SERVER-75033 Capture core dumps from test failures on macOS

GitOrigin-RevId: 0a181cf0e0488fc279b9da65fe9f3b0be9b48b27

buildscripts/sign_macos_binaries_for_testing.py

@@ -0,0 +1,45 @@
+"""
+Signs all of the known testing binaries with insecure development entitlements.
+
+Specifically the `Get Task Allow` is what we are looking for.
+Adding the `Get Task Allow` entitlement allows us to attach to 
+the mongo processes and get core dumps/debug in any way we need.
+You can view some more documentation on this topic here:
+https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_cs_debugger#discussion
+"""
+
+import os
+import subprocess
+import sys
+
+from buildscripts.resmokelib.hang_analyzer.gen_hang_analyzer_tasks import LOCAL_BIN_DIR, MULTIVERSION_BIN_DIR
+
+
+def main():
+    if sys.platform != "darwin":
+        print("Non-macos system detected, do not need to sign binaries.")
+        sys.exit(0)
+
+    build_bin_dir = os.path.join("build", "install", "bin")
+    binary_directories = [MULTIVERSION_BIN_DIR, LOCAL_BIN_DIR, build_bin_dir]
+    entitlements_file = os.path.abspath(os.path.join("etc", "macos_dev_entitlements.xml"))
+    assert os.path.exists(entitlements_file), f"{entitlements_file} does not exist"
+
+    for binary_dir in binary_directories:
+        if not os.path.exists(binary_dir):
+            continue
+
+        for binary in os.listdir(binary_dir):
+            binary_path = os.path.join(binary_dir, binary)
+            if not os.path.isfile(binary_path):
+                continue
+
+            print(f"Signing {binary}")
+            subprocess.run([
+                "/usr/bin/codesign", "-s", "-", "-f", "--entitlements", entitlements_file,
+                binary_path
+            ], check=True)
+
+
+if __name__ == '__main__':
+    main()

etc/evergreen_yml_components/definitions.yml

@@ -1016,6 +1016,14 @@ functions:
       args:
       - "./src/evergreen/powercycle_sentinel_run.sh"
 
+  "sign macos dev binaries": &sign_macos_dev_binaries
+    command: subprocess.exec
+    params:
+      binary: bash
+      args:
+      - "src/evergreen/run_python_script.sh"
+      - "buildscripts/sign_macos_binaries_for_testing.py"
+
   "execute resmoke tests": &execute_resmoke_tests
     command: subprocess.exec
     type: test
@@ -1218,6 +1226,7 @@ functions:
   - *update_task_timeout_expansions
   - *update_task_timeout
   - *f_expansions_write
+  - *sign_macos_dev_binaries
   - command: subprocess.exec
     params:
       binary: bash
@@ -1267,6 +1276,7 @@ functions:
   - *update_resmoke_jobs_expansions
   - *f_expansions_write
   - *configure_evergreen_api_credentials
+  - *sign_macos_dev_binaries
   - command: subprocess.exec
     params:
       binary: bash
@@ -2982,6 +2992,7 @@ tasks:
       - "./etc/evergreen_yml_components/**"
       - "./etc/repo_config.yaml"
       - "./etc/scons/**"
+      - "./etc/macos_dev_entitlements.xml"
       - "docker_compose/**"
       - "buildscripts/**"
       - "jstests/**"

etc/macos_dev_entitlements.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+  <dict>
+    <key>com.apple.security.cs.allow-unsigned-executable-memory</key><true/>
+    <!--The get-task-allow entitlement is insecure and must only be used in dev environments-->
+    <key>com.apple.security.get-task-allow</key><true/>
+  </dict>
+</plist>