Give plug-in processes an executable heap and disable PIE/ASLR for Native

Client loader processes.

Some plug-ins depend on having an executable heap. They write code to data
pages and attempt to execute it without calling mprotect to mark this code
as executable.

Native Client needs to allocate a contiguous 1GB of address space. ASLR may
interfere with there being a "hole" this large in the address space by the
time NaCl makes its request.

Non-executable heaps are only available in 10.7 and later for 32-bit
processes.

PIE/ASLR was formerly disabled for all processes other than the browser
process. This change reenables it for all processes other than the NaCl
loader. PIE/ASLR is available on 10.5 and later, although the implementation
is stronger in 10.7 than in earlier releases.

This change results in two new helpers in addition to the existing
Chromium Helper.app: Chromium Helper EH.app (for executable heaps) and
Chromium Helper NP.app (for no PIE). libplugin_carbon_interpose.dylib moves
out of the helper .app and directly into the versioned directory. The
InfoPlist.strings have been removed from the helper app, but empty .lproj
directories remain.

BUG=90221, 93551
TEST=everything
Review URL: http://codereview.chromium.org/7714018

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@97984 0039d316-1c4b-4281-b951-d872f2087c98

2 files changed, 14 insertions, 2 deletions

diff --git a/chrome/installer/mac/sign_app.sh.in b/chrome/installer/mac/sign_app.sh.in
index 64ab064..3023806 100644
--- a/chrome/installer/mac/sign_app.sh.in
+++ b/chrome/installer/mac/sign_app.sh.in
@@ -1,6 +1,6 @@
 #!/bin/bash -p
 
-# Copyright (c) 2009 The Chromium Authors. All rights reserved.
+# Copyright (c) 2011 The Chromium Authors. All rights reserved.
 # Use of this source code is governed by a BSD-style license that can be
 # found in the LICENSE file.
 
@@ -42,12 +42,16 @@ versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 browser_app="${app_path}"
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
+helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app"
+helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"
 
 codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
     "${browser_app}" --resource-rules "${browser_app_rules}"
 
-# Verify everything. Check the framework and helper app to make sure that the
+# Verify everything. Check the framework and helper apps to make sure that the
 # signatures are present and weren't altered by the signing process.
 codesign -v "${framework}"
 codesign -v "${helper_app}"
+codesign -v "${helper_eh_app}"
+codesign -v "${helper_np_app}"
 codesign -v "${browser_app}"
diff --git a/chrome/installer/mac/sign_versioned_dir.sh.in b/chrome/installer/mac/sign_versioned_dir.sh.in
index 4affd5e..82c7fb7 100644
--- a/chrome/installer/mac/sign_versioned_dir.sh.in
+++ b/chrome/installer/mac/sign_versioned_dir.sh.in
@@ -42,10 +42,18 @@ versioned_dir="${app_path}/Contents/Versions/@VERSION@"
 
 framework="${versioned_dir}/@MAC_PRODUCT_NAME@ Framework.framework"
 helper_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper.app"
+helper_eh_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper EH.app"
+helper_np_app="${versioned_dir}/@MAC_PRODUCT_NAME@ Helper NP.app"
 
 codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${framework}"
 codesign -s "${codesign_id}" --keychain "${codesign_keychain}" "${helper_app}"
+codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+    "${helper_eh_app}"
+codesign -s "${codesign_id}" --keychain "${codesign_keychain}" \
+    "${helper_np_app}"
 
 # Verify everything.
 codesign -v "${framework}"
 codesign -v "${helper_app}"
+codesign -v "${helper_eh_app}"
+codesign -v "${helper_np_app}"