
Commit 3d03580

nglevinluispadron
authored andcommitted
Stand up the "secure_features" attribute for rules with comments, flagged behind "enable_wip_features", with TODOs to explain implementation to come.
As a prerequisite to that work, added support for entitlements to macos_dylib and macos_command_line_application. Cherry-pick: f34a7b8
1 parent 6c983a1 commit 3d03580

14 files changed

Lines changed: 114 additions & 14 deletions

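--- a/apple/internal/apple_framework_import.bzl
+++ b/apple/internal/apple_framework_import.bzl
@@ -413,6 +413,9 @@ apple_dynamic_framework_import = rule(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "framework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,
@@ -482,6 +485,9 @@ apple_static_framework_import = rule(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "framework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,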

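--- a/apple/internal/apple_xcframework_import.bzl
+++ b/apple/internal/apple_xcframework_import.bzl
@@ -753,6 +753,9 @@ objc_library(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "xcframework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,
@@ -826,6 +829,9 @@ objc_library(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "alwayslink": attr.bool(
 default = False,
 doc = """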

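--- a/apple/internal/entitlements_support.bzl
+++ b/apple/internal/entitlements_support.bzl
@@ -194,12 +194,14 @@ def _extract_signing_info(
 def _process_entitlements(
 actions,
 apple_mac_toolchain_info,
+apple_xplat_toolchain_info,
 bundle_id,
 entitlements_file,
 platform_prerequisites,
 product_type,
 provisioning_profile,
 rule_label,
+secure_features,
 validation_mode):
 """Processes the entitlements for a binary or bundle.
 
@@ -232,6 +234,8 @@ def _process_entitlements(
 from which entitlements will be extracted if `entitlements_file` is
 `None`. This argument may also be `None`.
 rule_label: The `Label` of the target being built.
+secure_features: A list of strings representing Apple Enhanced Security crosstool features
+that should be enabled for this target.
 validation_mode: A value from `entitlements_validation_mode` describing
 how the entitlements should be validated.
 
@@ -263,6 +267,14 @@ def _process_entitlements(
 if _include_app_clip_entitlements(product_type = product_type):
 app_clip = {"com.apple.developer.on-demand-install-capable": True}
 forced_plists.append(struct(**app_clip))
+if secure_features:
+if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+fail("secure_features are still a work in progress and not yet supported in the rules.")
+
+# TODO: b/449684779 - Have a mapping to declare which entitlements should be added for the
+# given secure_features on Xcode 26.0 and later with validation against supported features.
+# Create a new bzl (secure_features_support) to contain this mapping and validation and use
+# it here.
 
 inputs = list(plists)
 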
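Review bot: In the third hunk, a non-empty `secure_features` that passes the `enable_wip_features` guard has no effect at all: the branch ends in a TODO, so no entitlement is added and the feature names are not checked against anything. A target can therefore declare hardening features and still build without the matching entitlements, with nothing in the build output to say so. Until the mapping lands I would make the gap visible after the guard, for example `print("WARNING: secure_features on %s does not yet add any entitlements" % rule_label)`. The second hunk documents `secure_features` in the docstring but adds no entry for the new `apple_xplat_toolchain_info` parameter. `_process_entitlements` continues outside the visible hunks.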

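--- a/apple/internal/ios_rules.bzl
+++ b/apple/internal/ios_rules.bzl
@@ -232,12 +232,14 @@ def _ios_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -624,12 +626,14 @@ def _ios_app_clip_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1197,12 +1201,14 @@ def _ios_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1938,12 +1944,14 @@ def _ios_imessage_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2146,12 +2154,14 @@ def _ios_imessage_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2418,12 +2428,14 @@ def _ios_sticker_pack_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 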

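--- a/apple/internal/macos_rules.bzl
+++ b/apple/internal/macos_rules.bzl
@@ -230,12 +230,14 @@ def _macos_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -543,12 +545,14 @@ def _macos_bundle_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -791,12 +795,14 @@ def _macos_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1073,12 +1079,14 @@ def _macos_quick_look_plugin_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1320,12 +1328,14 @@ def _macos_kernel_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1571,12 +1581,14 @@ def _macos_spotlight_importer_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1812,12 +1824,14 @@ def _macos_xpc_service_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2732,7 +2746,6 @@ Targets created with `macos_command_line_application` can be executed using
 platform_type = "macos",
 ),
 rule_attrs.signing_attrs(
-supports_capabilities = False,
 profile_extension = ".provisionprofile",
 ),
 {
@@ -2789,7 +2802,6 @@ macos_dylib = rule_factory.create_apple_rule(
 platform_type = "macos",
 ),
 rule_attrs.signing_attrs(
-supports_capabilities = False,
 profile_extension = ".provisionprofile",
 ),
 {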
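Review bot: The last two hunks drop `supports_capabilities = False` from `rule_attrs.signing_attrs(...)` for `macos_command_line_application` and `macos_dylib`, but no hunk in this section touches the implementation functions of those two rules. If removing the flag is what exposes the entitlement attributes and `secure_features` on them (inferred from the commit description and from where the attribute sits in rule_attrs.bzl), confirm that both implementations pass `secure_features = ctx.attr.secure_features` into `entitlements_support.process_entitlements` the way the seven call sites above do. Otherwise the attribute would be accepted on those rules and never reach the `enable_wip_features` guard, so a hardening setting would be dropped without an error. Both rule definitions start and end outside the hunks.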

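--- a/apple/internal/rule_attrs.bzl
+++ b/apple/internal/rule_attrs.bzl
@@ -473,6 +473,12 @@ the provisioning profile to ensure they are supported.
 entitlements_validation_mode.skip,
 ],
 ),
+"secure_features": attr.string_list(
+doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
+""",
+),
 "shared_capabilities": attr.label_list(
 providers = [[AppleSharedCapabilityInfo]],
 doc = """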
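Review bot: The `doc` string of the new `secure_features` attribute does not say that the attribute is gated: per entitlements_support.bzl in this commit, any non-empty value fails the build unless `enable_wip_features` is set, and with it set nothing is applied yet. It also does not name the accepted feature strings, so a reader cannot tell a misspelled entry from a valid one. I would add a sentence such as `Work in progress: setting this fails the build unless WIP features are enabled, and no entitlements are derived from it yet.` and list the accepted values once they are defined. The enclosing attribute dictionary starts and ends outside the hunk.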

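--- a/apple/internal/testing/build_test_rules.bzl
+++ b/apple/internal/testing/build_test_rules.bzl
@@ -97,6 +97,9 @@ def apple_build_test_rule(doc, platform_type):
 # libraries compiles.
 return rule(
 attrs = {
+# TODO: b/449684779 - Add a "secure_features" attribute to set required Clang
+# features for the purposes of build testing. Don't concern ourselves with setting
+# entitlements as they should not be necessary for validating compile time behavior.
 "minimum_os_version": attr.string(
 mandatory = True,
 doc = """\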

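--- a/apple/internal/transition_support.bzl
+++ b/apple/internal/transition_support.bzl
@@ -454,6 +454,10 @@ def _apple_rule_base_transition_impl(settings, attr):
 minimum_os_version = attr.minimum_os_version
 platform_type = attr.platform_type
 building_apple_bundle = getattr(attr, "_building_apple_bundle", True)
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 building_apple_bundle = building_apple_bundle,
 environment_arch = _environment_archs(platform_type, minimum_os_version, settings)[0],
@@ -473,6 +477,9 @@ _apple_rule_base_transition_inputs = _apple_rule_common_transition_inputs + [
 "//command_line_option:platforms",
 "//command_line_option:ios_multi_cpus",
 "//command_line_option:macos_cpus",
+# TODO: b/449684779 - Add //command_line_option:features as a required input here. This is
+# needed to allow the transition to see the current value of the --features flag so it can
+# potentially amend it with secure_features if needed.
 "//command_line_option:tvos_cpus",
 "//command_line_option:watchos_cpus",
 ] + (["//command_line_option:visionos_cpus"] if _supports_visionos else [])
@@ -489,6 +496,8 @@ _apple_rule_base_transition_outputs = [
 "//command_line_option:compiler",
 "//command_line_option:cpu",
 "//command_line_option:fission",
+# TODO: b/449684779 - Add //command_line_option:features as a required output here. Remember
+# that `[]` can be passed through to indicate "make no changes to incoming --features".
 "//command_line_option:grte_top",
 "//command_line_option:ios_minimum_os",
 "//command_line_option:macos_minimum_os",
@@ -519,6 +528,10 @@ def _apple_platforms_rule_base_transition_impl(settings, attr):
 if not settings["//command_line_option:incompatible_enable_apple_toolchain_resolution"]:
 # Add fallback to match an anticipated split of Apple cpu-based resolution
 environment_arch = _environment_archs(platform_type, minimum_os_version, settings)[0]
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 apple_platforms = settings["//command_line_option:apple_platforms"],
 building_apple_bundle = building_apple_bundle,
@@ -547,6 +560,10 @@ def _apple_platforms_rule_bundle_output_base_transition_impl(settings, attr):
 settings = settings,
 minimum_os_version = minimum_os_version,
 )
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 apple_platforms = settings["//command_line_option:apple_platforms"],
 building_apple_bundle = building_apple_bundle,
@@ -730,6 +747,10 @@ _apple_platform_split_transition = transition(
 def _xcframework_base_transition_impl(settings, _):
 """Rule transition for XCFramework rules producing SDK-adjacent artifacts."""
 
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
+
 # For safety, lean on darwin_{default arch} with no incoming minimum_os_version to avoid
 # incoming settings meant for other platforms overriding the settings for the xcframework rule's
 # underlying actions, and allow for toolchain resolution in the future.
@@ -751,6 +772,10 @@ def _xcframework_split_transition_impl(settings, attr):
 """Starlark 1:2+ transition for generation of multiple frameworks for the current target."""
 output_dictionary = {}
 
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
+
 for platform_type in ["ios", "tvos", "watchos", "visionos", "macos"]:
 platform_attr = getattr(attr, platform_type, None)
 if not platform_attr: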
