Debugging Entitlements are disabled on macOS

[jiawen]

common_info.md lists under Debugging Entitlement Support that one can enable the debugging entitlement via a --define. However, it does not say on which platforms it is enabled.

After some digging, at "top level", it only referenced by:

• macos_application
• macos_bundle
• macos_extension
• macos_quick_look_plugin
• macos_kernel_extension
• macos_spotlight_importer
• macos_xpc_service

Notably, macos_command_line_application is not on that list.

Digging further, these rules call _process_entitlements, which in turn calls _include_debug_entitlements, and skips macOS entirely.

The comment in _include_debug_entitlements clearly says that it is not used in macOS but does not indicate why. There is one concrete use case for it: Instruments profiling. Without the get-task-allow entitlement, you get binaries that throw mysterious "Failed to gain Authorization" (or occasionally the even weirder "Required kernel recording resources are in use by another document.") errors.

• StackOverflow
• Apple Developer Forum workaround
• Detailed blog post on the workaround

I have confirmed that the workaround works with both macos_command_line_application and even cc_binary.

[keith]

nice investigation! seems like we should add it there