git: e7f1ba7f6726 - stable/13 - Makefile.inc1: Support building with macOS Ventura's AMFI Launch Constraints

From: Jessica Clarke <jrtc27_at_FreeBSD.org>
Date: Tue, 01 Aug 2023 21:06:47 UTC
The branch stable/13 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=e7f1ba7f6726049b264a4b1f7b838ab85a4cc265

commit e7f1ba7f6726049b264a4b1f7b838ab85a4cc265
Author:     Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2023-03-03 02:15:30 +0000
Commit:     Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2023-08-01 20:42:53 +0000

    Makefile.inc1: Support building with macOS Ventura's AMFI Launch Constraints
    
    As of macOS Ventura, Apple-signed binaries cannot be run if copied away from
    their system location. This security feature doesn't really make sense for
    boring things like sh(1), more so for applications with special entitlements,
    but it's universally present, and results in the following error:
    
      >>> Install check world
      bmake[2]: "/Users/Jess/cheri/freebsd/Makefile.inc1" line 572: warning: "MAKEFLAGS= CPUTYPE=dummy /Users/Jess/cheri/build/freebsd-riscv64-build/bmake-install/bin/bmake -f /dev/null  -m /Users/Jess/cheri/freebsd/share/mk MK_AUTO_OBJ=no -V CPUTYPE" exited on a signal
      bmake[2]: "/Users/Jess/cheri/freebsd/Makefile.inc1" line 575: CPUTYPE global should be set with ?=.
    
    As with host-symlinks, we don't actually need to copy the files on macOS, since
    we're not updating the current machine, so copy its approach and just symlink
    them instead.
    
    MFC after:      1 week
    
    (cherry picked from commit dda4d97289f17aa8b2bbfd8d63a746b3a7836fd5)
---
 Makefile.inc1 | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/Makefile.inc1 b/Makefile.inc1
index 3f858b182238..118eb2115223 100644
--- a/Makefile.inc1
+++ b/Makefile.inc1
@@ -640,6 +640,18 @@ MKTEMP=${WORLDTMP}/legacy/usr/bin/mktemp
 MKTEMP=mktemp
 .endif
 INSTALLTMP!=	${MKTEMP} -d -u -t install
+
+.if ${.MAKE.OS} == "FreeBSD"
+# When building on FreeBSD we always copy the host tools instead of linking
+# into INSTALLTMP to avoid issues with incompatible libraries (see r364030).
+# Note: we could create links if we don't intend to update the current machine.
+INSTALLTMP_COPY_HOST_TOOL=cp
+.else
+# However, this is not necessary on Linux/macOS. Additionally, copying the host
+# tools to another directory with cp results in AMFI Launch Constraint
+# Violations on macOS Ventura as part of its System Integrity Protection.
+INSTALLTMP_COPY_HOST_TOOL=ln -s
+.endif
 .endif
 
 .if make(stagekernel) || make(distributekernel)
@@ -1394,7 +1406,7 @@ distributeworld installworld stageworld: _installcheck_world .PHONY
 			fi; \
 		    done); \
 	fi; \
-	cp $$libs $$progs ${INSTALLTMP}
+	${INSTALLTMP_COPY_HOST_TOOL} $$libs $$progs ${INSTALLTMP}
 	cp -R $${PATH_LOCALE:-"/usr/share/locale"} ${INSTALLTMP}/locale
 .if defined(NO_ROOT)
 	-mkdir -p ${METALOG:H}