Impelement 'samply setup' to codesign binary

mstange · May 20, 2024 · 949ae51 · 949ae51
1 parent 6cc0ae7
commit 949ae51
Show file tree

Hide file tree

Showing 5 changed files with 85 additions and 5 deletions.
diff --git a/samply/src/mac/codesign_setup.rs b/samply/src/mac/codesign_setup.rs
@@ -0,0 +1,66 @@
+use std::{env, io::Write};
+
+const ENTITLEMENTS_XML: &str = r#"<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+	<key>com.apple.security.cs.debugger</key>
+	<true/>
+</dict>
+</plist>
+"#;
+
+pub fn codesign_setup() {
+    print!(
+        r#"
+On macOS, attaching to an existing process is only allowed to binaries with
+the com.apple.security.cs.debugger entitlement. The samply binary will be
+signed with this entitlement for your local machine only. The following command
+will be run:
+
+    codesign --force --options runtime --sign - \
+      --entitlements entitlements.xml {}
+
+entitlements.xml contains:
+    
+    {}
+
+Press any key to continue, or Ctrl-C to cancel.
+"#,
+        env::current_exe().unwrap().display(),
+        ENTITLEMENTS_XML
+    );
+
+    let mut input = String::new();
+    std::io::stdin()
+        .read_line(&mut input)
+        .expect("Failed to read input?");
+
+    let mut entitlements_file = tempfile::Builder::new()
+        .prefix("samply_entitlements")
+        .suffix(".xml")
+        .tempfile()
+        .expect("Failed to create temporary file for entitlements!");
+
+    entitlements_file
+        .write_all(ENTITLEMENTS_XML.as_bytes())
+        .expect("Failed to write entitlements to temporary file!");
+
+    let entitlements_path = entitlements_file.path();
+
+    // codesign for the current machine:
+    //    codesign --force --options runtime --sign - --entitlements ent.xml target/debug/usamply
+    std::process::Command::new("codesign")
+        .arg("--force")
+        .arg("--options")
+        .arg("runtime")
+        .arg("--sign")
+        .arg("-")
+        .arg("--entitlements")
+        .arg(entitlements_path)
+        .arg(env::current_exe().unwrap())
+        .output()
+        .expect("Failed to run codesign!");
+
+    println!(r"Code signing successful!");
+}
diff --git a/samply/src/mac/mod.rs b/samply/src/mac/mod.rs
@@ -1,6 +1,7 @@
 #[allow(deref_nullptr)]
 mod dyld_bindings;
 
+pub mod codesign_setup;
 mod error;
 pub mod kernel_error;
 mod mach_ipc;

diff --git a/samply/src/mac/process_launcher.rs b/samply/src/mac/process_launcher.rs
@@ -287,7 +287,11 @@ impl ExistingProcessRunner {
                         return;
                     }
 
-                    eprintln!("Error: task_for_pid for target task failed with error code {kr}. Does the profiler have entitlements?");
+                    eprintln!("Error: task_for_pid for target task failed with error code {kr}.");
+                    eprintln!(
+                        "Please run 'samply setup' in order to grant appropriate entitlements"
+                    );
+                    eprintln!("to the binary.");
                     std::process::exit(1);
                 }
                 task_suspend(task);
@@ -301,7 +305,7 @@ impl ExistingProcessRunner {
         };
 
         // always root pid first
-        queue_pid(pid, true);
+        queue_pid(pid, false);
 
         // TODO: find all its children
 

diff --git a/samply/src/mac/profiler.rs b/samply/src/mac/profiler.rs
@@ -34,9 +34,8 @@ pub fn start_recording(
 
     let root_task_runner: Box<dyn RootTaskRunner> = match recording_mode {
         RecordingMode::All => {
-            // TODO: Implement, by sudo launching a helper process which uses task_for_pid
-            eprintln!("Error: Profiling existing processes is currently not supported on macOS.");
-            eprintln!("You can only profile processes which you launch via samply.");
+            eprintln!("Error: Profiling all processes is not supported on macOS.");
+            eprintln!("You can only profile processes which you launch via samply, or attach to via --pid.");
             std::process::exit(1)
         }
         RecordingMode::Pid(pid) => {

diff --git a/samply/src/main.rs b/samply/src/main.rs
@@ -87,6 +87,10 @@ enum Action {
     #[clap(hide = true)]
     /// Used in the elevated helper process.
     RunElevatedHelper(RunElevatedHelperArgs),
+
+    /// Codesign the samply binary on macOS to allow attaching to processes.
+    #[cfg(target_os = "macos")]
+    Setup,
 }
 
 #[derive(Debug, Args)]
@@ -333,13 +337,19 @@ fn main() {
             };
             std::process::exit(exit_status.code().unwrap_or(0));
         }
+
         #[cfg(target_os = "windows")]
         Action::RunElevatedHelper(RunElevatedHelperArgs {
             ipc_directory,
             output_path,
         }) => {
             windows::run_elevated_helper(&ipc_directory, output_path);
         }
+
+        #[cfg(target_os = "macos")]
+        Action::Setup => {
+            mac::codesign_setup::codesign_setup();
+        }
     }
 }