Enable debugging of a hardened process on macOS

Add the com.apple.security.get-task-allow entitlement when not
building for release.

Change-Id: I1b05d8c48f0f2d587325d7dfc800bb4880a7fcaf
Reviewed-on: https://gerrit.libreoffice.org/c/core/+/93159
Tested-by: Tor Lillqvist <tml@collabora.com>
Reviewed-by: Tor Lillqvist <tml@collabora.com>

2 files changed, 8 insertions, 0 deletions

diff --git a/configure.ac b/configure.ac
index 630518875e9b..1c7dff3f5d0d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -2334,11 +2334,17 @@ AC_MSG_CHECKING([whether build target is Release Build])
 if test "$enable_release_build" = "" -o "$enable_release_build" = "no"; then
     AC_MSG_RESULT([no])
     ENABLE_RELEASE_BUILD=
+    GET_TASK_ALLOW_ENTITLEMENT='
+        <!-- We want to be able to debug a hardened process when not building for release -->
+        <key>com.apple.security.get-task-allow</key>
+        <true/>'
 else
     AC_MSG_RESULT([yes])
     ENABLE_RELEASE_BUILD=TRUE
+    GET_TASK_ALLOW_ENTITLEMENT=''
 fi
 AC_SUBST(ENABLE_RELEASE_BUILD)
+AC_SUBST(GET_TASK_ALLOW_ENTITLEMENT)
 
 dnl ===================================================================
 dnl Test whether to sign Windows Build
@@ -13400,6 +13406,7 @@ AC_CONFIG_FILES([config_host.mk
                  bin/bffvalidator.sh
                  bin/odfvalidator.sh
                  bin/officeotron.sh
+                 hardened_runtime.xcent
                  instsetoo_native/util/openoffice.lst
                  sysui/desktop/macosx/Info.plist])
 AC_CONFIG_HEADERS([config_host/config_buildid.h])
diff --git a/hardened_runtime.xcent b/hardened_runtime.xcent.in
index 7443f3c3ae55..d270c93ec694 100644
--- a/hardened_runtime.xcent
+++ b/hardened_runtime.xcent.in
@@ -11,5 +11,6 @@
         <!-- allow use of third-party plugins/frameworks (aka Java) -->
         <key>com.apple.security.cs.disable-library-validation</key>
         <true/>
+        @GET_TASK_ALLOW_ENTITLEMENT@
     </dict>
 </plist>