
Commit 8702d09

nglevinluispadron
authored andcommitted
Stand up the "secure_features" attribute for rules with comments, flagged behind "enable_wip_features", with TODOs to explain implementation to come.
As a prerequisite to that work, added support for entitlements to macos_dylib and macos_command_line_application. Cherry-pick: f34a7b8
1 parent e0502c4 commit 8702d09

14 files changed

Lines changed: 114 additions & 14 deletions

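--- a/apple/internal/apple_framework_import.bzl
+++ b/apple/internal/apple_framework_import.bzl
@@ -413,6 +413,9 @@ apple_dynamic_framework_import = rule(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "framework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,
@@ -482,6 +485,9 @@ apple_static_framework_import = rule(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "framework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,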

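--- a/apple/internal/apple_xcframework_import.bzl
+++ b/apple/internal/apple_xcframework_import.bzl
@@ -762,6 +762,9 @@ objc_library(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "xcframework_imports": attr.label_list(
 allow_empty = False,
 allow_files = True,
@@ -835,6 +838,9 @@ objc_library(
 attrs = dicts.add(
 rule_attrs.common_tool_attrs(),
 {
+# TODO: b/449684779 - Add an "expected_secure_features" attribute to declare what
+# features are expected to be present in the precompiled framework, so the rules can
+# validate against that and set required entitlements if necessary.
 "alwayslink": attr.bool(
 default = False,
 doc = """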

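--- a/apple/internal/entitlements_support.bzl
+++ b/apple/internal/entitlements_support.bzl
@@ -194,12 +194,14 @@ def _extract_signing_info(
 def _process_entitlements(
 actions,
 apple_mac_toolchain_info,
+apple_xplat_toolchain_info,
 bundle_id,
 entitlements_file,
 platform_prerequisites,
 product_type,
 provisioning_profile,
 rule_label,
+secure_features,
 validation_mode):
 """Processes the entitlements for a binary or bundle.
 
@@ -232,6 +234,8 @@ def _process_entitlements(
 from which entitlements will be extracted if `entitlements_file` is
 `None`. This argument may also be `None`.
 rule_label: The `Label` of the target being built.
+secure_features: A list of strings representing Apple Enhanced Security crosstool features
+that should be enabled for this target.
 validation_mode: A value from `entitlements_validation_mode` describing
 how the entitlements should be validated.
 
@@ -263,6 +267,14 @@ def _process_entitlements(
 if _include_app_clip_entitlements(product_type = product_type):
 app_clip = {"com.apple.developer.on-demand-install-capable": True}
 forced_plists.append(struct(**app_clip))
+if secure_features:
+if not apple_xplat_toolchain_info.build_settings.enable_wip_features:
+fail("secure_features are still a work in progress and not yet supported in the rules.")
+
+# TODO: b/449684779 - Have a mapping to declare which entitlements should be added for the
+# given secure_features on Xcode 26.0 and later with validation against supported features.
+# Create a new bzl (secure_features_support) to contain this mapping and validation and use
+# it here.
 
 inputs = list(plists)
 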
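Review bot: In the last hunk, a target that sets `secure_features` while `build_settings.enable_wip_features` is on passes the guard and then nothing visible acts on the list; the lines after the `fail()` are only a TODO, so the build succeeds without any entitlement being added for the requested features. For a hardening attribute that is a silent no-op, and until the mapping lands the enabled path should be loud as well, for example `print("WARNING: %s sets secure_features, which does not add entitlements yet." % rule_label)`. The `fail()` message would be easier to act on if it named the target and the gate: `fail("%s: secure_features is a work in progress and requires the enable_wip_features build setting." % rule_label)`. The docstring hunk documents `secure_features`, but none of this file's 12 added lines documents the new `apple_xplat_toolchain_info` argument. The body of `_process_entitlements` continues outside the hunks.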

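--- a/apple/internal/ios_rules.bzl
+++ b/apple/internal/ios_rules.bzl
@@ -232,12 +232,14 @@ def _ios_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -621,12 +623,14 @@ def _ios_app_clip_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1203,12 +1207,14 @@ def _ios_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1941,12 +1947,14 @@ def _ios_imessage_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2149,12 +2157,14 @@ def _ios_imessage_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2421,12 +2431,14 @@ def _ios_sticker_pack_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 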

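--- a/apple/internal/macos_rules.bzl
+++ b/apple/internal/macos_rules.bzl
@@ -230,12 +230,14 @@ def _macos_application_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -540,12 +542,14 @@ def _macos_bundle_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -788,12 +792,14 @@ def _macos_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1070,12 +1076,14 @@ def _macos_quick_look_plugin_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1317,12 +1325,14 @@ def _macos_kernel_extension_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1568,12 +1578,14 @@ def _macos_spotlight_importer_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -1809,12 +1821,14 @@ def _macos_xpc_service_impl(ctx):
 entitlements = entitlements_support.process_entitlements(
 actions = actions,
 apple_mac_toolchain_info = apple_mac_toolchain_info,
+apple_xplat_toolchain_info = apple_xplat_toolchain_info,
 bundle_id = bundle_id,
 entitlements_file = ctx.file.entitlements,
 platform_prerequisites = platform_prerequisites,
 product_type = rule_descriptor.product_type,
 provisioning_profile = provisioning_profile,
 rule_label = label,
+secure_features = ctx.attr.secure_features,
 validation_mode = ctx.attr.entitlements_validation,
 )
 
@@ -2729,7 +2743,6 @@ Targets created with `macos_command_line_application` can be executed using
 platform_type = "macos",
 ),
 rule_attrs.signing_attrs(
-supports_capabilities = False,
 profile_extension = ".provisionprofile",
 ),
 {
@@ -2786,7 +2799,6 @@ macos_dylib = rule_factory.create_apple_rule(
 platform_type = "macos",
 ),
 rule_attrs.signing_attrs(
-supports_capabilities = False,
 profile_extension = ".provisionprofile",
 ),
 {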
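Review bot: None of this file's 14 added lines touches the implementations of `macos_command_line_application` or `macos_dylib`, yet the last two hunks remove `supports_capabilities = False` from their `rule_attrs.signing_attrs(...)` calls. If those implementations already call `entitlements_support.process_entitlements`, each call must now also pass `apple_xplat_toolchain_info` and `secure_features`, which the signature change in entitlements_support.bzl adds with no visible defaults. If they do not call it, the attributes this exposes would presumably be accepted and then ignored, so a binary could be signed without the entitlements its target declares. Both implementations are outside the visible hunks, so please confirm which case applies. Unless the files not shown here already cover it, add a build test that sets `entitlements` on each of the two rules.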

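--- a/apple/internal/rule_attrs.bzl
+++ b/apple/internal/rule_attrs.bzl
@@ -467,6 +467,12 @@ the provisioning profile to ensure they are supported.
 entitlements_validation_mode.skip,
 ],
 ),
+"secure_features": attr.string_list(
+doc = """
+A list of strings representing Apple Enhanced Security crosstool features that should be enabled for
+this target.
+""",
+),
 "shared_capabilities": attr.label_list(
 providers = [[AppleSharedCapabilityInfo]],
 doc = """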

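--- a/apple/internal/testing/build_test_rules.bzl
+++ b/apple/internal/testing/build_test_rules.bzl
@@ -97,6 +97,9 @@ def apple_build_test_rule(doc, platform_type):
 # libraries compiles.
 return rule(
 attrs = {
+# TODO: b/449684779 - Add a "secure_features" attribute to set required Clang
+# features for the purposes of build testing. Don't concern ourselves with setting
+# entitlements as they should not be necessary for validating compile time behavior.
 "minimum_os_version": attr.string(
 mandatory = True,
 doc = """\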

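--- a/apple/internal/transition_support.bzl
+++ b/apple/internal/transition_support.bzl
@@ -453,6 +453,10 @@ def _apple_rule_base_transition_impl(settings, attr):
 minimum_os_version = attr.minimum_os_version
 platform_type = attr.platform_type
 building_apple_bundle = getattr(attr, "_building_apple_bundle", True)
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 building_apple_bundle = building_apple_bundle,
 environment_arch = _environment_archs(platform_type, minimum_os_version, settings)[0],
@@ -472,6 +476,9 @@ _apple_rule_base_transition_inputs = _apple_rule_common_transition_inputs + [
 "//command_line_option:platforms",
 "//command_line_option:ios_multi_cpus",
 "//command_line_option:macos_cpus",
+# TODO: b/449684779 - Add //command_line_option:features as a required input here. This is
+# needed to allow the transition to see the current value of the --features flag so it can
+# potentially amend it with secure_features if needed.
 "//command_line_option:tvos_cpus",
 "//command_line_option:watchos_cpus",
 ] + (["//command_line_option:visionos_cpus"] if _supports_visionos else [])
@@ -488,6 +495,8 @@ _apple_rule_base_transition_outputs = [
 "//command_line_option:compiler",
 "//command_line_option:cpu",
 "//command_line_option:fission",
+# TODO: b/449684779 - Add //command_line_option:features as a required output here. Remember
+# that `[]` can be passed through to indicate "make no changes to incoming --features".
 "//command_line_option:grte_top",
 "//command_line_option:ios_minimum_os",
 "//command_line_option:macos_minimum_os",
@@ -518,6 +527,10 @@ def _apple_platforms_rule_base_transition_impl(settings, attr):
 if not settings["//command_line_option:incompatible_enable_apple_toolchain_resolution"]:
 # Add fallback to match an anticipated split of Apple cpu-based resolution
 environment_arch = _environment_archs(platform_type, minimum_os_version, settings)[0]
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 apple_platforms = settings["//command_line_option:apple_platforms"],
 building_apple_bundle = building_apple_bundle,
@@ -546,6 +559,10 @@ def _apple_platforms_rule_bundle_output_base_transition_impl(settings, attr):
 settings = settings,
 minimum_os_version = minimum_os_version,
 )
+
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
 return _command_line_options(
 apple_platforms = settings["//command_line_option:apple_platforms"],
 building_apple_bundle = building_apple_bundle,
@@ -729,6 +746,10 @@ _apple_platform_split_transition = transition(
 def _xcframework_base_transition_impl(settings, _):
 """Rule transition for XCFramework rules producing SDK-adjacent artifacts."""
 
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
+
 # For safety, lean on darwin_{default arch} with no incoming minimum_os_version to avoid
 # incoming settings meant for other platforms overriding the settings for the xcframework rule's
 # underlying actions, and allow for toolchain resolution in the future.
@@ -750,6 +771,10 @@ def _xcframework_split_transition_impl(settings, attr):
 """Starlark 1:2+ transition for generation of multiple frameworks for the current target."""
 output_dictionary = {}
 
+# TODO: b/449684779 - Perform light validation to determine if the secure_features should be
+# configured and amended to the existing set of features for this target so the crosstool can
+# configure required Clang features, and determine if we should set arm64e as necessary.
+
 for platform_type in ["ios", "tvos", "watchos", "visionos", "macos"]:
 platform_attr = getattr(attr, platform_type, None)
 if not platform_attr: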
