VPN-7142: Directly install daemon for macOS<13 (#10662) (#10664)

oskirby · web-flow · commit b6b0cffce4c9 · 2025-07-18T14:06:23.000-07:00
* Fix double-free in macOS 11/12 XPC auth check
* Install the daemon directly instead of using a helper script
* Generate codesign for wireguard-go
* Add Logger support for CFErrorRef
* Fix wireguard-go path lookup on macOS &lt; 13
* Enforce codesign on wireguard-go
* Verify that wireguard-go was signed by the same common name
diff --git a/macos/pkg/scripts/postinstall.in b/macos/pkg/scripts/postinstall.in
@@ -79,27 +79,8 @@ fi
 # of the SMAppService interface.
 if [ ${OSX_MAJOR_VER} -lt 13 ]; then
   echo "Installing privileged helper tool"
-  if [ ! -d /Library/PrivilegedHelperTools ]; then
-    mkdir -m 755 /Library/PrivilegedHelperTools
-    chown root:wheel /Library/PrivilegedHelperTools
-  fi
-  touch $DAEMON_HELPER_TOOL
-  chown root:wheel $DAEMON_HELPER_TOOL
-  chmod 744 $DAEMON_HELPER_TOOL
-  cat << EOF > $DAEMON_HELPER_TOOL
-#!/usr/bin/env bash
-CODESIGN_REQS="anchor apple generic and identifier ${CODESIGN_APP_IDENTIFIER}"
-CODESIGN_REQS+=" and certificate 1[field.${APPLE_OID_EXT_CA_INTERMEDIATE}] /* exists */"
-CODESIGN_REQS+=" and certificate leaf[field.${APPLE_OID_EXT_APP_CODESIGNING}] /* exists */"
-CODESIGN_REQS+=" and certificate leaf[subject.OU] = \"${CODESIGN_TEAM_IDENTIFIER}\""
-if ! codesign -v --verbose=4 -R="\${CODESIGN_REQS}" "${APP_DIR}"; then
-  echo "Codesign failed! Aborting."
-  exit 1
-fi
-
-"${APP_DIR}/Contents/Library/LaunchServices/${CODESIGN_APP_IDENTIFIER}.daemon" "\$@"
-EOF
-  chmod u-w $DAEMON_HELPER_TOOL
+  install -d -m 755 -o root -g wheel /Library/PrivilegedHelperTools
+  install "${APP_DIR}/Contents/Library/LaunchServices/${CODESIGN_APP_IDENTIFIER}.daemon" /Library/PrivilegedHelperTools
 
   # Modify the SMAppService plist for use as a legacy daemon.
   echo "Loading the Daemon at $DAEMON_PLIST_PATH"
diff --git a/src/cmake/macos.cmake b/src/cmake/macos.cmake
@@ -129,6 +129,7 @@ else()
     )
 endif()
 add_dependencies(mozillavpn build_wireguard_go)
+osx_codesign_target(build_wireguard_go FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go)
 osx_bundle_files(mozillavpn
     FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go
     DESTINATION Resources/utils
diff --git a/src/platforms/macos/daemon/wireguardutilsmacos.cpp b/src/platforms/macos/daemon/wireguardutilsmacos.cpp
@@ -4,14 +4,20 @@
 
 #include "wireguardutilsmacos.h"
 
+#include <Security/SecCertificate.h>
+#include <Security/SecRequirement.h>
+#include <Security/SecStaticCode.h>
+#include <Security/SecTask.h>
 #include <errno.h>
 #include <net/route.h>
 
 #include <QByteArray>
 #include <QDir>
 #include <QFile>
 #include <QLocalSocket>
+#include <QSysInfo>
 #include <QTimer>
+#include <QVersionNumber>
 
 #include "leakdetector.h"
 #include "logger.h"
@@ -65,6 +71,144 @@ void WireguardUtilsMacos::tunnelFinished(int exitCode,
   }
 }
 
+// static
+QString WireguardUtilsMacos::wireguardGoPath() {
+  QString osVersion = QSysInfo::productVersion();
+  if (QVersionNumber::fromString(osVersion) >= QVersionNumber(13, 0)) {
+    // For macOS 13 and later this can be a relative path to the daemon.
+    QDir appPath(QCoreApplication::applicationDirPath());
+    appPath.cdUp();
+    appPath.cdUp();
+    appPath.cd("Resources");
+    appPath.cd("utils");
+    return appPath.filePath("wireguard-go");
+  }
+
+  // For earlier versions of macOS - this must be a fixed path
+  return "/Applications/Mozilla VPN.app/Contents/Resources/utils/wireguard-go";
+}
+
+// static
+QString WireguardUtilsMacos::wireguardGoRequirements() {
+  static QString requirements;
+  if (!requirements.isEmpty()) {
+    return requirements;
+  }
+
+  OSStatus status = errSecSuccess;
+  SecCodeRef code = nullptr;
+  CFDictionaryRef dict = nullptr;
+  auto guard = qScopeGuard([&]() {
+    if (status != errSecSuccess) {
+      CFStringRef msg = SecCopyErrorMessageString(status, nullptr);
+      logger.warning() << "Requirements failed:" << msg;
+      CFRelease(msg);
+    }
+    CFRelease(code);
+    CFRelease(dict);
+  });
+
+  status = SecCodeCopySelf(kSecCSDefaultFlags, &code);
+  if (status != errSecSuccess) {
+    return QString();
+  }
+  status = SecCodeCopySigningInformation(code, kSecCSSigningInformation, &dict);
+  if (status != errSecSuccess) {
+    return QString();
+  }
+
+  // Build the signing requirements.
+  QStringList reqList("anchor apple generic");
+  CFTypeRef value;
+  value = CFDictionaryGetValue(dict, kSecCodeInfoTeamIdentifier);
+  if ((value != nullptr) && (CFGetTypeID(value) == CFStringGetTypeID())) {
+    QString team = QString::fromCFString(static_cast<CFStringRef>(value));
+    reqList << QString("certificate leaf[subject.OU] = \"%1\"").arg(team);
+  }
+
+  value = CFDictionaryGetValue(dict, kSecCodeInfoCertificates);
+  if ((value != nullptr) && (CFGetTypeID(value) == CFArrayGetTypeID()) &&
+      (CFArrayGetCount(static_cast<CFArrayRef>(value)) != 0)) {
+    CFTypeRef leaf = CFArrayGetValueAtIndex(static_cast<CFArrayRef>(value), 0);
+    if ((leaf != nullptr) && (CFGetTypeID(leaf) == SecCertificateGetTypeID())) {
+      CFStringRef name;
+      QString nameReqTemplate = "certificate leaf[subject.CN] = \"%1\"";
+      SecCertificateCopyCommonName((SecCertificateRef)leaf, &name);
+      reqList << nameReqTemplate.arg(QString::fromCFString(name));
+      CFRelease(name);
+    }
+  }
+
+  requirements = reqList.join(" and ");
+  return requirements;
+}
+
+// static
+bool WireguardUtilsMacos::wireguardGoCodesign(const QProcess& process) {
+  // No need to verify the codesign on macOS >= 13.0 as the daemon is running
+  // as a part of the bundle, so we ought to get codesign verification for free
+  QString osVersion = QSysInfo::productVersion();
+  if (QVersionNumber::fromString(osVersion) >= QVersionNumber(13, 0)) {
+    return true;
+  }
+
+  QString requirements = wireguardGoRequirements();
+  if (requirements.isEmpty()) {
+    // If the daemon is not signed, then we shouldn't expect wireguard-go to be.
+    return true;
+  }
+
+  OSStatus status = errSecSuccess;
+  CFErrorRef err = nullptr;
+  CFURLRef url = nullptr;
+  SecRequirementRef req = nullptr;
+  SecStaticCodeRef code = nullptr;
+  auto guard = qScopeGuard([&]() {
+    if (err != nullptr) {
+      logger.warning() << "Codesign failed:" << err;
+      CFRelease(err);
+    } else if (status != errSecSuccess) {
+      CFStringRef msg = SecCopyErrorMessageString(status, nullptr);
+      logger.warning() << "Codesign failed:" << msg;
+      CFRelease(msg);
+    }
+    CFRelease(url);
+    CFRelease(req);
+    CFRelease(code);
+  });
+
+  // Get the URL to the QProcess's program
+  CFStringRef urlString = process.program().toCFString();
+  url = CFURLCreateWithFileSystemPath(kCFAllocatorDefault, urlString,
+                                      kCFURLPOSIXPathStyle, false);
+  CFRelease(urlString);
+  if (!url) {
+    logger.warning() << "Unable to generate URL for" << process.program();
+    return false;
+  }
+  logger.debug() << "Codesign verifying:" << CFURLGetString(url);
+  logger.debug() << "Codesign requirements:" << requirements;
+
+  // Prepare the codesign requirements.
+  CFStringRef reqString = requirements.toCFString();
+  status = SecRequirementCreateWithString(reqString, kSecCSDefaultFlags, &req);
+  CFRelease(reqString);
+  if (status != errSecSuccess) {
+    return false;
+  }
+
+  // Validate the codesign.
+  logger.debug() << "Codesign get code object";
+  status = SecStaticCodeCreateWithPath(url, kSecCSDefaultFlags, &code);
+  if (status != errSecSuccess) {
+    return false;
+  }
+  logger.debug() << "Codesign verify code object";
+  status =
+      SecStaticCodeCheckValidityWithErrors(code, kSecCSDefaultFlags, req, &err);
+  return (status == errSecSuccess);
+}
+
 bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
   Q_UNUSED(config);
   if (m_tunnel.state() != QProcess::NotRunning) {
@@ -84,14 +228,14 @@ bool WireguardUtilsMacos::addInterface(const InterfaceConfig& config) {
   pe.insert("LOG_LEVEL", "debug");
 #endif
   m_tunnel.setProcessEnvironment(pe);
+  m_tunnel.setProgram(wireguardGoPath());
+  m_tunnel.setArguments(QStringList({"-f", "utun"}));
+  if (!wireguardGoCodesign(m_tunnel)) {
+    logger.error() << "Unable to validate tunnel process code signature";
+    return false;
+  }
 
-  QDir appPath(QCoreApplication::applicationDirPath());
-  appPath.cdUp();
-  appPath.cdUp();
-  appPath.cd("Resources");
-  appPath.cd("utils");
-  QStringList wgArgs = {"-f", "utun"};
-  m_tunnel.start(appPath.filePath("wireguard-go"), wgArgs);
+  m_tunnel.start();
   if (!m_tunnel.waitForStarted(WG_TUN_PROC_TIMEOUT)) {
     logger.error() << "Unable to start tunnel process due to timeout";
     m_tunnel.kill();
diff --git a/src/platforms/macos/daemon/wireguardutilsmacos.h b/src/platforms/macos/daemon/wireguardutilsmacos.h
@@ -42,6 +42,9 @@ class WireguardUtilsMacos final : public WireguardUtils {
   QString uapiCommand(const QString& command);
   static int uapiErrno(const QString& command);
   QString waitForTunnelName(const QString& filename);
+  static QString wireguardGoPath();
+  static bool wireguardGoCodesign(const QProcess& process);
+  static QString wireguardGoRequirements();
 
   QString m_ifname;
   QProcess m_tunnel;
diff --git a/src/platforms/macos/daemon/xpcdaemonserver.mm b/src/platforms/macos/daemon/xpcdaemonserver.mm
@@ -141,7 +141,6 @@ + (NSString*) getTeamIdentifier:(SecTaskRef)task {
     CFRelease(error);
     return nil;
   }
-  auto guard = qScopeGuard([&]() { CFRelease(result); });
 
   if (CFGetTypeID(result) == CFStringGetTypeID()) {
     return static_cast<NSString*>(result);
diff --git a/src/platforms/macos/macoscryptosettings.mm b/src/platforms/macos/macoscryptosettings.mm
@@ -156,9 +156,7 @@
   CFErrorRef error = nullptr;
   CFTypeRef result = SecTaskCopyValueForEntitlement(task, cfName, &error);
   if (error != nullptr) {
-    CFStringRef desc = CFErrorCopyDescription(error);
-    logger.error() << "Failed to check entitlements:" << desc;
-    CFRelease(desc);
+    logger.error() << "Failed to check entitlements:" << error;
     CFRelease(error);
   }
   if (result != nullptr) {
diff --git a/src/utils/logger.cpp b/src/utils/logger.cpp
@@ -63,6 +63,12 @@ Logger::Log& Logger::Log::operator<<(CFStringRef t) {
   m_data->m_ts << QString::fromCFString(t);
   return *this;
 }
+Logger::Log& Logger::Log::operator<<(CFErrorRef t) {
+  CFStringRef ref = CFErrorCopyDescription(t);
+  m_data->m_ts << QString::fromCFString(ref);
+  CFRelease(ref);
+  return *this;
+}
 #endif
 
 QString Logger::sensitive(const QString& input) {
diff --git a/src/utils/logger.h b/src/utils/logger.h
@@ -12,6 +12,10 @@
 
 #include "loglevel.h"
 
+#ifdef Q_OS_APPLE
+#  include <CoreFoundation/CoreFoundation.h>
+#endif
+
 class QJsonObject;
 
 class Logger {
@@ -36,6 +40,7 @@ class Logger {
 #ifdef Q_OS_APPLE
     Log& operator<<(const NSString* t);
     Log& operator<<(CFStringRef t);
+    Log& operator<<(CFErrorRef t);
 #endif
 
     // Q_ENUM

Original file line number	Diff line number	Diff line change
`@@ -129,6 +129,7 @@ else()`
`129`	`129`	`)`
`130`	`130`	`endif()`
`131`	`131`	`add_dependencies(mozillavpn build_wireguard_go)`
	`132`	`+osx_codesign_target(build_wireguard_go FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go)`
`132`	`133`	`osx_bundle_files(mozillavpn`
`133`	`134`	`FILES ${CMAKE_CURRENT_BINARY_DIR}/wireguard-go`
`134`	`135`	`DESTINATION Resources/utils`
Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,6 @@ + (NSString*) getTeamIdentifier:(SecTaskRef)task {`
`141`	`141`	`CFRelease(error);`
`142`	`142`	`return nil;`
`143`	`143`	`}`
`144`		`- auto guard = qScopeGuard([&]() { CFRelease(result); });`
`145`	`144`
`146`	`145`	`if (CFGetTypeID(result) == CFStringGetTypeID()) {`
`147`	`146`	`return static_cast<NSString*>(result);`