SERVER-75033 Capture core dumps from test failures on macOS

GitOrigin-RevId: 0a181cf0e0488fc279b9da65fe9f3b0be9b48b27
2023-12-14 16:57:19 +00:00 · 2023-12-14 16:57:19 +00:00 · c66f90f425
parent b08623de2e
commit c66f90f425
3 changed files with 65 additions and 0 deletions
--- a/buildscripts/sign_macos_binaries_for_testing.py
+++ b/buildscripts/sign_macos_binaries_for_testing.py
@ -0,0 +1,45 @@
+"""
+Signs all of the known testing binaries with insecure development entitlements.
+
+Specifically the `Get Task Allow` is what we are looking for.
+Adding the `Get Task Allow` entitlement allows us to attach to 
+the mongo processes and get core dumps/debug in any way we need.
+You can view some more documentation on this topic here:
+https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_debugger#discussion
+"""
+
+import os
+import subprocess
+import sys
+
+from buildscripts.resmokelib.hang_analyzer.gen_hang_analyzer_tasks import LOCAL_BIN_DIR, MULTIVERSION_BIN_DIR
+
+
+def main():
+    if sys.platform != "darwin":
+        print("Non-macos system detected, do not need to sign binaries.")
+        sys.exit(0)
+
+    build_bin_dir = os.path.join("build", "install", "bin")
+    binary_directories = [MULTIVERSION_BIN_DIR, LOCAL_BIN_DIR, build_bin_dir]
+    entitlements_file = os.path.abspath(os.path.join("etc", "macos_dev_entitlements.xml"))
+    assert os.path.exists(entitlements_file), f"{entitlements_file} does not exist"
+
+    for binary_dir in binary_directories:
+        if not os.path.exists(binary_dir):
+            continue
+
+        for binary in os.listdir(binary_dir):
+            binary_path = os.path.join(binary_dir, binary)
+            if not os.path.isfile(binary_path):
+                continue
+
+            print(f"Signing {binary}")
+            subprocess.run([
+                "/usr/bin/codesign", "-s", "-", "-f", "--entitlements", entitlements_file,
+                binary_path
+            ], check=True)
+
+
+if __name__ == '__main__':
+    main()
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
@ -1016,6 +1016,14 @@ functions:
      args:
      - "./src/evergreen/powercycle_sentinel_run.sh"

+  "sign macos dev binaries": &sign_macos_dev_binaries
+    command: subprocess.exec
+    params:
+      binary: bash
+      args:
+      - "src/evergreen/run_python_script.sh"
+      - "buildscripts/sign_macos_binaries_for_testing.py"
+
  "execute resmoke tests": &execute_resmoke_tests
    command: subprocess.exec
    type: test
@ -1218,6 +1226,7 @@ functions:
  - *update_task_timeout_expansions
  - *update_task_timeout
  - *f_expansions_write
+  - *sign_macos_dev_binaries
  - command: subprocess.exec
    params:
      binary: bash
@ -1267,6 +1276,7 @@ functions:
  - *update_resmoke_jobs_expansions
  - *f_expansions_write
  - *configure_evergreen_api_credentials
+  - *sign_macos_dev_binaries
  - command: subprocess.exec
    params:
      binary: bash
@ -2982,6 +2992,7 @@ tasks:
      - "./etc/evergreen_yml_components/**"
      - "./etc/repo_config.yaml"
      - "./etc/scons/**"
+      - "./etc/macos_dev_entitlements.xml"
      - "docker_compose/**"
      - "buildscripts/**"
      - "jstests/**"
--- a/etc/macos_dev_entitlements.xml
+++ b/etc/macos_dev_entitlements.xml
@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <!--The get-task-allow entitlement is insecure and must only be used in dev environments-->
+    <key>com.apple.security.get-task-allow</key><true/>
+  </dict>
+</plist>