[MacPorts] #66358: sip-workaround no longer works on macOS 13 Ventura due to new security features
MacPorts
noreply at macports.org
Fri Jul 7 07:09:48 UTC 2023
#66358: sip-workaround no longer works on macOS 13 Ventura due to new security
features
-------------------------+---------------------
Reporter: reneeotten | Owner: (none)
Type: defect | Status: new
Priority: Normal | Milestone:
Component: base | Version:
Resolution: | Keywords: ventura
Port: |
-------------------------+---------------------
Comment (by linuxgemini):
It is ''tomorrow'', so I tried trace mode again with `proxmark3-iceman`;
still no dice:
{{{
:info:extract Executing: cd "/opt/local/var/macports/build/_Users_ilteris
.eroglu_Projects_macports-
ports_science_proxmark3-iceman/proxmark3-iceman/work" && /usr/bin/gzip -dc
'/opt/local/var/macports/distfiles/proxmark3-iceman/proxmark3-4.16717.tar.gz'
| /usr/bin/tar -xf -
:debug:extract system: cd "/opt/local/var/macports/build/_Users_ilteris
.eroglu_Projects_macports-
ports_science_proxmark3-iceman/proxmark3-iceman/work" && /usr/bin/gzip -dc
'/opt/local/var/macports/distfiles/proxmark3-iceman/proxmark3-4.16717.tar.gz'
| /usr/bin/tar -xf -
:info:extract Command failed: cd
"/opt/local/var/macports/build/_Users_ilteris.eroglu_Projects_macports-
ports_science_proxmark3-iceman/proxmark3-iceman/work" && /usr/bin/gzip -dc
'/opt/local/var/macports/distfiles/proxmark3-iceman/proxmark3-4.16717.tar.gz'
| /usr/bin/tar -xf -
:info:extract Killed by signal: 9
:error:extract Failed to extract proxmark3-iceman: command execution
failed
:debug:extract Error code: NONE
:debug:extract Backtrace: command execution failed
:debug:extract while executing
:debug:extract "$procedure $targetname"
:error:extract See /opt/local/var/macports/logs/_Users_ilteris
.eroglu_Projects_macports-
ports_science_proxmark3-iceman/proxmark3-iceman/main.log for details.
}}}
{{{
default 09:56:59.075368+0300 kernel AMFI: Launch Constraint Violation
(enforcing), error info: c[1]p[1]m[1]e[3], (Constraint not matched)
launching proc[vc: 1 pid: 80195]: /opt/local/var/macports/sip-
workaround/503/usr/bin/sandbox-exec, launch type 0, failure proc [vc: 1
pid: 80195]: /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-
exec
default 09:56:59.075443+0300 kernel ASP: Security policy would not
allow process: 80195, /opt/local/var/macports/sip-workaround/503/usr/bin
/sandbox-exec
default 09:56:59.075544+0300 kernel sandbox-exec[80195] Corpse allowed
1 of 5
default 09:56:59.093028+0300 ReportCrash Formulating fatal 309
report for corpse[80195] sandbox-exec
default 09:56:59.113785+0300 osanalyticshelper creating type 309
as /Users/ilteris.eroglu/Library/Logs/DiagnosticReports/.sandbox-
exec-2023-07-07-095659.ips
default 09:56:59.138890+0300 osanalyticshelper Saved type
'309(<private>)' report (2 of max 25) at
/Users/ilteris.eroglu/Library/Logs/DiagnosticReports/sandbox-
exec-2023-07-07-095659.ips
default 09:56:59.139312+0300 ReportCrash client log create type 309
result success: /Users/ilteris.eroglu/Library/Logs/DiagnosticReports
/sandbox-exec-2023-07-07-095659.ips
default 09:56:59.139370+0300 ReportCrash no MetricKit for process
sandbox-exec type 309 bundleId (null)
default 09:56:59.139173+0300 osanalyticshelper xpc log creation
type 309 result success:
/Users/ilteris.eroglu/Library/Logs/DiagnosticReports/sandbox-
exec-2023-07-07-095659.ips
}}}
----
Using an ad-hoc certificate to re-sign still works:
{{{
~ ❯ cp /usr/bin/make ./make
~ ❯
~ ❯ /usr/bin/make --version
GNU Make 3.81
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
This program built for i386-apple-darwin11.3.0
~ ❯
~ ❯ ./make --version
[1] 80407 killed ./make --version
~ ❯
~ ❯ codesign --preserve-metadata=entitlements --force --verbose --sign
"test_codesign" ./make
./make: replacing existing signature
./make: signed Mach-O universal (x86_64 arm64e) [com.apple.dt.xcode_select
.tool-shim]
~ ❯
~ ❯ ./make --version
GNU Make 3.81
Copyright (C) 2006 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
This program built for i386-apple-darwin11.3.0
~ ❯
}}}
This is my work Mac, so SIP is always enabled and there are multiple EDR and
DLP solutions installed.
--
Ticket URL: <https://trac.macports.org/ticket/66358#comment:36>
MacPorts <https://www.macports.org/>
Ports system for macOS
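
Added example, not part of the original comment or of MacPorts: a Python triage helper that pairs the AMFI launch-constraint violation with the ASP denial by pid in text output of the unified log. The sample lines are the kernel messages from the comment above, unwrapped; the function name, the record layout and the `SYSTEM_PREFIXES` heuristic are assumptions.

```python
import re

# Constructed sample: the kernel lines quoted in the comment, with mail wrapping undone.
SAMPLE_LOG = """\
default 09:56:59.075368+0300 kernel AMFI: Launch Constraint Violation (enforcing), error info: c[1]p[1]m[1]e[3], (Constraint not matched) launching proc[vc: 1 pid: 80195]: /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec, launch type 0, failure proc [vc: 1 pid: 80195]: /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec
default 09:56:59.075443+0300 kernel ASP: Security policy would not allow process: 80195, /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec
default 09:56:59.075544+0300 kernel sandbox-exec[80195] Corpse allowed 1 of 5
"""

# Assumption (heuristic): a denied binary outside these prefixes is worth a second look.
SYSTEM_PREFIXES = ("/usr/", "/bin/", "/sbin/", "/System/")

AMFI_RE = re.compile(
    r"AMFI: Launch Constraint Violation \((?P<mode>[^)]+)\), "
    r"error info: (?P<info>\S+), \((?P<reason>[^)]+)\) "
    r"launching proc\[vc: \d+ pid: (?P<pid>\d+)\]: (?P<path>.+?), launch type \d+"
)
ASP_RE = re.compile(r"ASP: Security policy would not allow process: (?P<pid>\d+), (?P<path>.+)$")


def find_launch_denials(log_text):
    """Return {pid: record} for every process that AMFI and/or ASP refused to launch."""
    denials = {}
    for line in log_text.splitlines():
        amfi = AMFI_RE.search(line)
        asp = ASP_RE.search(line)
        m = amfi or asp
        if not m:
            continue  # unrelated line (crash reporter, corpse accounting, ...)
        path = m["path"].strip()
        rec = denials.setdefault(int(m["pid"]), {
            "path": path,
            "amfi": None,
            "asp_denied": False,
            "outside_system_path": not path.startswith(SYSTEM_PREFIXES),
        })
        if amfi:
            # The error-info token is kept verbatim; its fields are not interpreted here.
            rec["amfi"] = {"mode": m["mode"], "reason": m["reason"], "info": m["info"]}
        else:
            rec["asp_denied"] = True
    return denials


if __name__ == "__main__":
    for pid, rec in find_launch_denials(SAMPLE_LOG).items():
        print(pid, rec)
```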