make mach behavior configurable

themiswang · themiswang · commit 25c3abfd0a8a · 2026-01-14T12:17:01.000-05:00
diff --git a/Crashlytics/CHANGELOG.md b/Crashlytics/CHANGELOG.md
@@ -1,5 +1,5 @@
-# Unrelased
-- [fixed] Conformed to Mach IPC security restrictions. Note: This change would potentially change mach exception types we receive from kernel which might affect issue clustering result. (#15393)
+# Unreleased
+- [fixed] Added ability to conformed to Mach IPC security restrictions. User need to add FirebaseCrashlyticsMachProtectedEnabled=YES to their info.plist to enable this feature. Note: This change would potentially change mach exception types we receive from kernel which might affect issue clustering result. (#15393)
 
 # 12.4.0
 - [fixed] Make set development platform APIs to chain on Crashlytics context init promise.
diff --git a/Crashlytics/Crashlytics/Components/FIRCLSContext.m b/Crashlytics/Crashlytics/Components/FIRCLSContext.m
@@ -65,6 +65,7 @@
   initData.previouslyCrashedFileRootPath = [fileManager rootPath];
   initData.errorsEnabled = [settings errorReportingEnabled];
   initData.customExceptionsEnabled = [settings customExceptionsEnabled];
+  initData.machProtectedEnabled = [settings machProtectedEnabled];
   initData.maxCustomExceptions = [settings maxCustomExceptions];
   initData.maxErrorLogSize = [settings errorLogBufferSize];
   initData.maxLogSize = [settings logBufferSize];
@@ -185,6 +186,12 @@
       _firclsContext.readonly->machException.path =
           FIRCLSContextAppendToRoot(rootPath, FIRCLSReportMachExceptionFile);
 
+      // from settings checkout behavior
+      _firclsContext.readonly->machException.behavior = EXCEPTION_DEFAULT;
+      if (initData.machProtectedEnabled) {
+        _firclsContext.readonly->machException.behavior = EXCEPTION_IDENTITY_PROTECTED;
+      }
+
       FIRCLSMachExceptionInit(&_firclsContext.readonly->machException);
     });
 #endif
diff --git a/Crashlytics/Crashlytics/FIRCrashlytics.m b/Crashlytics/Crashlytics/FIRCrashlytics.m
@@ -146,11 +146,14 @@ - (instancetype)initWithApp:(FIRApp *)app
 
     _fileManager = [[FIRCLSFileManager alloc] init];
     _googleAppID = app.options.googleAppID;
+    // getting data collection state from info.plist, user defaults etc. disk I/O on main
     _dataArbiter = [[FIRCLSDataCollectionArbiter alloc] initWithApp:app withAppInfo:appInfo];
 
     FIRCLSApplicationIdentifierModel *appModel = [[FIRCLSApplicationIdentifierModel alloc] init];
+    // read settings cache, disk I/O on main
     FIRCLSSettings *settings = [[FIRCLSSettings alloc] initWithFileManager:_fileManager
-                                                                appIDModel:appModel];
+                                                                appIDModel:appModel
+                                                                   appInfo:appInfo];
 
     FIRCLSOnDemandModel *onDemandModel =
         [[FIRCLSOnDemandModel alloc] initWithFIRCLSSettings:settings fileManager:_fileManager];
@@ -200,6 +203,7 @@ - (instancetype)initWithApp:(FIRApp *)app
     }
 
     _contextInitPromise =
+        // setup with context init (binary image, register exception handler)
         [[[_reportManager startWithProfiling] then:^id _Nullable(NSNumber *_Nullable value) {
           if (![value boolValue]) {
             FIRCLSErrorLog(@"Crash reporting could not be initialized");
diff --git a/Crashlytics/Crashlytics/Handlers/FIRCLSMachException.c b/Crashlytics/Crashlytics/Handlers/FIRCLSMachException.c
@@ -33,18 +33,19 @@
 static void* FIRCLSMachExceptionServer(void* argument);
 static bool FIRCLSMachExceptionThreadStart(FIRCLSMachExceptionReadContext* context);
 static bool FIRCLSMachExceptionReadMessage(FIRCLSMachExceptionReadContext* context,
-                                           MachExceptionProtectedMessage* message);
+                                           MachExceptionMessage* message);
 static kern_return_t FIRCLSMachExceptionDispatchMessage(FIRCLSMachExceptionReadContext* context,
-                                                        MachExceptionProtectedMessage* message);
+                                                        MachExceptionMessage* message);
 static bool FIRCLSMachExceptionReply(FIRCLSMachExceptionReadContext* context,
-                                     MachExceptionProtectedMessage* message,
+                                     MachExceptionMessage* message,
                                      kern_return_t result);
 static bool FIRCLSMachExceptionRegister(FIRCLSMachExceptionReadContext* context);
 static bool FIRCLSMachExceptionUnregister(FIRCLSMachExceptionOriginalPorts* originalPorts,
-                                          exception_mask_t mask);
+                                          exception_mask_t mask,
+                                          exception_behavior_t behavior);
 static bool FIRCLSMachExceptionRecord(FIRCLSMachExceptionReadContext* context,
-                                      MachExceptionProtectedMessage* message);
-static void FIRCLSCrashedThreadLookup(MachExceptionProtectedMessage* message, thread_t* crashedThread);
+                                      MachExceptionMessage* message);
+static void FIRCLSCrashedThreadLookup(MachExceptionMessage* message, thread_t* crashedThread);
 #pragma mark - Initialization
 void FIRCLSMachExceptionInit(FIRCLSMachExceptionReadContext* context) {
   if (!FIRCLSUnlinkIfExists(context->path)) {
@@ -58,7 +59,7 @@ void FIRCLSMachExceptionInit(FIRCLSMachExceptionReadContext* context) {
 
   if (!FIRCLSMachExceptionThreadStart(context)) {
     FIRCLSSDKLog("Unable to start thread\n");
-    FIRCLSMachExceptionUnregister(&context->originalPorts, context->mask);
+    FIRCLSMachExceptionUnregister(&context->originalPorts, context->mask, context->behavior);
   }
 }
 
@@ -166,7 +167,7 @@ static void* FIRCLSMachExceptionServer(void* argument) {
   pthread_setname_np("com.google.firebase.crashlytics.MachExceptionServer");
 
   while (1) {
-    MachExceptionProtectedMessage message;
+    MachExceptionMessage message;
 
     // read the exception message
     if (!FIRCLSMachExceptionReadMessage(context, &message)) {
@@ -188,12 +189,12 @@ static void* FIRCLSMachExceptionServer(void* argument) {
 }
 
 static bool FIRCLSMachExceptionReadMessage(FIRCLSMachExceptionReadContext* context,
-                                           MachExceptionProtectedMessage* message) {
+                                           MachExceptionMessage* message) {
   mach_msg_return_t r;
 
-  memset(message, 0, sizeof(MachExceptionProtectedMessage));
+  memset(message, 0, sizeof(MachExceptionMessage));
 
-  r = mach_msg(&message->head, MACH_RCV_MSG | MACH_RCV_LARGE, 0, sizeof(MachExceptionProtectedMessage),
+  r = mach_msg(&message->head, MACH_RCV_MSG | MACH_RCV_LARGE, 0, sizeof(MachExceptionMessage),
                context->port, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
   if (r != MACH_MSG_SUCCESS) {
     FIRCLSSDKLog("Error receiving mach_msg (%d)\n", r);
@@ -206,25 +207,30 @@ static bool FIRCLSMachExceptionReadMessage(FIRCLSMachExceptionReadContext* conte
 }
 
 static kern_return_t FIRCLSMachExceptionDispatchMessage(FIRCLSMachExceptionReadContext* context,
-                                                        MachExceptionProtectedMessage* message) {
+                                                        MachExceptionMessage* message) {
   FIRCLSSDKLog("Mach exception: 0x%x, count: %d, code: 0x%llx 0x%llx\n", message->exception,
                message->codeCnt, message->codeCnt > 0 ? message->code[0] : -1,
                message->codeCnt > 1 ? message->code[1] : -1);
 
   // This will happen if a child process raises an exception, as the exception ports are
   // inherited.
   mach_port_t actual_port;
-  kern_return_t kr;
-  task_id_token_t token = message->task_id.name;
-  kr = task_identity_token_get_task_port(token, TASK_FLAVOR_CONTROL, &actual_port);
+  kern_return_t kr = KERN_SUCCESS;
+  if (context->behavior == EXCEPTION_DEFAULT){
+    actual_port = message->payload.default_payload.task.name;
+  } else {
+    // EXCEPTION_IDENTITY_PROTECTED
+    task_id_token_t token = message->payload.protected_payload.task_id_token.name;
+    kr = task_identity_token_get_task_port(token, TASK_FLAVOR_CONTROL, &actual_port);
+  }
 
   if (kr || actual_port != mach_task_self()) {
     FIRCLSSDKLog("Mach exception task mis-match, returning failure\n");
     return KERN_FAILURE;
   }
 
   FIRCLSSDKLog("Unregistering handler\n");
-  if (!FIRCLSMachExceptionUnregister(&context->originalPorts, context->mask)) {
+  if (!FIRCLSMachExceptionUnregister(&context->originalPorts, context->mask, context->behavior)) {
     FIRCLSSDKLog("Failed to unregister\n");
     return KERN_FAILURE;
   }
@@ -245,7 +251,7 @@ static kern_return_t FIRCLSMachExceptionDispatchMessage(FIRCLSMachExceptionReadC
 }
 
 static bool FIRCLSMachExceptionReply(FIRCLSMachExceptionReadContext* context,
-                                     MachExceptionProtectedMessage* message,
+                                     MachExceptionMessage* message,
                                      kern_return_t result) {
   MachExceptionReply reply;
   mach_msg_return_t r;
@@ -301,7 +307,7 @@ static bool FIRCLSMachExceptionRegister(FIRCLSMachExceptionReadContext* context)
 
   // ORing with MACH_EXCEPTION_CODES will produce 64-bit exception data
   kr = task_swap_exception_ports(task, context->mask, context->port,
-                                 EXCEPTION_IDENTITY_PROTECTED | MACH_EXCEPTION_CODES, THREAD_STATE_NONE,
+                                 context->behavior | MACH_EXCEPTION_CODES, THREAD_STATE_NONE,
                                  context->originalPorts.masks, &context->originalPorts.count,
                                  context->originalPorts.ports, context->originalPorts.behaviors,
                                  context->originalPorts.flavors);
@@ -320,7 +326,8 @@ static bool FIRCLSMachExceptionRegister(FIRCLSMachExceptionReadContext* context)
 }
 
 static bool FIRCLSMachExceptionUnregister(FIRCLSMachExceptionOriginalPorts* originalPorts,
-                                          exception_mask_t mask) {
+                                          exception_mask_t mask,
+                                          exception_behavior_t behavior) {
   kern_return_t kr;
 
   // Re-register all the old ports.
@@ -338,7 +345,7 @@ static bool FIRCLSMachExceptionUnregister(FIRCLSMachExceptionOriginalPorts* orig
 
   // Finally, mark any masks we registered for that do not have an original port as unused.
   kr = task_set_exception_ports(mach_task_self(), mask, MACH_PORT_NULL,
-                                EXCEPTION_IDENTITY_PROTECTED | MACH_EXCEPTION_CODES, THREAD_STATE_NONE);
+                                behavior | MACH_EXCEPTION_CODES, THREAD_STATE_NONE);
   if (kr != KERN_SUCCESS) {
     FIRCLSSDKLog("unable to unset unregistered mask: 0x%x", mask);
     return false;
@@ -477,7 +484,7 @@ void FIRCLSMachExceptionNameLookup(exception_type_t number,
 }
 
 static bool FIRCLSMachExceptionRecord(FIRCLSMachExceptionReadContext* context,
-                                      MachExceptionProtectedMessage* message) {
+                                      MachExceptionMessage* message) {
   if (!context || !message) {
     return false;
   }
@@ -526,7 +533,12 @@ static bool FIRCLSMachExceptionRecord(FIRCLSMachExceptionReadContext* context,
   FIRCLSFileWriteSectionEnd(&file);
 
   thread_t crashedThread;
-  FIRCLSCrashedThreadLookup(message, &crashedThread);
+  if (context->behavior == EXCEPTION_DEFAULT) {
+    crashedThread = message->payload.default_payload.thread.name;
+  } else {
+    // EXCEPTION_IDENTITY_PROTECTED
+    FIRCLSCrashedThreadLookup(message, &crashedThread);
+  }
   FIRCLSSDKLog("Crashed threads: %d\n", crashedThread);
   FIRCLSHandler(&file, crashedThread, NULL, true);
 
@@ -535,12 +547,12 @@ static bool FIRCLSMachExceptionRecord(FIRCLSMachExceptionReadContext* context,
   return true;
 }
 
-static void FIRCLSCrashedThreadLookup(MachExceptionProtectedMessage* message, thread_t* crashedThread) {
+static void FIRCLSCrashedThreadLookup(MachExceptionMessage* message, thread_t* crashedThread) {
   thread_act_array_t threadList;
   mach_msg_type_number_t threadCount;
 
   // last 64 bits include thread id info
-  MachExceptionProtectedThreadInfo protected_thread_info = *(MachExceptionProtectedThreadInfo *) &message->thread_id;
+  MachExceptionProtectedThreadInfo protected_thread_info = *(MachExceptionProtectedThreadInfo *) &message->payload.protected_payload.thread_id;
   kern_return_t kr = task_threads(mach_task_self(), &threadList, &threadCount);
 
   if (kr != KERN_SUCCESS) {
diff --git a/Crashlytics/Crashlytics/Handlers/FIRCLSMachException.h b/Crashlytics/Crashlytics/Handlers/FIRCLSMachException.h
@@ -27,19 +27,40 @@
 
 #pragma mark Structures
 #pragma pack(push, 4)
+
+typedef struct {
+  mach_msg_port_descriptor_t thread;
+  mach_msg_port_descriptor_t task;
+} MachDefaultPayload;
+
+typedef struct {
+  mach_msg_port_descriptor_t task_id_token;
+  mach_msg_port_descriptor_t thread_id;
+} MachProtectdPayload;
+
+union MachMessagePayload {
+  MachDefaultPayload default_payload;
+  MachProtectdPayload protected_payload;
+};
+
+// When set Mach port with default behavior:
+//    payload_1 including thread port
+//    payload_2 including task port
+// When set Mach port with identity protected behavior:
+//    payload_1 including task_id_token
+//    payload_2 including thread_id
 typedef struct {
   mach_msg_header_t head;
   /* start of the kernel processed data */
   mach_msg_body_t msgh_body;
-  mach_msg_port_descriptor_t task_id;
-  mach_msg_port_descriptor_t thread_id;
+  union MachMessagePayload payload;
   /* end of the kernel processed data */
   NDR_record_t NDR;
   exception_type_t exception;
   mach_msg_type_number_t codeCnt;
   mach_exception_data_type_t code[EXCEPTION_CODE_MAX];
   mach_msg_trailer_t trailer;
-} MachExceptionProtectedMessage;
+} MachExceptionMessage;
 
 typedef struct {
   uint64_t pad1;
@@ -68,6 +89,7 @@ typedef struct {
 
   exception_mask_t mask;
   FIRCLSMachExceptionOriginalPorts originalPorts;
+  exception_behavior_t behavior;
 } FIRCLSMachExceptionReadContext;
 
 #pragma mark - API
diff --git a/Crashlytics/Crashlytics/Helpers/FIRCLSContextInitData.h b/Crashlytics/Crashlytics/Helpers/FIRCLSContextInitData.h
@@ -28,6 +28,7 @@ NS_ASSUME_NONNULL_BEGIN
 @property(nonatomic, copy) NSString* betaToken;
 @property(nonatomic) BOOL errorsEnabled;
 @property(nonatomic) BOOL customExceptionsEnabled;
+@property(nonatomic) BOOL machProtectedEnabled;
 @property(nonatomic) uint32_t maxCustomExceptions;
 @property(nonatomic) uint32_t maxErrorLogSize;
 @property(nonatomic) uint32_t maxLogSize;
diff --git a/Crashlytics/Crashlytics/Models/FIRCLSSettings.h b/Crashlytics/Crashlytics/Models/FIRCLSSettings.h
@@ -30,7 +30,8 @@ NS_ASSUME_NONNULL_BEGIN
 - (instancetype)init NS_UNAVAILABLE;
 + (instancetype)new NS_UNAVAILABLE;
 - (instancetype)initWithFileManager:(FIRCLSFileManager *)fileManager
-                         appIDModel:(FIRCLSApplicationIdentifierModel *)appIDModel;
+                         appIDModel:(FIRCLSApplicationIdentifierModel *)appIDModel
+                            appInfo:(NSDictionary *)appInfo;
 
 /**
  * Recreates the settings dictionary by re-reading the settings file from persistent storage. This
@@ -78,6 +79,12 @@ NS_ASSUME_NONNULL_BEGIN
  */
 @property(nonatomic, readonly) BOOL customExceptionsEnabled;
 
+/**
+ * When this is true, Crashlytics will use EXCEPTION_IDENTITY_PROTECTED
+ * for mach exception handler instead of EXCEPTION_DEFAULT for default
+ */
+@property(nonatomic) BOOL machProtectedEnabled;
+
 /**
  * When this is true, Crashlytics will collect data from MetricKit
  */
diff --git a/Crashlytics/Crashlytics/Models/FIRCLSSettings.m b/Crashlytics/Crashlytics/Models/FIRCLSSettings.m
@@ -30,6 +30,8 @@
 NSString *const GoogleAppIDKey = @"google_app_id";
 NSString *const BuildInstanceID = @"build_instance_id";
 NSString *const AppVersion = @"app_version";
+NSString *const FirebaseCrashlyticsMachProtectedEnabledKey =
+    @"FirebaseCrashlyticsMachProtectedEnabled";
 
 @interface FIRCLSSettings ()
 
@@ -47,21 +49,33 @@ @interface FIRCLSSettings ()
 @implementation FIRCLSSettings
 
 - (instancetype)initWithFileManager:(FIRCLSFileManager *)fileManager
-                         appIDModel:(FIRCLSApplicationIdentifierModel *)appIDModel {
+                         appIDModel:(FIRCLSApplicationIdentifierModel *)appIDModel
+                            appInfo:(NSDictionary *)appInfo {
   return
       [self initWithFileManager:fileManager
                      appIDModel:appIDModel
+                        appInfo:(NSDictionary *)appInfo
                   deletionQueue:dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_BACKGROUND, 0)];
 }
 
 - (instancetype)initWithFileManager:(FIRCLSFileManager *)fileManager
                          appIDModel:(FIRCLSApplicationIdentifierModel *)appIDModel
+                            appInfo:(NSDictionary *)appInfo
                       deletionQueue:(dispatch_queue_t)deletionQueue {
   self = [super init];
   if (!self) {
     return nil;
   }
 
+  // config the mach exception message receiving behavior
+  self.machProtectedEnabled = false;
+  id crashlyticsMachProtectedEnabled =
+      [appInfo objectForKey:FirebaseCrashlyticsMachProtectedEnabledKey];
+  if ([crashlyticsMachProtectedEnabled isKindOfClass:[NSString class]] ||
+      [crashlyticsMachProtectedEnabled isKindOfClass:[NSNumber class]]) {
+    self.machProtectedEnabled = [crashlyticsMachProtectedEnabled boolValue];
+  }
+
   _fileManager = fileManager;
   _appIDModel = appIDModel;
 
