[R-SIG-Mac] get-task-allow entitlement

Gábor Csárdi c@@rd|@g@bor @end|ng |rom gm@||@com
Mon Apr 4 18:59:10 CEST 2022


Simon, I wonder if you would consider adding the get-task-allow
entitlement to the R builds.

get-task-allow allows debugging with lldb or other debuggers, and also
enables core dumps.

Apple suggests that you avoid get-task-allow in production builds:
https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc
However, they also note here that a legitimate use case for it is
allowing the debugging of plugins, which is exactly the case we have
for R:

"To enable debugging a plug-in in the context of a host executable,
the host can include the com.apple.security.get-task-allow entitlement
if it also includes the Disable Library Validation Entitlement. Don’t
disable library validation for executables that don’t host plug-ins
because library validation protects them from loading untrusted code."

R already has disable-library-validation of course.

FWIW node.js, which is a similar environment to R, in that it needs
load extension packages, added this to their builds:
https://github.com/nodejs/node/pull/34378
https://github.com/nodejs/node/commit/b0e4970b8fe0dbd6bf437b3b06d0438d906ea94d

G.



More information about the R-SIG-Mac mailing list