[R-SIG-Mac] get-task-allow entitlement
Simon Urbanek
@|mon@urb@nek @end|ng |rom R-project@org
Wed Apr 6 11:07:40 CEST 2022
Gábor,
thanks, I have enabled the get-task-allow entitlement in the nightly builds so next round should have it enabled. I have tested it and Apple has notarized the resulting package so it should be ok.
Cheers,
Simon
> On Apr 5, 2022, at 7:28 PM, Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>
> Thanks! node.js is notarized with these entitlements, so I am fairly
> sure that Apple will allow it.
>
> I have re-signed all my R installations and added this entitlement
> some time ago, and haven't seen any issues so far. But yeah, that is
> not much testing at all.
>
> Btw. if anyone wants to add it to already installed R versions, it
> goes like this. Replace the version number (installation directory) as
> needed:
> codesign -d --xml --entitlements -
> /Library/Frameworks/R.framework/Versions/4.1-arm64/Resources/bin/exec/R
>> ~/r.entitlements
> /usr/libexec/PlistBuddy -c "Add :com.apple.security.get-task-allow
> bool true" ~/r.entitlements
> sudo codesign -s - -f --entitlements ~/r.entitlements
> /Library/Frameworks/R.framework/Versions/4.1-arm64/Resources/bin/exec/R
>
> I have also added this to https://github.com/gaborcsardi/rim so you can run
> rim system allow-debugger --all
> to update all installed versions of R.
>
> Thanks for considering this,
> G.
>
> On Tue, Apr 5, 2022 at 1:04 AM Simon Urbanek
> <simon.urbanek using r-project.org> wrote:
>>
>> Gábor,
>>
>> thanks. I will check the notarization process to see if Apple will allow it. There are some restrictions for processes that have get-task-allow entitlement, so if it is allowed I'll would ask for some more testing to make sure this doesn't affect something else in the R ecosystem. I agree that having to clear the entitlements to debug R is a bit of a pain.
>>
>> Thanks,
>> Simon
>>
>>
>>
>>> On 5/04/2022, at 4:59 AM, Gábor Csárdi <csardi.gabor using gmail.com> wrote:
>>>
>>> Simon, I wonder if you would consider adding the get-task-allow
>>> entitlement to the R builds.
>>>
>>> get-task-allow allows debugging with lldb or other debuggers, and also
>>> enables core dumps.
>>>
>>> Apple suggests that you avoid get-task-allow in production builds:
>>> https://developer.apple.com/documentation/security/notarizing_macos_software_before_distribution/resolving_common_notarization_issues?language=objc
>>> However, they also note here that a legitimate use case for it is
>>> allowing the debugging of plugins, which is exactly the case we have
>>> for R:
>>>
>>> "To enable debugging a plug-in in the context of a host executable,
>>> the host can include the com.apple.security.get-task-allow entitlement
>>> if it also includes the Disable Library Validation Entitlement. Don’t
>>> disable library validation for executables that don’t host plug-ins
>>> because library validation protects them from loading untrusted code."
>>>
>>> R already has disable-library-validation of course.
>>>
>>> FWIW node.js, which is a similar environment to R, in that it needs
>>> load extension packages, added this to their builds:
>>> https://github.com/nodejs/node/pull/34378
>>> https://github.com/nodejs/node/commit/b0e4970b8fe0dbd6bf437b3b06d0438d906ea94d
>>>
>>> G.
>>>
>>> _______________________________________________
>>> R-SIG-Mac mailing list
>>> R-SIG-Mac using r-project.org
>>> https://stat.ethz.ch/mailman/listinfo/r-sig-mac
>>>
>>
>
More information about the R-SIG-Mac
mailing list