[MacPorts] #66358: sip-workaround no longer works on arm64 macOS 13 Ventura due to new security features
MacPorts
noreply at macports.org
Fri Dec 15 20:06:23 UTC 2023
-------------------------+-----------------------------------------
Reporter: reneeotten | Owner: Clemens Lang <neverpanic@…>
Type: defect | Status: reopened
Priority: Normal | Milestone:
Component: base | Version:
Resolution: | Keywords: ventura
Port: |
-------------------------+-----------------------------------------
Comment (by neverpanic):
Replying to [comment:51 kencu]:
> Comes to mind we don't really care about tracing the things in /usr/bin or /bin anyway...
That isn't correct, unless you want to allow binaries in /usr/bin or
binaries executed through a binary in /usr/bin to allow arbitrary
unfiltered access to the filesystem. Those include /usr/bin/clang (which
we really want to trace) as well as /usr/bin/make, which will execute most
of our build steps, or /bin/sh, which will run essentially all build
scripts.
That's required because running any binary with system integrity
protection will remove all `DYLD_*` variables, including the
`DYLD_INSERT_LIBRARIES` we rely on for trace mode. In other words, the
moment we run `/usr/bin/make` or `/bin/sh`, everything started by those
will also automatically be untraced.
> What we really care about are opportunistically found ports in ${prefix}.
Yes, but those aren't found by programs in $prefix.
> Even just having trace mode work only on the things in ${prefix} would be a huge step forward...
No, that will likely just lead to build failures, because the view of the
filesystem is suddenly no longer consistent. The same binary would behave
differently depending on whether it is run directly or through `/bin/sh`.
--
Ticket URL: <https://trac.macports.org/ticket/66358#comment:52>
MacPorts <https://www.macports.org/>
Ports system for macOS