
Hardened macOS binaries and libraries with the runtime hardened flag set on #428

@dferreiralopessc

Description

Currently, the ruby binary shipped with td-agent is not hardened:

> codesign -dv /opt/td-agent/bin/ruby
Executable=/opt/td-agent/bin/ruby
Identifier=ruby-5555494463eb77d3aef0307a949c84abf11e480c
Format=Mach-O thin (x86_64)
CodeDirectory v=20400 size=614 flags=0x2(adhoc) hashes=13+2 location=system
Signature=adhoc
Info.plist=not bound
TeamIdentifier=not set
Sealed Resources=none
Internal requirements count=0 size=12

The hardened runtime protection on macOS ensures that processes started from hardened-runtime-protected binaries are not inspected or altered. As an example, it is currently possible to start the td-agent daemon and inspect the process with lldb.
More on hardened runtime protection can be found here.

It is best practice to protect a binary and all the libraries it uses with the hardened runtime, to prevent unwanted parties from inspecting memory and/or altering the flow of execution.
The runtime flag can be set on a binary with

codesign -f -s 'apple_developer_certificate' --options=runtime /opt/td-agent/bin/ruby

This will also need to be done on the other libraries used by the binary (i.e. /opt/td-agent/lib/*.dylib).

Is this something we could do as part of the build process here for td-agent on macOS?
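A way to verify the state described in this issue across the whole td-agent tree, as an added example that is not part of the issue or of the td-agent build scripts: the script below parses the `flags=` field of `codesign -dv` output (the format shown above) and tests bit 0x10000, which is the `CS_RUNTIME` flag that `codesign` prints as `(runtime)`. The sample outputs embedded in it are constructed to mirror the issue's output; the `audit_binary` function only runs where `codesign` exists, so the parsing part can be exercised on any POSIX shell.

```shell
#!/bin/sh
# Audit Mach-O binaries/dylibs for the hardened runtime flag by parsing `codesign -dv`.
# CS_RUNTIME is bit 0x10000 in the code-signing flags; codesign prints it as "(runtime)".
CS_RUNTIME=0x10000

# Constructed sample outputs (not captured from a real system); the first mirrors the issue.
SAMPLE_ADHOC='Executable=/opt/td-agent/bin/ruby
CodeDirectory v=20400 size=614 flags=0x2(adhoc) hashes=13+2 location=system
Signature=adhoc'
SAMPLE_HARDENED='Executable=/opt/td-agent/bin/ruby
CodeDirectory v=20400 size=614 flags=0x10000(runtime) hashes=13+2 location=embedded
Signature size=8968'
SAMPLE_ADHOC_HARDENED='Executable=/opt/td-agent/lib/libruby.dylib
CodeDirectory v=20400 size=614 flags=0x10002(adhoc,runtime) hashes=13+2 location=embedded
Signature=adhoc'

# cs_flags_hex OUTPUT: print the hex flags value from the CodeDirectory line (empty if none)
cs_flags_hex() {
  printf '%s\n' "$1" | sed -n 's/.*flags=\(0x[0-9a-fA-F]*\).*/\1/p' | head -n 1
}

# runtime_flag_set OUTPUT: return 0 when CS_RUNTIME is set, 1 when not, 2 when unparsable
runtime_flag_set() {
  flags=$(cs_flags_hex "$1")
  [ -n "$flags" ] || return 2
  [ $(( $flags & CS_RUNTIME )) -ne 0 ]
}

# audit_binary PATH: run codesign on a real file (macOS only) and classify it.
# codesign -dv writes its report to stderr, hence the redirection.
audit_binary() {
  out=$(codesign -dv "$1" 2>&1) || { echo "$1: unsigned or unreadable"; return 1; }
  if runtime_flag_set "$out"; then
    echo "$1: hardened runtime ON"
  else
    echo "$1: hardened runtime OFF (flags=$(cs_flags_hex "$out"))"
    return 1
  fi
}

# Stand-alone run: audit the paths named in the issue when codesign is available,
# otherwise demonstrate the parser on the constructed samples.
if command -v codesign >/dev/null 2>&1; then
  for f in /opt/td-agent/bin/ruby /opt/td-agent/lib/*.dylib; do
    [ -e "$f" ] && audit_binary "$f"
  done
else
  for s in "$SAMPLE_ADHOC" "$SAMPLE_HARDENED" "$SAMPLE_ADHOC_HARDENED"; do
    if runtime_flag_set "$s"; then echo "runtime ON  flags=$(cs_flags_hex "$s")"
    else echo "runtime OFF flags=$(cs_flags_hex "$s")"; fi
  done
fi
```

Parsing the numeric flags rather than grepping for the word `runtime` avoids false positives from other fields, and the non-zero exit from `audit_binary` makes the check usable as a CI gate after the signing step.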
