Re: [MacPorts] #66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new security features

MacPorts noreply at macports.org
Wed Sep 25 19:54:48 UTC 2024


#66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new
security features
-------------------------+-----------------------------------------
  Reporter:  reneeotten  |      Owner:  Clemens Lang <neverpanic@…>
      Type:  defect      |     Status:  reopened
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:
Resolution:              |   Keywords:  arm64 ventura sonoma
      Port:              |
-------------------------+-----------------------------------------

Comment (by markmentovai):

 In many cases, it ought to be possible to reset the
 `mach_header_64::cpusubtype` from `CPU_SUBTYPE_ARM64E` to
 `CPU_SUBTYPE_ARM64_ALL` (0), and then re-sign. PAC instructions
 essentially become no-ops under arm64 (as opposed to arm64e).

 This may be feasible if you’re not trying to run anything with a
 restricted entitlement.

 {{{
 mark@arm-and-hammer zsh% sw_vers
 ProductName:            macOS
 ProductVersion:         15.0
 BuildVersion:           24A335
 mark@arm-and-hammer zsh% uname -orm
 Darwin 24.0.0 arm64
 }}}

 {{{
 mark@arm-and-hammer zsh% lipo /bin/ls -thin arm64e -output /tmp/ls
 mark@arm-and-hammer zsh% otool -hv /tmp/ls
 /tmp/ls:
 Mach header
       magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds
 flags
 MH_MAGIC_64    ARM64          E USR00     EXECUTE    20       1712
 NOUNDEFS DYLDLINK TWOLEVEL PIE
 mark@arm-and-hammer zsh% python3
 Python 3.12.6 (main, Sep  7 2024, 05:43:35) [Clang 16.0.0
 (clang-1600.0.26.3)] on darwin
 Type "help", "copyright", "credits" or "license" for more information.
 >>> import struct
 >>> f = open('/tmp/ls', 'r+b')
 >>> f.seek(8)
 8
 >>> hex(struct.unpack('<I', f.read(4))[0])
 '0x80000002'
 >>> f.seek(8)
 8
 >>> f.write(struct.pack('<I', 0))
 4
 >>> f.close()
 >>> ^D
 mark@arm-and-hammer zsh% otool -hv /tmp/ls
 /tmp/ls:
 Mach header
       magic  cputype cpusubtype  caps    filetype ncmds sizeofcmds
 flags
 MH_MAGIC_64    ARM64        ALL  0x00     EXECUTE    20       1712
 NOUNDEFS DYLDLINK TWOLEVEL PIE
 mark@arm-and-hammer zsh% codesign --sign=- --force --preserve-metadata /tmp/ls
 warning: default usage of --preserve-metadata implies "resource-rules"
 (deprecated in Mac OS X >= 10.10)!
 /tmp/ls: replacing existing signature
 mark@arm-and-hammer zsh% /tmp/ls -dl /tmp/ls /tmp/ /tmp /
 drwxr-xr-x  20 root  wheel    640 Sep  5 16:54 /
 lrwxr-xr-x@  1 root  wheel     11 Sep  5 16:54 /tmp -> private/tmp
 drwxrwxrwt  35 root  wheel   1120 Sep 25 15:45 /tmp/
 -rwxr-xr-x   1 mark  wheel  89088 Sep 25 15:45 /tmp/ls
 }}}

-- 
Ticket URL: <https://trac.macports.org/ticket/66358#comment:58>
MacPorts <https://www.macports.org/>
Ports system for macOS
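
The interactive header edit in the comment above, written as a script that validates the header before touching it. This is an added example, not part of the ticket comment or of MacPorts base. The function names are hypothetical, the constants are those of Apple's `mach/machine.h` and `mach-o/loader.h`, and the sample header is constructed to mirror the `otool -hv` output shown in the comment.

```python
import struct

MH_MAGIC_64 = 0xFEEDFACF          # thin, little-endian, 64-bit Mach-O
CPU_TYPE_ARM64 = 0x0100000C       # CPU_TYPE_ARM | CPU_ARCH_ABI64
CPU_SUBTYPE_ARM64_ALL = 0
CPU_SUBTYPE_ARM64E = 2
HEADER_SIZE = 32                  # sizeof(struct mach_header_64)

# Constructed sample header mirroring the otool output in the comment:
# ARM64 / E / caps 0x80, EXECUTE, 20 cmds, 1712 bytes, NOUNDEFS DYLDLINK TWOLEVEL PIE
SAMPLE_HEADER = struct.pack("<8I", MH_MAGIC_64, CPU_TYPE_ARM64, 0x80000002,
                            2, 20, 1712, 0x00200085, 0)

def read_header(buf):
    """Return (cputype, subtype, caps) for a thin 64-bit Mach-O header."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("too short for mach_header_64")
    magic, cputype, cpusubtype = struct.unpack_from("<3I", buf, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O; extract a slice with lipo first")
    # Low 24 bits are the subtype, the top byte holds the capability bits.
    return cputype, cpusubtype & 0x00FFFFFF, cpusubtype >> 24

def reset_arm64e_subtype(buf):
    """Patch arm64e -> ARM64_ALL in a bytearray; return True if it was changed."""
    cputype, subtype, _caps = read_header(buf)
    if cputype != CPU_TYPE_ARM64:
        raise ValueError("cputype is not ARM64")
    if subtype != CPU_SUBTYPE_ARM64E:
        return False              # already plain arm64; nothing to do
    struct.pack_into("<I", buf, 8, CPU_SUBTYPE_ARM64_ALL)  # offset 8 = cpusubtype
    return True

def patch_file(path):
    """Apply the reset to a file in place; the caller must re-sign afterwards."""
    with open(path, "r+b") as f:
        head = bytearray(f.read(HEADER_SIZE))
        changed = reset_arm64e_subtype(head)
        if changed:
            f.seek(0)
            f.write(head)
    return changed

if __name__ == "__main__":
    import sys
    for p in sys.argv[1:]:
        print(p, "patched" if patch_file(p) else "unchanged")
```

Run it only on a copy extracted with `lipo -thin`, as in the comment. The header edit invalidates the existing code signature, so the file has to be re-signed with `codesign` before it will run.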

