Ventura Permissions Issue (#2314) (#2371)

* Ventura Issue: monkey patch

* Apply the fix only on Mac

* Update internal/pkg/agent/cmd/enroll.go

Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>

* Adding changelog fragment

* Update changelog/fragments/1678553750-ventura-permission-issue.yaml

Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>

---------

Co-authored-by: Craig MacKenzie <craig.mackenzie@elastic.co>
(cherry picked from commit 6ed1e14)

Co-authored-by: Pierre HILBERT <pierre.hilbert@elastic.co>

changelog/fragments/1678553750-ventura-permission-issue.yaml

@@ -0,0 +1,32 @@
+# Kind can be one of:
+# - breaking-change: a change to previously-documented behavior
+# - deprecation: functionality that is being removed in a later release
+# - bug-fix: fixes a problem in a previous version
+# - enhancement: extends functionality but does not break or fix existing behavior
+# - feature: new functionality
+# - known-issue: problems that we are aware of in a given version
+# - security: impacts on the security of a product or a user’s deployment.
+# - upgrade: important information for someone upgrading from a prior version
+# - other: does not fit into any of the other categories
+kind: bug-fix
+
+# Change summary; a 80ish characters long description of the change.
+summary: Fix permission issue on MacOS Ventura and above when enrolling as part of the installation.
+
+# Long description; in case the summary is not enough to describe the change
+# this field accommodate a description without length limits.
+# NOTE: This field will be rendered only for breaking-change and known-issue kinds at the moment.
+#description:
+
+# Affected component; a word indicating the component this changeset affects.
+component: agent
+
+# PR URL; optional; the PR number that added the changeset.
+# If not present is automatically filled by the tooling finding the PR where this changelog fragment has been added.
+# NOTE: the tooling supports backports, so it's able to fill the original PR number instead of the backport PR number.
+# Please provide it if you are adding a fragment for a different PR.
+pr: https://github.com/elastic/elastic-agent/pull/2314
+
+# Issue URL; optional; the GitHub issue related to this changeset (either closes or is part of).
+# If not present is automatically filled by the tooling with the issue linked to the PR number.
+issue: https://github.com/elastic/elastic-agent/issues/2103

internal/pkg/agent/cmd/enroll.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/signal"
 	"path/filepath"
+	"runtime"
 	"strconv"
 	"strings"
 	"syscall"
@@ -320,6 +321,15 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 
 	ctx := handleSignal(context.Background())
 
+// On MacOS Ventura and above, fixing the permissions on enrollment during installation fails with the error:
+//  Error: failed to fix permissions: chown /Library/Elastic/Agent/data/elastic-agent-c13f91/elastic-agent.app: operation not permitted
+// This is because we are fixing permissions twice, once during installation and again during the enrollment step.
+// When we are enrolling as part of installation on MacOS, skip the second attempt to fix permissions.
+	var fixPermissions bool = fromInstall
+	if runtime.GOOS == "darwin" {
+		fixPermissions = false
+	}
+
 	options := enrollCmdOption{
 		EnrollAPIKey:         enrollmentToken,
 		URL:                  url,
@@ -328,7 +338,7 @@ func enroll(streams *cli.IOStreams, cmd *cobra.Command) error {
 		Insecure:             insecure,
 		UserProvidedMetadata: make(map[string]interface{}),
 		Staging:              staging,
-		FixPermissions:       fromInstall,
+		FixPermissions:       fixPermissions,
 		ProxyURL:             proxyURL,
 		ProxyDisabled:        proxyDisabled,
 		ProxyHeaders:         mapFromEnvList(proxyHeaders),