diff --git a/changelog.d/2576.added.md b/changelog.d/2576.added.md
new file mode 100644
index 00000000000..fcebe0edd37
--- /dev/null
+++ b/changelog.d/2576.added.md
@@ -0,0 +1 @@
+Added experimental.trust_any_certificate to enable making app trust any certificate on macOS
\ No newline at end of file
diff --git a/mirrord/config/src/experimental.rs b/mirrord/config/src/experimental.rs
index d8239ef3095..56517f47782 100644
--- a/mirrord/config/src/experimental.rs
+++ b/mirrord/config/src/experimental.rs
@@ -10,22 +10,29 @@ use crate::config::source::MirrordConfigSource;
 #[config(map_to = "ExperimentalFileConfig", derive = "JsonSchema")]
 #[cfg_attr(test, config(derive = "PartialEq, Eq"))]
 pub struct ExperimentalConfig {
- /// ## _experimental_ tcp_ping4_mock {#fexperimental-tcp_ping4_mock}
+ /// ## _experimental_ tcp_ping4_mock {#experimental-tcp_ping4_mock}
 ///
 ///
 #[config(default = true)]
 pub tcp_ping4_mock: bool,
 
- /// ## _experimental_ readlink {#fexperimental-readlink}
+ /// ## _experimental_ readlink {#experimental-readlink}
 ///
 /// Enables the `readlink` hook.
 #[config(default = false)]
 pub readlink: bool,
+
+ /// # _experimental_ trust_any_certificate {#experimental-trust_any_certificate}
+ ///
+ /// Enables trusting any certificate on macOS, useful for https://github.com/golang/go/issues/51991#issuecomment-2059588252
+ #[config(default = false)]
+ pub trust_any_certificate: bool,
 }
 
 impl CollectAnalytics for &ExperimentalConfig {
 fn collect_analytics(&self, analytics: &mut mirrord_analytics::Analytics) {
 analytics.add("tcp_ping4_mock", self.tcp_ping4_mock);
 analytics.add("readlink", self.readlink);
+ analytics.add("trust_any_certificate", self.trust_any_certificate);
 }
 }
diff --git a/mirrord/layer/src/lib.rs b/mirrord/layer/src/lib.rs
index ea7242356ff..8865f91d140 100644
--- a/mirrord/layer/src/lib.rs
+++ b/mirrord/layer/src/lib.rs
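Review bot: The doc comment on the new `trust_any_certificate` field says what the flag enables but not what it gives up, and since these `///` lines feed the generated schema and user docs (`map_to = "ExperimentalFileConfig", derive = "JsonSchema"`), that is exactly where a user decides whether to turn it on. I would keep the existing line and add `/// This makes the hooked process accept any TLS certificate, so it no longer detects a forged or intercepted server; keep it off outside local development.` The heading also uses a single `#` (`/// # _experimental_ trust_any_certificate {#experimental-trust_any_certificate}`) where the two sibling fields use `## _experimental_ …`, so the rendered docs will place it at a different level than its neighbours. The `collect_analytics` addition is consistent with the other fields.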
@@ -112,6 +112,8 @@ mod macros;
 mod proxy_connection;
 mod setup;
 mod socket;
+#[cfg(target_os = "macos")]
+mod tls;
 #[cfg(all(
 any(target_arch = "x86_64", target_arch = "aarch64"),
@@ -341,11 +343,7 @@ fn layer_start(mut config: LayerConfig) {
 SETUP.set(state).unwrap();
 let state = setup();
- enable_hooks(
- state.fs_config().is_active(),
- state.remote_dns_enabled(),
- state.sip_binaries(),
- );
+ enable_hooks(state);
 let _detour_guard = DetourGuard::new();
 tracing::info!("Initializing mirrord-layer!");
@@ -475,7 +473,11 @@ fn sip_only_layer_start(mut config: LayerConfig, patch_binaries: Vec) {
 /// `true`, see [`NetworkConfig`](mirrord_config::feature::network::NetworkConfig), and
 /// [`hooks::enable_socket_hooks`](socket::hooks::enable_socket_hooks).
 #[mirrord_layer_macro::instrument(level = "trace")]
-fn enable_hooks(enabled_file_ops: bool, enabled_remote_dns: bool, patch_binaries: Vec) {
+fn enable_hooks(state: &LayerSetup) {
+ let enabled_file_ops = state.fs_config().is_active();
+ let enabled_remote_dns = state.remote_dns_enabled();
+ let patch_binaries = state.sip_binaries();
+
 let mut hook_manager = HookManager::default();
 
 unsafe {
@@ -526,6 +528,11 @@ fn enable_hooks(enabled_file_ops: bool, enabled_remote_dns: bool, patch_binaries
 exec_utils::enable_execve_hook(&mut hook_manager, patch_binaries)
 };
 
+ #[cfg(target_os = "macos")]
+ if state.experimental().trust_any_certificate {
+ unsafe { tls::enable_tls_hooks(&mut hook_manager) };
+ }
+
 if enabled_file_ops {
 unsafe { file::hooks::enable_file_hooks(&mut hook_manager) };
 }
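Review bot: `enable_hooks` now takes `state: &LayerSetup` and reads `enabled_file_ops`, `enabled_remote_dns` and `patch_binaries` from it, but its doc comment starts outside the hunk and the visible tail (`NetworkConfig`, `enable_socket_hooks`) says nothing about the TLS hooks this same function now installs; a line such as `/// On macOS, also installs the TLS hooks when `experimental.trust_any_certificate` is set.` would keep the doc in step with the code. Note also that `#[mirrord_layer_macro::instrument(level = "trace")]` now records the whole `state` argument in the span instead of two booleans and a list; if that macro formats arguments with `Debug` and `LayerSetup` carries anything sensitive, the trace output is worth checking. The body of `enable_hooks` continues past the hunk.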
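Review bot: The TLS hooks are installed silently when `trust_any_certificate` is set; a setting that makes the process accept any certificate should leave a visible trace in the run, so I would add `tracing::warn!("experimental.trust_any_certificate is enabled: the process will accept any TLS certificate");` as the first line inside the `if` (the file already uses `tracing::info!` in `layer_start`). The new `unsafe { tls::enable_tls_hooks(&mut hook_manager) };` follows the neighbouring hook installs in carrying no `// SAFETY:` comment; a short one stating why installing the detour at this point is sound would help, even though the existing lines lack it. The enclosing `enable_hooks` body continues past the hunk.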