mac: Drop JIT entitlement from the proxy resolver process

This was originally attempted in
a8a9ff46, but PartitionAlloc
unconditionally supplied MAP_JIT to mmap() if it was allocating pages
for V8, even though V8 was running in --jitless mode.  Because MAP_JIT
can only be used from a process that has the allow-jit entitlement, this
resulted in the process crashing due to a code signing validation error.

Instead of unconditionally supplying MAP_JIT, PartitionAlloc now will
only do so if the process has the allow-jit entitlement.

Test: Configured a Proxy PAC file, did local signing of Chromium,
  verified that the proxy resolver utility process does not crash.

Bug: 961592, 1052853
Change-Id: Icd1c2db42c208272f36c7d4c0fc1c1c3c6a3520f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2078792Reviewed-by: David Benjamin <davidben@chromium.org>
Reviewed-by: Chris Palmer <palmer@chromium.org>
Commit-Queue: Robert Sesek <rsesek@chromium.org>
Cr-Commit-Position: refs/heads/master@{#745188}

base/allocator/partition_allocator/page_allocator_internals_posix.h

@@ -12,8 +12,11 @@
 #include "build/build_config.h"
 
 #if defined(OS_MACOSX)
+#include "base/mac/foundation_util.h"
 #include "base/mac/mac_util.h"
+#include "base/mac/scoped_cftyperef.h"
 
+#include <Security/Security.h>
 #include <mach/mach.h>
 #endif
 #if defined(OS_ANDROID)
@@ -33,8 +36,9 @@
 
 namespace base {
 
-#if defined(OS_ANDROID)
 namespace {
+
+#if defined(OS_ANDROID)
 const char* PageTagToName(PageTag tag) {
   // Important: All the names should be string literals. As per prctl.h in
   // //third_party/android_ndk the kernel keeps a pointer to the name instead
@@ -56,9 +60,28 @@ const char* PageTagToName(PageTag tag) {
       return "";
   }
 }
-}  // namespace
 #endif  // defined(OS_ANDROID)
 
+#if defined(OS_MACOSX)
+// Tests whether the version of macOS supports the MAP_JIT flag and if the
+// current process is signed with the allow-jit entitlement.
+bool UseMapJit() {
+  if (!mac::IsAtLeastOS10_14())
+    return false;
+
+  ScopedCFTypeRef<SecTaskRef> task(SecTaskCreateFromSelf(kCFAllocatorDefault));
+  ScopedCFTypeRef<CFErrorRef> error;
+  ScopedCFTypeRef<CFTypeRef> value(SecTaskCopyValueForEntitlement(
+      task.get(), CFSTR("com.apple.security.cs.allow-jit"),
+      error.InitializeInto()));
+  if (error)
+    return false;
+  return mac::CFCast<CFBooleanRef>(value.get()) == kCFBooleanTrue;
+}
+#endif  // defined(OS_MACOSX)
+
+}  // namespace
+
 // |mmap| uses a nearby address if the hint address is blocked.
 constexpr bool kHintIsAdvisory = true;
 std::atomic<int32_t> s_allocPageErrorCode{0};
@@ -104,8 +127,8 @@ void* SystemAllocPagesInternal(void* hint,
   // "runtime" option cannot execute writable memory by default. They can opt
   // into this capability by specifying the "com.apple.security.cs.allow-jit"
   // code signing entitlement and allocating the region with the MAP_JIT flag.
-  static const bool kNeedMapJIT = mac::IsAtLeastOS10_14();
-  if (page_tag == PageTag::kV8 && kNeedMapJIT) {
+  static const bool kUseMapJit = UseMapJit();
+  if (page_tag == PageTag::kV8 && kUseMapJit) {
     map_flags |= MAP_JIT;
   }
 #endif

chrome/browser/net/chrome_mojo_proxy_resolver_factory.cc

@@ -46,13 +46,6 @@ proxy_resolver::mojom::ProxyResolverFactory* GetProxyResolverFactory() {
     content::ServiceProcessHost::Launch(
         remote->BindNewPipeAndPassReceiver(),
         content::ServiceProcessHost::Options()
-#if defined(OS_MACOSX)
-            // The proxy_resolver service runs V8, so it needs to run in the
-            // helper application that has the com.apple.security.cs.allow-jit
-            // code signing entitlement, which is CHILD_RENDERER. The service
-            // still runs under the utility process sandbox.
-            .WithChildFlags(content::ChildProcessHost::CHILD_RENDERER)
-#endif
             .WithDisplayName(IDS_PROXY_RESOLVER_DISPLAY_NAME)
 #if defined(OS_WIN)
             .WithSandboxType(service_manager::SandboxType::kProxyResolver)