lldb ...

Jeremy Sequoia jeremyhu at apple.com
Sat Sep 10 17:56:08 PDT 2016 


Sent from my iPhone...

> On Sep 10, 2016, at 16:51, Rainer Müller <raimue at macports.org> wrote:
> 
> On 2016-09-10 17:52, Jeremy Huddleston Sequoia wrote:
>>> On OS X 10.10 Yosemite, signing only the ggdb binary was certainly 
>>> enough. I cannot reproduce this on macOS 10.12 Sierra, so the
>>> requirements might have changed.
>> 
>> 10.10 predates SIP and related hardening around ptrace().  That
>> version is so far in my rearview that I forget the details there,
>> sorry.  I'll have to dig into it, but it certainly seems wrong to me
>> that a process could become privileged if it linked against unsigned
>> libraries.
> 
> I would assume if we find a solution that passes the current
> restrictions on Sierra that will also work for older releases with less
> strict checking.
> 
> I got gdb to work now on Sierra now. In fact I did not even have to sign
> any of the libraries it links to.
> 
> 
> $ otool -L /opt/local/bin/ggdb |awk 'NR>1 {print $1}' \
>    |grep '^/opt/local' | xargs -I{} codesign -d -v {}
> /opt/local/lib/libintl.8.dylib: code object is not signed at all
> /opt/local/lib/libncurses.6.dylib: code object is not signed at all
> /opt/local/lib/libz.1.dylib: code object is not signed at all
> /opt/local/lib/libiconv.2.dylib: code object is not signed at all
> /opt/local/lib/libexpat.1.dylib: code object is not signed at all
> 
> $ /opt/local/bin/ggdb -q /opt/local/bin/curl
> Reading symbols from /opt/local/bin/curl...(no debugging symbols
> found)...done.
> (gdb) r
> Starting program: /opt/local/bin/curl
> warning: unhandled dyld version (15)
> curl: try 'curl --help' or 'curl --manual' for more information
> [Inferior 1 (process 6964) exited with code 02]
> (gdb) q

Hmm.  That isn't what I'd expect.  Gonna need to check why that is.  It looks like CS_RESTRICT isn't implying CS_HARD like I thought it should.


> 
> The main problem I encountered was that the setgid for the procmod group
> seems to interfere with the validation now. Once I removed that by
> changing the permissions to a regular 0755, I can use the code-signed
> ggdb just fine to debug other programs.
> 
> By the way, as I did lots of trial and error, is there a way to get
> debug output (from taskgated?) to see why task_for_pid() was denied?

Is it not being logged?  You should see it in the system log (Console.app, log collect, etc).

> 
> Rainer
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.macosforge.org/pipermail/macports-dev/attachments/20160910/1946136f/attachment.html>

More information about the macports-dev mailing list