Re: [MacPorts] #66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new security features

MacPorts noreply at macports.org
Wed Nov 6 11:58:32 UTC 2024 

#66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new
security features
-------------------------+------------------------------------------
  Reporter:  reneeotten  |      Owner:  Clemens Lang <neverpanic@…>
      Type:  defect      |     Status:  reopened
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:
Resolution:              |   Keywords:  arm64 ventura sonoma sequoia
      Port:              |
-------------------------+------------------------------------------

Comment (by neverpanic):

 Replying to [comment:67 markmentovai]:
 > The message you’re quoting from the source (`bad bind opcode %d in bind
 info`) doesn’t even match the error you’re seeing (`dyld[20831]: bad bind
 opcode 0x1E`). You’re looking at super-old dyld source from an unofficial
 dump of Apple’s old opensource site ([https://github.com/opensource-apple/
 github opensource-apple]), from before Apple pushed source to GitHub
 directly. It’s showing dyld-360.18 from 10.11.2 (2015-12-08), and it
 hasn’t been current since 10.11.3 (2016-01-19). I recommend that everyone
 purge that unmaintained opensource-apple dump from their bookmarks and
 workflow, and never consult it for any purpose. It’s outdated and
 misleading.

 I noticed that after posting the comment, noticed that the correct version
 still had the same bug, and thus didn't bother to correct it here to avoid
 adding more noise to the signal.


 > The ones that handle 13 cases omit `BIND_OPCODE_THREADED`. The ones that
 handle 10 cases omit `BIND_OPCODE_ADD_ADDR_ULEB`,
 `BIND_OPCODE_DO_BIND_ADD_ADDR_ULEB`,
 `BIND_OPCODE_DO_BIND_ADD_ADDR_IMM_SCALED`, and
 `BIND_OPCODE_DO_BIND_ULEB_TIMES_SKIPPING_ULEB`.
 >
 > Given that we’re potentially putting an arm64e executable through a non-
 arm64e path, I’d first suspect a use of `BIND_OPCODE_THREADED`.

 Thanks, that information is very helpful. Is there some documentation that
 I'm not aware of that explains what `BIND_OPCODE_THREADED` actually does,
 and whether just stripping it from the binaries is a safe operation?


 > `BIND_OPCODE_THREADED` was for an earlier form of chained fixups (“old
 arm64e”), while the newer form just uses `LC_DYLD_CHAINED_FIXUPS` and is
 available beyond just arm64e. With additional effort, it may be possible
 to apply further translations to chained fixups in this format to make
 them work more broadly.
 >
 > Your log message is too truncated to dig deeper. Do you have a link?
 What executable is your test operating on when you observe this failure?
 What specific OS version?

 I'm seeing this in the macOS 14 CI run for the PR above, which is at
 https://github.com/macports/macports-
 base/actions/runs/11673868984/job/32505429280?pr=354.
 The OS version is macOS 14.7 23H124. The specific failure occurs close to
 the end of the "Test MacPorts Base" foldable section with the `/bin/ln`
 binary. For reasons that I haven't yet investigated this does not actually
 fail the run, even though the test definitely failed and it should have
 marked the build as failing.

 One instance is, for example:
 {{{
 system: /bin/ln -s ../../../../../../../../../..//Users/runner/work
 /macports-base/macports-base/src/darwintracelib1.0/tests//./stat symlink
 dyld[20334]: bad bind opcode 0x1E
 Command failed: /bin/ln -s
 ../../../../../../../../../..//Users/runner/work/macports-base/macports-
 base/src/darwintracelib1.0/tests//./stat symlink
 Killed by signal: 6
 Expected violation '/Users/runner/work/macports-base/macports-
 base/src/darwintracelib1.0/tests/stat' did not occur
 SANDBOX
   /Users/runner/work/macports-base/macports-
 base/src/darwintracelib1.0/tests/symlink=+
   /private/var/select/sh=+
   /bin/bash=+
   /bin=+
   /usr=+
   /dev=+
   /opt/local/var/macports/sip-workaround=+


 ==== darwintrace_relative_symlinks Test that resolution of relative
 symlinks works as expected FAILED
 ==== Contents of test case:
 exec -ignorestderr -- ./stat "$cwd/symlink" 2>@1
 ---- Test setup failed:
 command execution failed
 ---- errorInfo(setup): command execution failed
     while executing
 "system "/bin/ln -s $path symlink""
     ("uplevel" body line 6)
     invoked from within
 "uplevel 1 $setup"
 ---- errorCode(setup): CHILDKILLED 20334 SIGABRT SIGABRT
 ==== darwintrace_relative_symlinks FAILED
 }}}

 All invocations that fail use `/bin/ln`.

-- 
Ticket URL: <https://trac.macports.org/ticket/66358#comment:68>
MacPorts <https://www.macports.org/>
Ports system for macOS

More information about the macports-tickets mailing list