From cc55c8db898f098361173e8058f8aef6e6372a55 Mon Sep 17 00:00:00 2001
From: Dave Page <dpage@pgadmin.org>
Date: Wed, 5 Oct 2022 12:36:53 +0100
Subject: [PATCH] Tighten up macOS entitlements, and add comments explaining.

Note that this re-enables executable page protection, which was disabled for unknown reasons.
---
 pkg/mac/entitlements.plist.in | 53 ++++++++++++++++++++++++++++++++++-
 1 file changed, 52 insertions(+), 1 deletion(-)

diff --git a/pkg/mac/entitlements.plist.in b/pkg/mac/entitlements.plist.in
index b244af228..03958c4ae 100644
--- a/pkg/mac/entitlements.plist.in
+++ b/pkg/mac/entitlements.plist.in
@@ -2,11 +2,62 @@
 <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
 <plist version="1.0">
 <dict>
+    <!--
+        Disable Sandboxing. This must be enabled for the app store, but it will
+        cause NWjs to fail to start with an error like:
+
+            [1004/170922.238911:ERROR:directory_reader_posix.cc(42)] opendir /dev/fd: Operation not permitted (1)
+
+        We should figure out why that happens and fix it one day, but for now
+        we just don't support the app store.
+    -->
     <key>com.apple.security.app-sandbox</key>
     <false/>
+
+    <!--
+        Set the app group name for IPC and access to shared containers between
+        our processes.
+    -->
     <key>com.apple.security.application-groups</key>
     <string>%TEAMID%.org.pgadmin.pgadmin4</string>
+
+    <!--
+        We have no need for JIT.
+    -->
+    <key>com.apple.security.cs.allow-jit</key>
+    <false/>
+
+    <!--
+        Explicitly disallow executable code overwriting/patching.
+    -->
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
+    <false/>
+
+    <!--
+        Explicitly disallow use of dynamic loader environment variables that
+        could be used for code injection.
+    -->
+    <key>com.apple.security.cs.allow-dyld-environment-variables</key>
+    <false/>
+
+    <!--
+        Explicitly ensure that library validation is enabled so we only load
+        libraries and frameworks signed by us or Apple.
+    -->
+    <key>com.apple.security.cs.disable-library-validation</key>
+    <false/>
+
+    <!--
+        Ensure we can't modify our own executables.
+    -->
     <key>com.apple.security.cs.disable-executable-page-protection</key>
-    <true/>
+    <false/>
+
+    <!--
+        We're not a debugger (well, except for procedural languages in Postgres,
+        but that doesn't count).
+    -->
+    <key>com.apple.security.cs.debugger</key>
+    <false/>
 </dict>
 </plist>
\ No newline at end of file