Mirror of the gdb-patches mailing list
* [RFA-Darwin]: Add an info key in darwin executable
@ 2009-10-05 12:22 Tristan Gingold
  2009-10-05 17:30 ` Joel Brobecker
  2009-10-06  4:18 ` Paul Pluzhnikov
  0 siblings, 2 replies; 6+ messages in thread
From: Tristan Gingold @ 2009-10-05 12:22 UTC (permalink / raw)
  To: gdb-patches ml

Hi,

Special authorizations are required to run gdb on Darwin.  Making gdb
setgid procmod is required for Tiger, but later OS versions may need a
code signature.  Signing an executable requires keys info in the binary.
This patch adds these keys.

I think we should let the user or the system administrator sign the
executable themselves, as we can't create and publish a certificate.

Tristan.


2009-10-05  Tristan Gingold  <gingold@adacore.com>

	* darwin-nat.c: Add __TEXT __info_plist content.
	(darwin_attach_pid): Update error message.

diff --git a/gdb/darwin-nat.c b/gdb/darwin-nat.c
index 237c465..daa9df9 100644
--- a/gdb/darwin-nat.c
+++ b/gdb/darwin-nat.c
@@ -147,6 +147,34 @@ static struct inferior *darwin_inf_fake_stop;
  /* This controls output of inferior debugging.  */
  static int darwin_debug_flag = 0;

+/* Create a __TEXT __info_plist section in the executable so that gdb  
could
+   be signed.  This is required to get an authorization for  
task_for_pid.
+
+   Once gdb is built, you can either:
+   * make it setgid procmod
+   * or codesign it with any system-trusted signing authority.
+   See taskgated(8) for details.  */
+static const unsigned char info_plist[]
+__attribute__ ((section ("__TEXT,__info_plist"),used)) =
+  "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
+  "<!DOCTYPE plist PUBLIC \"-//Apple Computer//DTD PLIST 1.0//EN\""
+  " \"http://www.apple.com/DTDs/PropertyList-1.0.dtd\">\n"
+  "<plist version=\"1.0\">\n"
+  "<dict>\n"
+  "  <key>CFBundleIdentifier</key>\n"
+  "  <string>org.gnu.gdb</string>\n"
+  "  <key>CFBundleName</key>\n"
+  "  <string>gdb</string>\n"
+  "  <key>CFBundleVersion</key>\n"
+  "  <string>1.0</string>\n"
+  "  <key>SecTaskAccess</key>\n"
+  "  <array>\n"
+  "    <string>allowed</string>\n"
+  "    <string>debug</string>\n"
+  "  </array>\n"
+  "</dict>\n"
+  "</plist>\n";
+
  static void
  inferior_debug (int level, const char *fmt, ...)
  {
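
Review bot: CFBundleVersion in the info_plist string is hard-coded to "1.0" and will not follow the gdb version, so every build carries the same bundle version; either derive it from gdb's version string or say in the comment that the value is a deliberate placeholder. The block comment should also spend one sentence on what the SecTaskAccess entries "allowed" and "debug" request, since that array is the reason the section exists, and it is worth noting that the `__attribute__ ((section (...), used))` form is used unconditionally and so assumes a GCC-compatible compiler.
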
@@ -1323,7 +1351,7 @@ darwin_attach_pid (struct inferior *inf)
  	}

        error (_("Unable to find Mach task port for process-id %d: %s  
(0x%lx).\n"
-	       " (please check gdb is setgid procmod)"),
+	       " (please check gdb is codesigned - see taskgated(8))"),
               inf->pid, mach_error_string (kret), (unsigned long)  
kret);
      }
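
Review bot: The replacement string in the error() call of darwin_attach_pid drops the setgid procmod hint completely, while the comment added above info_plist in the first hunk still lists "make it setgid procmod" as one of the two valid options. Suggest keeping both in the message, for example " (please check gdb is codesigned or setgid procmod - see taskgated(8))", so the advice printed on failure matches the comment.
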




* Re: [RFA-Darwin]: Add an info key in darwin executable
  2009-10-05 12:22 [RFA-Darwin]: Add an info key in darwin executable Tristan Gingold
@ 2009-10-05 17:30 ` Joel Brobecker
  2009-10-06 12:26   ` Tristan Gingold
  2009-10-06  4:18 ` Paul Pluzhnikov
  1 sibling, 1 reply; 6+ messages in thread
From: Joel Brobecker @ 2009-10-05 17:30 UTC (permalink / raw)
  To: Tristan Gingold; +Cc: gdb-patches ml

> 2009-10-05  Tristan Gingold  <gingold@adacore.com>
>
> 	* darwin-nat.c: Add __TEXT __info_plist content.
> 	(darwin_attach_pid): Update error message.

This looks fine to me. It looks safe for the 7.0 branch as well.
What do you think?

-- 
Joel



* Re: [RFA-Darwin]: Add an info key in darwin executable
  2009-10-05 12:22 [RFA-Darwin]: Add an info key in darwin executable Tristan Gingold
  2009-10-05 17:30 ` Joel Brobecker
@ 2009-10-06  4:18 ` Paul Pluzhnikov
  2009-10-06  8:27   ` Tristan Gingold
  1 sibling, 1 reply; 6+ messages in thread
From: Paul Pluzhnikov @ 2009-10-06  4:18 UTC (permalink / raw)
  To: Tristan Gingold; +Cc: gdb-patches ml

On Mon, Oct 5, 2009 at 5:22 AM, Tristan Gingold <gingold@adacore.com> wrote:

> I think we should let the user or the system administrator sign the
> executable themselves, as we can't create and publish a certificate.

I have tried and failed to find info on just how to do such signing :-(

Would you mind writing instructions somewhere in GDB wiki,
and reference that page here:

> -              " (please check gdb is setgid procmod)"),
> +              " (please check gdb is codesigned - see taskgated(8))"),

I am afraid "man taskgated" didn't do it for me :-(

Thanks,
-- 
Paul Pluzhnikov



* Re: [RFA-Darwin]: Add an info key in darwin executable
  2009-10-06  4:18 ` Paul Pluzhnikov
@ 2009-10-06  8:27   ` Tristan Gingold
  0 siblings, 0 replies; 6+ messages in thread
From: Tristan Gingold @ 2009-10-06  8:27 UTC (permalink / raw)
  To: Paul Pluzhnikov; +Cc: gdb-patches ml


On Oct 6, 2009, at 6:18 AM, Paul Pluzhnikov wrote:

> On Mon, Oct 5, 2009 at 5:22 AM, Tristan Gingold <gingold@adacore.com> wrote:
>
>> I think we should let the user or the system administrator sign the
>> executable themselves, as we can't create and publish a certificate.
>
> I have tried and failed to find info on just how to do such signing :-(
>
> Would you mind writing instructions somewhere in GDB wiki,
> and reference that page here:

I added a wiki page:

http://sourceware.org/gdb/wiki/BuildingOnDarwin

Feel free to improve it!




* Re: [RFA-Darwin]: Add an info key in darwin executable
  2009-10-05 17:30 ` Joel Brobecker
@ 2009-10-06 12:26   ` Tristan Gingold
  2009-10-06 15:07     ` Joel Brobecker
  0 siblings, 1 reply; 6+ messages in thread
From: Tristan Gingold @ 2009-10-06 12:26 UTC (permalink / raw)
  To: Joel Brobecker; +Cc: gdb-patches ml


On Oct 5, 2009, at 7:29 PM, Joel Brobecker wrote:

>> 2009-10-05  Tristan Gingold  <gingold@adacore.com>
>>
>> 	* darwin-nat.c: Add __TEXT __info_plist content.
>> 	(darwin_attach_pid): Update error message.
>
> This looks fine to me. It looks safe for the 7.0 branch as well.
> What do you think?

Yes, this is definitely safe.



* Re: [RFA-Darwin]: Add an info key in darwin executable
  2009-10-06 12:26   ` Tristan Gingold
@ 2009-10-06 15:07     ` Joel Brobecker
  0 siblings, 0 replies; 6+ messages in thread
From: Joel Brobecker @ 2009-10-06 15:07 UTC (permalink / raw)
  To: Tristan Gingold; +Cc: gdb-patches ml

>>> 2009-10-05  Tristan Gingold  <gingold@adacore.com>
>>>
>>> 	* darwin-nat.c: Add __TEXT __info_plist content.
>>> 	(darwin_attach_pid): Update error message.
>>
>> This looks fine to me. It looks safe for the 7.0 branch as well.
>> What do you think?
>
> Yes, this is definitely safe.

Great. I checked that change in the 7.0 branch after you checked it in HEAD.

-- 
Joel


