Unset DYLD_INSERT_BINARIES when unneeded

Previously, the tracer environment variables were set for the
current process, and for future steps, in the init action. In
certain scenarios (such as on MacOS ARM runners with System
Integrity Protection disabled), these environment variables are
not unset by the system. In particular, the `DYLD_INSERT_BINARIES`
variable interferes with later system calls.

This change unsets the `DYLD_INSERT_BINARIES` variable for the
current process in init. It also unsets the variables either at the
beginning of autobuild, or analyze, if autobuild has not run.

src/analyze-action.ts

@@ -32,6 +32,7 @@ import {
   getActionsStatus,
   StatusReportBase,
 } from "./status-report";
+import { unsetTracerEnvVarForCurrentProcess } from "./tracer-config";
 import {
   cleanupTrapCaches,
   getTotalCacheSize,
@@ -188,6 +189,11 @@ async function runAutobuildIfLegacyGoWorkflow(config: Config, logger: Logger) {
 }
 
 async function run() {
+  // If the autobuild Action already ran, we have already unset this environment variable.
+  if (process.env[EnvVar.AUTOBUILD_DID_COMPLETE_SUCCESSFULLY] !== "true") {
+    unsetTracerEnvVarForCurrentProcess();
+  }
+
   const startedAt = new Date();
   let uploadResult: UploadResult | undefined = undefined;
   let runStats: QueriesStatusReport | undefined = undefined;

src/autobuild-action.ts

@@ -19,7 +19,10 @@ import {
   sendStatusReport,
   ActionName,
 } from "./status-report";
-import { endTracingForCluster } from "./tracer-config";
+import {
+  endTracingForCluster,
+  unsetTracerEnvVarForCurrentProcess,
+} from "./tracer-config";
 import {
   checkActionVersion,
   checkDiskUsage,
@@ -73,6 +76,8 @@ async function run() {
   let currentLanguage: Language | undefined;
   let languages: Language[] | undefined;
   try {
+    unsetTracerEnvVarForCurrentProcess();
+
     const statusReportBase = await createStatusReportBase(
       ActionName.Autobuild,
       "starting",

src/environment.ts

@@ -26,6 +26,8 @@ export enum EnvVar {
    */
   DISABLE_DUPLICATE_LOCATION_FIX = "CODEQL_ACTION_DISABLE_DUPLICATE_LOCATION_FIX",
 
+  DYLD_INSERT_BINARIES = "DYLD_INSERT_BINARIES",
+
   /**
    * Whether the CodeQL Action is using its own deprecated and non-standard way of scanning for
    * multiple languages.

src/init-action.ts

@@ -44,6 +44,7 @@ import {
   sendStatusReport,
 } from "./status-report";
 import { ToolsFeature } from "./tools-features";
+import { unsetTracerEnvVarForCurrentProcess } from "./tracer-config";
 import { getTotalCacheSize } from "./trap-caching";
 import {
   checkDiskUsage,
@@ -614,6 +615,10 @@ async function run() {
       for (const [key, value] of Object.entries(tracerConfig.env)) {
         core.exportVariable(key, value);
       }
+      // core.exportVariable() sets the environment variables for the current step as well as
+      // future steps. We unset the the DYLD_INSERT_BINARIES variable for the current process
+      // to prevent interference with later system calls.
+      unsetTracerEnvVarForCurrentProcess();
     }
 
     // Write diagnostics to the database that we previously stored in memory because the database

src/tracer-config.ts

@@ -3,6 +3,7 @@ import * as path from "path";
 
 import { type CodeQL } from "./codeql";
 import { type Config } from "./config-utils";
+import { EnvVar } from "./environment";
 import { isTracedLanguage } from "./languages";
 import { Logger } from "./logging";
 import { ToolsFeature } from "./tools-features";
@@ -128,3 +129,12 @@ export async function getCombinedTracerConfig(
 
   return mainTracerConfig;
 }
+
+/**
+ * Unsets the DYLD_INSERT_BINARIES environment variable for the current process.
+ * This method is called to prevent the environment variable from interfering with
+ * later system calls in this process.
+ */
+export function unsetTracerEnvVarForCurrentProcess(): void {
+  delete process.env[EnvVar.DYLD_INSERT_BINARIES];
+}