Use of this source code is governed by a BSD-style license that can be
-# found in the LICENSE file.
-
-"""Usage: change_mach_o_flags.py [--executable-heap] [--no-pie] <executablepath>
-
-Arranges for the executable at |executable_path| to have its data (heap)
-pages protected to prevent execution on Mac OS X 10.7 ("Lion"), and to have
-the PIE (position independent executable) bit set to enable ASLR (address
-space layout randomization). With --executable-heap or --no-pie, the
-respective bits are cleared instead of set, making the heap executable or
-disabling PIE/ASLR.
-
-This script is able to operate on thin (single-architecture) Mach-O files
-and fat (universal, multi-architecture) files. When operating on fat files,
-it will set or clear the bits for each architecture contained therein.
-
-NON-EXECUTABLE HEAP
-
-Traditionally in Mac OS X, 32-bit processes did not have data pages set to
-prohibit execution. Although user programs could call mprotect and
-mach_vm_protect to deny execution of code in data pages, the kernel would
-silently ignore such requests without updating the page tables, and the
-hardware would happily execute code on such pages. 64-bit processes were
-always given proper hardware protection of data pages. This behavior was
-controllable on a system-wide level via the vm.allow_data_exec sysctl, which
-is set by default to 1. The bit with value 1 (set by default) allows code
-execution on data pages for 32-bit processes, and the bit with value 2
-(clear by default) does the same for 64-bit processes.
-
-In Mac OS X 10.7, executables can "opt in" to having hardware protection
-against code execution on data pages applied. This is done by setting a new
-bit in the |flags| field of an executable's |mach_header|. When
-MH_NO_HEAP_EXECUTION is set, proper protections will be applied, regardless
-of the setting of vm.allow_data_exec. See xnu-1699.22.73/osfmk/vm/vm_map.c
-override_nx and xnu-1699.22.73/bsd/kern/mach_loader.c load_machfile.
-
-The Apple toolchain has been revised to set the MH_NO_HEAP_EXECUTION when
-producing executables, provided that -allow_heap_execute is not specified
-at link time. Only linkers shipping with Xcode 4.0 and later (ld64-123.2 and
-later) have this ability. See ld64-123.2.1/src/ld/Options.cpp
-Options::reconfigureDefaults() and
-ld64-123.2.1/src/ld/HeaderAndLoadCommands.hpp
-HeaderAndLoadCommandsAtom<A>::flags().
-
-This script sets the MH_NO_HEAP_EXECUTION bit on Mach-O executables. It is
-intended for use with executables produced by a linker that predates Apple's
-modifications to set this bit itself. It is also useful for setting this bit
-for non-i386 executables, including x86_64 executables. Apple's linker only

[Nico, 2016/04/12 20:10:50]

I'm confused by this comment. The first paragraph says "64-bit executables
always have hardware protection", but then this says "this script is useful for
toggling this bit for 64-bit executables".

In a test binary, the bit isn't set by default at least:

thakis-macpro:src thakis$ xxd a.out | head -2
0000000: cffa edfe 0700 0001 0300 0080 0200 0000  ................
0000010: 0e00 0000 2803 0000 8500 2000 0000 0000  ....(..... .....

The framework does have this bit:

thakis-macpro:src thakis$ xxd /Applications/Google\
Chrome.app/Contents/Versions/49.0.2623.87/Google\ Chrome\
Framework.framework/Google\ Chrome\ Framework | head -2
0000000: cffa edfe 0700 0001 0300 0000 0600 0000  ................
0000010: 2f00 0000 6819 0000 8580 1100 0000 0000  /...h...........

So the CL presumably makes the MH_NO_HEAP_EXECUTION bit disappear. Is that
intentional? If so, is the reasoning that this shouldn'e effectively change
behavior?

[Robert Sesek, 2016/04/12 21:05:50]

The comment is correct but a little confusing. By default 64-bit apps get NX
data and stack, but an executable can force NX by setting the
MH_NO_HEAP_EXECUTION bit, since it is possible to override the architecture
default using sysctl. On i386 only, ld has a flag -allow_heap_execute that can
be used to inhibit the MH_NO_HEAP_EXECUTION bit when linking. This comment in
XNU at override_nx() is maybe a little more clear:
http://opensource.apple.com//source/xnu/xnu-3248.20.55/osfmk/vm/vm_map.c. You
can also verify the current state of NX:

rsesek@hotwire:/Users/rsesek % sysctl vm.allow_data_exec
vm.allow_data_exec: 1
rsesek@hotwire:/Users/rsesek % sysctl vm.allow_stack_exec
vm.allow_stack_exec: 0

Where 0x1 is VM_ABI_32 and 0x2 is VM_ABI_64 (from vm_map.h).

So it is true that we are losing the forceful MH_NO_HEAP_EXECUTION bit and
relying on the 64-bit architecture default for NX (that a user could override if
they were crazy). But for stock installs, this shouldn't have any effect on the
NX behavior.

Mark may have an opinion on this, so I can let this wait till tomorrow.
The framework does not have the bit. Compare without this change:

rsesek@hotwire:/Volumes/Build/src(remotes/origin/HEAD) % otool -hv
out/Release/Chromium.app/Contents/MacOS/Chromium
out/Release/Chromium.app/Contents/MacOS/Chromium:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    21       2336   NOUNDEFS
DYLDLINK TWOLEVEL PIE MH_NO_HEAP_EXECUTION

rsesek@hotwire:/Volumes/Build/src(remotes/origin/HEAD) % otool -vh
out/Release/Chromium.app/Contents/Versions/52.0.2707.0/Chromium\
Framework.framework/Chromium\ Framework
out/Release/Chromium.app/Contents/Versions/52.0.2707.0/Chromium
Framework.framework/Chromium Framework:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL  0x00       DYLIB    46       6408   NOUNDEFS
DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK NO_REEXPORTED_DYLIBS

Versus with this change:

rsesek@hotwire:/Volumes/Build/src(change-macho-flags) % otool -hv
out/Release/Chromium.app/Contents/MacOS/Chromium
out/Release/Chromium.app/Contents/MacOS/Chromium:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL LIB64     EXECUTE    21       2336   NOUNDEFS
DYLDLINK TWOLEVEL PIE

rsesek@hotwire:/Volumes/Build/src(change-macho-flags) % otool -vh
out/Release/Chromium.app/Contents/Versions/52.0.2707.0/Chromium\
Framework.framework/Chromium\ Framework
out/Release/Chromium.app/Contents/Versions/52.0.2707.0/Chromium
Framework.framework/Chromium Framework:
Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
MH_MAGIC_64  X86_64        ALL  0x00       DYLIB    46       6408   NOUNDEFS
DYLDLINK TWOLEVEL WEAK_DEFINES BINDS_TO_WEAK NO_REEXPORTED_DYLIBS

-sets it for 32-bit i386 executables, presumably under the assumption that
-the value of vm.allow_data_exec is set in stone. However, if someone were to
-change vm.allow_data_exec to 2 or 3, 64-bit x86_64 executables would run
-without hardware protection against code execution on data pages. This
-script can set the bit for x86_64 executables, guaranteeing that they run
-with appropriate protection even when vm.allow_data_exec has been tampered
-with.
-
-POSITION-INDEPENDENT EXECUTABLES/ADDRESS SPACE LAYOUT RANDOMIZATION
-
-This script sets or clears the MH_PIE bit in an executable's Mach-O header,
-enabling or disabling position independence on Mac OS X 10.5 and later.
-Processes running position-independent executables have varying levels of
-ASLR protection depending on the OS release. The main executable's load
-address, shared library load addresess, and the heap and stack base
-addresses may be randomized. Position-independent executables are produced
-by supplying the -pie flag to the linker (or defeated by supplying -no_pie).
-Executables linked with a deployment target of 10.7 or higher have PIE on
-by default.
-
-This script is never strictly needed during the build to enable PIE, as all
-linkers used are recent enough to support -pie. However, it's used to
-disable the PIE bit as needed on already-linked executables.
-"""
-
-import optparse
-import os
-import struct
-import sys
-
-
-# <mach-o/fat.h>
-FAT_MAGIC = 0xcafebabe
-FAT_CIGAM = 0xbebafeca
-
-# <mach-o/loader.h>
-MH_MAGIC = 0xfeedface
-MH_CIGAM = 0xcefaedfe
-MH_MAGIC_64 = 0xfeedfacf
-MH_CIGAM_64 = 0xcffaedfe
-MH_EXECUTE = 0x2
-MH_PIE = 0x00200000
-MH_NO_HEAP_EXECUTION = 0x01000000
-
-
-class MachOError(Exception):
-  """A class for exceptions thrown by this module."""
-
-  pass
-
-
-def CheckedSeek(file, offset):
-  """Seeks the file-like object at |file| to offset |offset| and raises a
-  MachOError if anything funny happens."""
-
-  file.seek(offset, os.SEEK_SET)
-  new_offset = file.tell()
-  if new_offset != offset:
-    raise MachOError, \
-          'seek: expected offset %d, observed %d' % (offset, new_offset)
-
-
-def CheckedRead(file, count):
-  """Reads |count| bytes from the file-like |file| object, raising a
-  MachOError if any other number of bytes is read."""
-
-  bytes = file.read(count)
-  if len(bytes) != count:
-    raise MachOError, \
-          'read: expected length %d, observed %d' % (count, len(bytes))
-
-  return bytes
-
-
-def ReadUInt32(file, endian):
-  """Reads an unsinged 32-bit integer from the file-like |file| object,
-  treating it as having endianness specified by |endian| (per the |struct|
-  module), and returns it as a number. Raises a MachOError if the proper
-  length of data can't be read from |file|."""
-
-  bytes = CheckedRead(file, 4)
-
-  (uint32,) = struct.unpack(endian + 'I', bytes)
-  return uint32
-
-
-def ReadMachHeader(file, endian):
-  """Reads an entire |mach_header| structure (<mach-o/loader.h>) from the
-  file-like |file| object, treating it as having endianness specified by
-  |endian| (per the |struct| module), and returns a 7-tuple of its members
-  as numbers. Raises a MachOError if the proper length of data can't be read
-  from |file|."""
-
-  bytes = CheckedRead(file, 28)
-
-  magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
-      struct.unpack(endian + '7I', bytes)
-  return magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags
-
-
-def ReadFatArch(file):
-  """Reads an entire |fat_arch| structure (<mach-o/fat.h>) from the file-like
-  |file| object, treating it as having endianness specified by |endian|
-  (per the |struct| module), and returns a 5-tuple of its members as numbers.
-  Raises a MachOError if the proper length of data can't be read from
-  |file|."""
-
-  bytes = CheckedRead(file, 20)
-
-  cputype, cpusubtype, offset, size, align = struct.unpack('>5I', bytes)
-  return cputype, cpusubtype, offset, size, align
-
-
-def WriteUInt32(file, uint32, endian):
-  """Writes |uint32| as an unsinged 32-bit integer to the file-like |file|
-  object, treating it as having endianness specified by |endian| (per the
-  |struct| module)."""
-
-  bytes = struct.pack(endian + 'I', uint32)
-  assert len(bytes) == 4
-
-  file.write(bytes)
-
-
-def HandleMachOFile(file, options, offset=0):
-  """Seeks the file-like |file| object to |offset|, reads its |mach_header|,
-  and rewrites the header's |flags| field if appropriate. The header's
-  endianness is detected. Both 32-bit and 64-bit Mach-O headers are supported
-  (mach_header and mach_header_64). Raises MachOError if used on a header that
-  does not have a known magic number or is not of type MH_EXECUTE. The
-  MH_PIE and MH_NO_HEAP_EXECUTION bits are set or cleared in the |flags| field
-  according to |options| and written to |file| if any changes need to be made.
-  If already set or clear as specified by |options|, nothing is written."""
-
-  CheckedSeek(file, offset)
-  magic = ReadUInt32(file, '<')
-  if magic == MH_MAGIC or magic == MH_MAGIC_64:
-    endian = '<'
-  elif magic == MH_CIGAM or magic == MH_CIGAM_64:
-    endian = '>'
-  else:
-    raise MachOError, \
-          'Mach-O file at offset %d has illusion of magic' % offset
-
-  CheckedSeek(file, offset)
-  magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags = \
-      ReadMachHeader(file, endian)
-  assert magic == MH_MAGIC or magic == MH_MAGIC_64
-  if filetype != MH_EXECUTE:
-    raise MachOError, \
-          'Mach-O file at offset %d is type 0x%x, expected MH_EXECUTE' % \
-              (offset, filetype)
-
-  original_flags = flags
-
-  if options.no_heap_execution:
-    flags |= MH_NO_HEAP_EXECUTION
-  else:
-    flags &= ~MH_NO_HEAP_EXECUTION
-
-  if options.pie:
-    flags |= MH_PIE
-  else:
-    flags &= ~MH_PIE
-
-  if flags != original_flags:
-    CheckedSeek(file, offset + 24)
-    WriteUInt32(file, flags, endian)
-
-
-def HandleFatFile(file, options, fat_offset=0):
-  """Seeks the file-like |file| object to |offset| and loops over its
-  |fat_header| entries, calling HandleMachOFile for each."""
-
-  CheckedSeek(file, fat_offset)
-  magic = ReadUInt32(file, '>')
-  assert magic == FAT_MAGIC
-
-  nfat_arch = ReadUInt32(file, '>')
-
-  for index in xrange(0, nfat_arch):
-    cputype, cpusubtype, offset, size, align = ReadFatArch(file)
-    assert size >= 28
-
-    # HandleMachOFile will seek around. Come back here after calling it, in
-    # case it sought.
-    fat_arch_offset = file.tell()
-    HandleMachOFile(file, options, offset)
-    CheckedSeek(file, fat_arch_offset)
-
-
-def main(me, args):
-  parser = optparse.OptionParser('%prog [options] <executable_path>')
-  parser.add_option('--executable-heap', action='store_false',
-                    dest='no_heap_execution', default=True,
-                    help='Clear the MH_NO_HEAP_EXECUTION bit')
-  parser.add_option('--no-pie', action='store_false',
-                    dest='pie', default=True,
-                    help='Clear the MH_PIE bit')
-  (options, loose_args) = parser.parse_args(args)
-  if len(loose_args) != 1:
-    parser.print_usage()
-    return 1
-
-  executable_path = loose_args[0]
-  executable_file = open(executable_path, 'rb+')
-
-  magic = ReadUInt32(executable_file, '<')
-  if magic == FAT_CIGAM:
-    # Check FAT_CIGAM and not FAT_MAGIC because the read was little-endian.
-    HandleFatFile(executable_file, options)
-  elif magic == MH_MAGIC or magic == MH_CIGAM or \
-      magic == MH_MAGIC_64 or magic == MH_CIGAM_64:
-    HandleMachOFile(executable_file, options)
-  else:
-    raise MachOError, '%s is not a Mach-O or fat file' % executable_file
-
-  executable_file.close()
-  return 0
-
-
-if __name__ == '__main__':
-  sys.exit(main(sys.argv[0], sys.argv[1:]))