[lldb] Use get-task-allow entitlement on macOS too

[mysterymath]

Running the LLDB test suite in a GUI-less macOS environment (say, ssh) requires that the debugged tasks be signed with the get-task-allow entitlement.

NOTE: I'm not entirely sure why the LLDB macOS builders don't run into this; it could be something that occurs on newer macOS, or it could be that they have some global setting that prevents the debugger attachment check from firing.

[llvmbot]

@llvm/pr-subscribers-lldb

Author: Daniel Thornburgh (mysterymath)

Changes

Running the LLDB test suite in a GUI-less CI macOS environment requires that the debugged tasks be signed with the get-task-allow entitlement.

NOTE: I'm not entirely sure why the upstream macOS builders don't run into this; it could be something that occurs on newer macOS, or it could be that they have some global setting that prevents the debugger attachment check from firing.

---

Full diff: https://github.com/llvm/llvm-project/pull/71112.diff

2 Files Affected:

• (modified) lldb/packages/Python/lldbsuite/test/builders/darwin.py (+8-7)
• (added) lldb/packages/Python/lldbsuite/test/make/entitlements-macos.plist (+8)

diff --git a/lldb/packages/Python/lldbsuite/test/builders/darwin.py b/lldb/packages/Python/lldbsuite/test/builders/darwin.py
index 40dd13bcfdea1d6..a023bda3ad80103 100644
--- a/lldb/packages/Python/lldbsuite/test/builders/darwin.py
+++ b/lldb/packages/Python/lldbsuite/test/builders/darwin.py
@@ -88,17 +88,18 @@ def getExtraMakeArgs(self):
                 args["FRAMEWORK_INCLUDES"] = "-F{}".format(private_frameworks)
 
         operating_system, env = get_os_and_env()
-        if operating_system and operating_system != "macosx":
-            builder_dir = os.path.dirname(os.path.abspath(__file__))
-            test_dir = os.path.dirname(builder_dir)
+
+        builder_dir = os.path.dirname(os.path.abspath(__file__))
+        test_dir = os.path.dirname(builder_dir)
+        if not operating_system:
+            entitlements_file = "entitlements-macos.plist"
+        else:
             if env == "simulator":
                 entitlements_file = "entitlements-simulator.plist"
             else:
                 entitlements_file = "entitlements.plist"
-            entitlements = os.path.join(test_dir, "make", entitlements_file)
-            args["CODESIGN"] = "codesign --entitlements {}".format(entitlements)
-        else:
-            args["CODESIGN"] = "codesign"
+        entitlements = os.path.join(test_dir, "make", entitlements_file)
+        args["CODESIGN"] = "codesign --entitlements {}".format(entitlements)
 
         # Return extra args as a formatted string.
         return ["{}={}".format(key, value) for key, value in args.items()]
diff --git a/lldb/packages/Python/lldbsuite/test/make/entitlements-macos.plist b/lldb/packages/Python/lldbsuite/test/make/entitlements-macos.plist
new file mode 100644
index 000000000000000..9acd12816c91373
--- /dev/null
+++ b/lldb/packages/Python/lldbsuite/test/make/entitlements-macos.plist
@@ -0,0 +1,8 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+    <key>com.apple.security.get-task-allow</key>
+    <true/>
+</dict>
+</plist>

[JDevlieghere]

The nodes on GreenDragon run under a UI session so that might explain why we don't see that issue there. Is there any harm with using packages/Python/lldbsuite/test/make/entitlements.plist for macOS too? Does com.apple.private.security.no-sandbox cause issues?

[mysterymath]

The nodes on GreenDragon run under a UI session so that might explain why we don't see that issue there. Is there any harm with using packages/Python/lldbsuite/test/make/entitlements.plist for macOS too? Does com.apple.private.security.no-sandbox cause issues?

At least on my macOS Sonoma workstation, I get a Killed: 9 when I try to run a binary built by the LLDB test suite with entitlements.plist.