[R-SIG-Mac] get-task-allow entitlement

[Simon Urbanek]

Gábor,

thanks. I will check the notarization process to see if Apple will allow it. There are some restrictions for processes that have get-task-allow entitlement, so if it is allowed I'll would ask for some more testing to make sure this doesn't affect something else in the R ecosystem. I agree that having to clear the entitlements to debug R is a bit of a pain.

Thanks,
Simon



> On 5/04/2022, at 4:59 AM, Gábor Csárdi <csardi.gabor using gmail.com> wrote:
> 
> Simon, I wonder if you would consider adding the get-task-allow
> entitlement to the R builds.
> 
> get-task-allow allows debugging with lldb or other debuggers, and also
> enables core dumps.
> 
> Apple suggests that you avoid get-task-allow in production builds:
> https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc
> However, they also note here that a legitimate use case for it is
> allowing the debugging of plugins, which is exactly the case we have
> for R:
> 
> "To enable debugging a plug-in in the context of a host executable,
> the host can include the com.apple.security.get-task-allow entitlement
> if it also includes the Disable Library Validation Entitlement. Don’t
> disable library validation for executables that don’t host plug-ins
> because library validation protects them from loading untrusted code."
> 
> R already has disable-library-validation of course.
> 
> FWIW node.js, which is a similar environment to R, in that it needs
> load extension packages, added this to their builds:
> https://github.com/nodejs/node/pull/34378
> https://github.com/nodejs/node/commit/b0e4970b8fe0dbd6bf437b3b06d0438d906ea94d
> 
> G.
> 
> _______________________________________________
> R-SIG-Mac mailing list
> R-SIG-Mac using r-project.org
> https://stat.ethz.ch/mailman/listinfo/r-sig-mac
>