diff --git a/packages/browseros/build/common/server_binaries.py b/packages/browseros/build/common/server_binaries.py
index 20a6ca879..e15db3b54 100644
--- a/packages/browseros/build/common/server_binaries.py
+++ b/packages/browseros/build/common/server_binaries.py
@@ -30,7 +30,7 @@ class SignSpec:
 ),
 "bun": SignSpec("bun", "runtime", "browseros-executable-entitlements.plist"),
 "rg": SignSpec("rg", "runtime"),
- "limactl": SignSpec("limactl", "runtime"),
+ "limactl": SignSpec("limactl", "runtime", "lima-vz-entitlements.plist"),
 }
diff --git a/packages/browseros/build/common/server_binaries_test.py b/packages/browseros/build/common/server_binaries_test.py
index f258bb0f7..b41e2891b 100644
--- a/packages/browseros/build/common/server_binaries_test.py
+++ b/packages/browseros/build/common/server_binaries_test.py
@@ -1,6 +1,7 @@
 #!/usr/bin/env python3
 """Tests for the shared server-binary sign table."""
+import plistlib
 import unittest
 from pathlib import Path
@@ -33,6 +34,15 @@ def test_macos_sign_spec_for_resolves_by_stem(self):
 self.assertEqual(spec.identifier_suffix, "limactl")
 self.assertIsNone(macos_sign_spec_for(Path("/x/not_a_known_binary")))
+ def test_limactl_uses_vz_entitlement(self):
+ entitlements_name = "lima-vz-entitlements.plist"
+ spec = macos_sign_spec_for(Path("/x/limactl"))
+ assert spec is not None
+ self.assertEqual(spec.entitlements, entitlements_name)
+
+ entitlements = plistlib.loads((ENTITLEMENTS_DIR / entitlements_name).read_bytes())
+ self.assertIs(entitlements.get("com.apple.security.virtualization"), True)
+
 def test_matches_lima_bundle_layout(self):
 keys = set(MACOS_SERVER_BINARIES.keys())
 self.assertIn("limactl", keys)
diff --git a/packages/browseros/resources/entitlements/lima-vz-entitlements.plist b/packages/browseros/resources/entitlements/lima-vz-entitlements.plist
new file mode 100644
index 000000000..00ffd62aa
--- /dev/null
+++ b/packages/browseros/resources/entitlements/lima-vz-entitlements.plist
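Review bot: The new third argument on the `limactl` row attaches an entitlements file to a binary signed with the `runtime` option, but nothing on the row says why, which makes later widening of that plist hard to review. A comment above the row such as `# limactl's vz driver uses Virtualization.framework, which needs com.apple.security.virtualization on the signed binary` would record the intent. The signing step that consumes `SignSpec.entitlements` is not visible here; it is worth confirming that it aborts when the named plist cannot be found rather than signing `limactl` without entitlements. The table this row belongs to starts before the hunk.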
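Review bot: `test_limactl_uses_vz_entitlement` checks that the virtualization key is present but not that it is the only key, so an extra entitlement added to `lima-vz-entitlements.plist` later would still pass. Pinning the whole dictionary keeps the file least-privilege: `self.assertEqual(entitlements, {"com.apple.security.virtualization": True})`. The bare `assert spec is not None` is stripped under `python -O`; `self.assertIsNotNone(spec)` reports through unittest instead, and the `assert` can stay after it if it is there for type narrowing.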
@@ -0,0 +1,8 @@
+
+
+
+
+ com.apple.security.virtualization
+
+
+