From c66f90f4255dffcdda6363bac033aef094a5e084 Mon Sep 17 00:00:00 2001
From: Trevor Guidry
Date: Thu, 14 Dec 2023 16:57:19 +0000
Subject: [PATCH] SERVER-75033 Capture core dumps from test failures on macOS
GitOrigin-RevId: 0a181cf0e0488fc279b9da65fe9f3b0be9b48b27
---
.../sign_macos_binaries_for_testing.py | 45 +++++++++++++++++++
etc/evergreen_yml_components/definitions.yml | 11 +++++
etc/macos_dev_entitlements.xml | 9 ++++
3 files changed, 65 insertions(+)
create mode 100644 buildscripts/sign_macos_binaries_for_testing.py
create mode 100644 etc/macos_dev_entitlements.xml
diff --git a/buildscripts/sign_macos_binaries_for_testing.py b/buildscripts/sign_macos_binaries_for_testing.py
new file mode 100644
index 00000000000..ae3c0f65d3c
--- /dev/null
+++ b/buildscripts/sign_macos_binaries_for_testing.py
@@ -0,0 +1,45 @@
+"""
+Signs all of the known testing binaries with insecure development entitlements.
+
+Specifically the `Get Task Allow` is what we are looking for.
+Adding the `Get Task Allow` entitlement allows us to attach to
+the mongo processes and get core dumps/debug in any way we need.
+You can view some more documentation on this topic here:
+https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_debugger#discussion
+"""
+
+import os
+import subprocess
+import sys
+
+from buildscripts.resmokelib.hang_analyzer.gen_hang_analyzer_tasks import LOCAL_BIN_DIR, MULTIVERSION_BIN_DIR
+
+
+def main():
+ if sys.platform != "darwin":
+ print("Non-macos system detected, do not need to sign binaries.")
+ sys.exit(0)
+
+ build_bin_dir = os.path.join("build", "install", "bin")
+ binary_directories = [MULTIVERSION_BIN_DIR, LOCAL_BIN_DIR, build_bin_dir]
+ entitlements_file = os.path.abspath(os.path.join("etc", "macos_dev_entitlements.xml"))
+ assert os.path.exists(entitlements_file), f"{entitlements_file} does not exist"
+
+ for binary_dir in binary_directories:
+ if not os.path.exists(binary_dir):
+ continue
+
+ for binary in os.listdir(binary_dir):
+ binary_path = os.path.join(binary_dir, binary)
+ if not os.path.isfile(binary_path):
+ continue
+
+ print(f"Signing {binary}")
+ subprocess.run([
+ "/usr/bin/codesign", "-s", "-", "-f", "--entitlements", entitlements_file,
+ binary_path
+ ], check=True)
+
+
+if __name__ == '__main__':
+ main()
diff --git a/etc/evergreen_yml_components/definitions.yml b/etc/evergreen_yml_components/definitions.yml
index f5cdddd1f64..6f76268f76e 100644
--- a/etc/evergreen_yml_components/definitions.yml
+++ b/etc/evergreen_yml_components/definitions.yml
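Review bot: Nothing in `main()` of `buildscripts/sign_macos_binaries_for_testing.py` ties the script to a test run: the only gate is `sys.platform`, and the loop force-replaces (`-f`) the signature of every regular file in `MULTIVERSION_BIN_DIR`, `LOCAL_BIN_DIR` and `build/install/bin`. Whether `build/install/bin` is ever packaged or uploaded after this step is not visible here, but if it is, those artifacts would carry an ad-hoc signature with `get-task-allow`, so the constraint deserves a comment above the loop such as `# Test-only: never run before packaging; -f overwrites any existing signature with debug entitlements.` Separately, a missing directory is skipped with a bare `continue`, so a wrong working directory signs nothing and still exits 0; printing the skipped path (`print(f"Skipping missing directory {binary_dir}")`) would make that visible in the task log. The `assert` on `entitlements_file` is stripped under `python -O`; an explicit `sys.exit(...)` with the same message is safer.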
@@ -1016,6 +1016,14 @@ functions: args: - "./src/evergreen/powercycle_sentinel_run.sh" + "sign macos dev binaries": &sign_macos_dev_binaries + command: subprocess.exec + params: + binary: bash + args: + - "src/evergreen/run_python_script.sh" + - "buildscripts/sign_macos_binaries_for_testing.py" + "execute resmoke tests": &execute_resmoke_tests command: subprocess.exec type: test @@ -1218,6 +1226,7 @@ functions: - *update_task_timeout_expansions - *update_task_timeout - *f_expansions_write + - *sign_macos_dev_binaries - command: subprocess.exec params: binary: bash @@ -1267,6 +1276,7 @@ functions: - *update_resmoke_jobs_expansions - *f_expansions_write - *configure_evergreen_api_credentials + - *sign_macos_dev_binaries - command: subprocess.exec params: binary: bash @@ -2982,6 +2992,7 @@ tasks: - "./etc/evergreen_yml_components/**" - "./etc/repo_config.yaml" - "./etc/scons/**" + - "./etc/macos_dev_entitlements.xml" - "docker_compose/**" - "buildscripts/**" - "jstests/**" diff --git a/etc/macos_dev_entitlements.xml b/etc/macos_dev_entitlements.xml new file mode 100644 index 00000000000..6835b0eb04c --- /dev/null +++ b/etc/macos_dev_entitlements.xml @@ -0,0 +1,9 @@ + + + + + com.apple.security.cs.allow-unsigned-executable-memory + + com.apple.security.get-task-allow + +
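Review bot: The position of `*sign_macos_dev_binaries` in the two function lists (the hunks at -1218 and -1267) decides which binaries actually get signed, because the script skips any directory that does not exist yet and still exits 0. From these hunks it is not visible whether the multiversion and local binaries have already been fetched before this step; if they only arrive in the `subprocess.exec` command that follows, they would stay unsigned and their core dumps would be missing without any error. A one-line comment beside each entry, e.g. `# must run after all test binaries are in place`, would pin the ordering requirement. Both lists continue outside the hunks.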
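Review bot: `etc/macos_dev_entitlements.xml` lists `com.apple.security.cs.allow-unsigned-executable-memory` next to `com.apple.security.get-task-allow`, but the signing script's docstring justifies only the latter. If the test binaries do not need writable-and-executable memory, dropping that key keeps the file to the one entitlement that core-dump capture requires; if they do, a comment such as `<!-- needed by <component>: reason -->` (placeholder) should record why. The XML tags of this hunk are not visible in this view, so the key values could not be checked.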