boostrap: Enable mksh by default on macOS 10.11+.

El Capitan (10.11) introduced System Integrity Protection (SIP), and one of
the side effects of this protection is that system shells (i.e. /bin/*sh)
unset any variables that may affect the security of the system.  This causes
problems with packages that rely on e.g. LD_LIBRARY_PATH.

Using a shell outside of the system paths allows us to work around this, at
least for now.

Tested in bulk builds on macOS Catalina, though with SIP disabled (as there
is no way to run sandboxed builds with SIP enabled).

1 files changed, 10 insertions, 1 deletions

diff --git a/bootstrap/bootstrap b/bootstrap/bootstrap
index 1797d279579..e87960ab8cd 100755
--- a/bootstrap/bootstrap
+++ b/bootstrap/bootstrap
@@ -1,6 +1,6 @@
 #! /bin/sh
 
-# $NetBSD: bootstrap,v 1.285 2020/07/06 10:25:29 jperkin Exp $
+# $NetBSD: bootstrap,v 1.286 2020/07/06 10:43:47 jperkin Exp $
 #
 # Copyright (c) 2001-2011 Alistair Crooks <agc@NetBSD.org>
 # All rights reserved.
@@ -589,6 +589,15 @@ Darwin)
 		need_sed=yes
 	fi
 
+	# Avoid system shells on macOS versions that enable System Integrity
+	# Protection (SIP) as it affects packages that rely on variables such
+	# as LD_LIBRARY_PATH.  SIP unsets any variables that may affect
+	# security when using system binaries, i.e. /bin/*sh, but using a
+	# non-system shell is unaffected, at least for now.
+	if [ $macos_version -ge 1011 ]; then
+		need_mksh=yes
+	fi
+
 	case "$macos_version" in
 	100[7-9])
 		packagemaker=/Applications/PackageMaker.app/Contents/MacOS/PackageMaker