From ade70fa89d539745824fc2bb9545cbaec07b48b1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miko=C5=82aj=20=C5=9Awi=C4=85tek?=
Date: Wed, 15 Nov 2023 19:07:59 +0100
Subject: [PATCH] Set the right ACLs on system log files in the darwin package
---
 settings/otc.cmake | 1 +
 templates/hooks/common/darwin-functions.in | 10 ++++++++++
 templates/hooks/productbuild/preflight.in | 1 +
 3 files changed, 12 insertions(+)
diff --git a/settings/otc.cmake b/settings/otc.cmake
index 165cc0d6..8f54c730 100644
--- a/settings/otc.cmake
+++ b/settings/otc.cmake
@@ -61,6 +61,7 @@ macro(set_otc_settings)
 # File paths
 set(SOURCE_OTC_BINARY_PATH "${SOURCE_OTC_BINARY_DIR}/${OTC_BINARY}")
 set(GH_ARTIFACT_OTC_BINARY_PATH "${GH_ARTIFACTS_DIR}/${GH_OUTPUT_OTC_BIN}")
+ set(ACL_LOG_FILE_PATHS "/var/log")
 ##
 # Other
diff --git a/templates/hooks/common/darwin-functions.in b/templates/hooks/common/darwin-functions.in
index b26b2748..986f865d 100644
--- a/templates/hooks/common/darwin-functions.in
+++ b/templates/hooks/common/darwin-functions.in
@@ -179,3 +179,13 @@ create_user_and_group_if_missing()
 # Add user to group if the user is not a member
 add_user_to_group_if_missing "$group" "$user"
 }
+
+# Allow our group to read the supplied log paths
+set_acl_on_log_paths()
+{
+ local group="$1"
+ local acl_log_file_paths="$2"
+ for log_path in ${acl_log_file_paths}; do
+ chmod -R +a "group:$group allow read,readattr,readextattr" "$log_path"
+ done
+}
diff --git a/templates/hooks/productbuild/preflight.in b/templates/hooks/productbuild/preflight.in
index d242255f..e2a019f1 100644
--- a/templates/hooks/productbuild/preflight.in
+++ b/templates/hooks/productbuild/preflight.in
@@ -8,5 +8,6 @@
 @common_darwin_functions@
 create_user_and_group_if_missing "@SERVICE_USER@" "@SERVICE_GROUP@"
+set_acl_on_log_paths "@SERVICE_GROUP@" "@ACL_LOG_FILE_PATHS@"
 exit 0
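Review bot: In the settings/otc.cmake hunk, `set(ACL_LOG_FILE_PATHS "/var/log")` makes the entire system log directory the ACL target, and the darwin hook applies it recursively, so the service group gains read access to every log on the host rather than only the files the collector needs; consider listing just the required paths. The value is consumed by a shell `for` loop that splits on whitespace, so it has to stay one space-separated string: a CMake list would be substituted as a single `;`-joined word and treated as one path. I would add a comment above the line, for example `# Space-separated paths (not a CMake list) on which SERVICE_GROUP receives a recursive read ACL at install time`. The enclosing macro set_otc_settings starts and ends outside the hunk.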
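Review bot: In set_acl_on_log_paths (darwin-functions.in), the entry is applied once with `chmod -R` and carries no inheritance flags, so files created under the path after installation, for example by log rotation, would presumably not be readable by the group. If ongoing access is intended, the directory entries likely need `file_inherit,directory_inherit`, which should be verified on a test host. Separately, `log_path` is not declared, so it leaks into the caller's scope; add `local log_path` next to the other locals. `${acl_log_file_paths}` is expanded unquoted, which also performs pathname expansion on any glob characters, so the comment above the function should state that the argument is a whitespace-separated list and that paths containing spaces or wildcards are not supported.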
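Review bot: The new `set_acl_on_log_paths` call in preflight.in has no status check and is followed by `exit 0`, so unless the script enables `set -e` above the hunk (not visible here), a failed `chmod` leaves the installer reporting success while the service group still cannot read the logs. Recording the failure would help, for example `set_acl_on_log_paths "@SERVICE_GROUP@" "@ACL_LOG_FILE_PATHS@" || echo "warning: could not set ACLs on log paths" >&2`. A one-line comment above the call explaining why the ACL is needed would also be useful, since it makes a persistent permission change to files the package does not own.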