Re: [MacPorts] #66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new security features
MacPorts
noreply at macports.org
Sat Sep 28 19:01:36 UTC 2024
#66358: sip-workaround / trace mode no longer works on arm64 macOS ≥ 13 due to new
security features
-------------------------+-----------------------------------------
Reporter: reneeotten | Owner: Clemens Lang <neverpanic@…>
Type: defect | Status: reopened
Priority: Normal | Milestone:
Component: base | Version:
Resolution: | Keywords: arm64 ventura sonoma
Port: |
-------------------------+-----------------------------------------
Comment (by neverpanic):
Replying to [comment:58 markmentovai]:
> In many cases, it ought to be possible to reset the
> `mach_header_64::cpusubtype` from `CPU_SUBTYPE_ARM64E` to
> `CPU_SUBTYPE_ARM64_ALL` (0), and then re-sign. PAC instructions
> essentially become no-op under arm64 (as opposed to arm64e).
That's actually a great idea. We already have code that copies and
re-signs binaries; seeking to an offset of 8 and writing 4 zero bytes should
not be all that complicated. I didn't know that the binaries would just run
with the changed header; I had expected them to start failing.
> This may be feasible if you’re not trying to run anything with a
> restricted entitlement.
Our mechanism did already break binaries with entitlements, and it hasn't
been a problem in practice, so I think we can ignore this.
https://github.com/macports/macports-base/blob/master/src/pextlib1.0/sip_copy_proc.c#L485-L488
is the place where we currently re-sign binaries. If we add something right
before that that adjusts the Mach-O header if required, trace mode might
actually start working again. Note that this does not go the easy way of
using a thin binary, so the function would have to understand universal
binaries.
--
Ticket URL: <https://trac.macports.org/ticket/66358#comment:60>
MacPorts <https://www.macports.org/>
Ports system for macOS
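
The header adjustment discussed in this comment, as an added example that is not MacPorts code and not from either poster: it clears an arm64e `cpusubtype` to `CPU_SUBTYPE_ARM64_ALL` in a thin Mach-O or in each arm64e slice of a universal binary. The function names are hypothetical, it works on a buffer already read into memory, re-signing is not shown, and updating the matching `fat_arch` entry is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
/* Constants as in <mach/machine.h>, <mach-o/loader.h>, <mach-o/fat.h>; repeated to build anywhere. */
#define MH_MAGIC_64        0xfeedfacfu
#define FAT_MAGIC          0xcafebabeu
#define FAT_MAGIC_64       0xcafebabfu
#define CPU_TYPE_ARM64     0x0100000cu
#define CPU_SUBTYPE_MASK   0xff000000u  /* capability bits such as the ptrauth ABI version */
#define CPU_SUBTYPE_ARM64E 2u

static uint32_t rd_le(const uint8_t *p) { return p[0] | p[1] << 8 | p[2] << 16 | (uint32_t)p[3] << 24; }
static uint32_t rd_be(const uint8_t *p) { return (uint32_t)p[0] << 24 | p[1] << 16 | p[2] << 8 | p[3]; }
static void zero4(uint8_t *p) { p[0] = p[1] = p[2] = p[3] = 0; }
static int is_arm64e(uint32_t type, uint32_t sub) {
    return type == CPU_TYPE_ARM64 && (sub & ~CPU_SUBTYPE_MASK) == CPU_SUBTYPE_ARM64E;
}

/* Thin slice: mach_header_64 starts magic, cputype, cpusubtype (little-endian on arm64). */
static int patch_thin(uint8_t *s, uint64_t len) {
    if (len < 12 || rd_le(s) != MH_MAGIC_64) return -1;
    if (!is_arm64e(rd_le(s + 4), rd_le(s + 8))) return 0;
    zero4(s + 8);                    /* offset 8: cpusubtype := CPU_SUBTYPE_ARM64_ALL (0) */
    return 1;
}

/* Returns the number of slices switched from arm64e to arm64, or -1 if malformed. */
int arm64e_to_arm64(uint8_t *buf, size_t len) {
    if (len < 8) return -1;
    uint32_t magic = rd_be(buf);     /* fat (universal) headers are big-endian */
    if (magic != FAT_MAGIC && magic != FAT_MAGIC_64) return patch_thin(buf, len);
    int wide = magic == FAT_MAGIC_64, patched = 0;
    size_t entry = wide ? 32 : 20;   /* sizeof(struct fat_arch_64) : sizeof(struct fat_arch) */
    uint32_t n = rd_be(buf + 4);
    if (n > (len - 8) / entry) return -1;
    for (uint32_t i = 0; i < n; i++) {
        uint8_t *a = buf + 8 + i * entry;
        if (!is_arm64e(rd_be(a), rd_be(a + 4))) continue;
        uint64_t off = wide ? (uint64_t)rd_be(a + 8) << 32 | rd_be(a + 12) : rd_be(a + 8);
        uint64_t size = wide ? (uint64_t)rd_be(a + 16) << 32 | rd_be(a + 20) : rd_be(a + 12);
        if (off > len || size > len - off || patch_thin(buf + off, size) != 1) return -1;
        zero4(a + 4);                /* assumption: keep fat_arch in step with the slice */
        patched++;
    }
    return patched;
}
int main(void) {  /* constructed sample: first 12 bytes of a thin arm64e header */
    uint8_t hdr[12] = {0xcf, 0xfa, 0xed, 0xfe, 0x0c, 0, 0, 0x01, 0x02, 0, 0, 0x80};
    return arm64e_to_arm64(hdr, sizeof hdr) == 1 ? 0 : 1;
}
```

Slices that are not arm64e are left untouched, and a universal binary whose arm64e entry points outside the file is rejected rather than patched.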