Processes getting wedged in "U" (uninterruptible wait) state after Security Update 2020-003

Ryan Schmidt ryandesign at macports.org
Fri May 29 13:56:55 UTC 2020 

On May 29, 2020, at 07:44, Greg Earle wrote:

> On 29 May 2020, at 4:47, Franco Vaccari wrote:
> 
>> I would try other options before reinstalling the system, who knows, reinstalling the developer tools, restarting with shift to clean caches, reinstalling the security update, but ok, maybe reinstalling everything from backup may be the easiest…
>> 
>> Let us know how it went…
> 
> Just to summarize the (apparent) solution for the list:
> 
> It looks like Security Update 2020-003 changed the "taskgated" plist file
> 
> /System/Library/LaunchDaemons/com.apple.taskgated.plist
> 
> It added a single line with a new "-sp" switch:
> 
> --
> whdmac:~ root# diff -rC 3 /System/Library/LaunchDaemons/*com.apple.taskgated.plist*
> *** /System/Library/LaunchDaemons/DO_NOT_USE_com.apple.taskgated.plist_BAD	2020-04-16 21:28:38.000000000 -0700
> --- /System/Library/LaunchDaemons/com.apple.taskgated.plist	2019-04-14 18:58:56.000000000 -0700
> ***************
> *** 19,25 ****
>  	<key>ProgramArguments</key>
>  	<array>
>  		<string>/usr/libexec/taskgated</string>
> - 		<string>-sp</string>
>  	</array>
>  </dict>
>  </plist>
> --- 19,24 ----
> --
> 
> The trouble is, "taskgated" does not seem to support "-sp":
> 
> --
> whdmac:/ root# /usr/libexec/taskgated -sp
> taskgated: invalid option -- s
> Usage: taskgated [-ps] [-t seconds] [-i pid]
> --
> 
> So, I don't understand why Apple added this switch.
> 
> I also don't understand why everyone who installed this Security Update has not also been affected by this?!?
> 
> Anyway, I removed the "-sp" line, rebooted, and now everything works again - "taskgated" is running and isn't exiting anymore, my Postgres server is running happily, and my MacPorts binaries are running without wedging.
> 
> Apologies for the slightly off-topic thread

Possibly off-topic, but if an Apple update causes problems for MacPorts users we do want to know about it in case it's something we need to address in MacPorts.



If taskgated behaves like other normal command line programs, then the flag `-sp` should be equivalent to the flags `-s` and `-p`. (Apple command line programs often aren't like other programs, erroneously using a single dash where they mean to use a double dash, but I don't think taskgated is one of those programs.)



I checked my High Sierra system. According to `man taskgated` it does support the `-s` flag but not the `-p` flag:

> SYNOPSIS
>      taskgated [-s] [-t timeout] [-i pid]

The description of the `-s` flag is:

>      -s       Allow signed applications marked as "safe" to have free access to task ports, without having to pass an authorization check. Note that such callers must be marked both allowed and safe.


There is a note at the bottom that says:

>      Procmod and procview support (-p) was removed in 10.11.


On High Sierra, the com.apple.taskgated.plist file specifies the `-s` flag.



Checking on Mojave and Catalina systems, the taskgated manpage still shows that the `-s` flag is supported but the description of that flag has disappeared. The launchd plist does not specify any flags anymore.

If I try, similar to what you did, to run `/usr/libexec/taskgated -s` I get the same result as you: the message that "s" is an invalid option, despite what the manpage says, and despite the following usage message showing both the "s" and "p" options as supported. I guess Apple forgot to update the manpage and the usage message.



So I'm not sure how the `-sp` flags got into your launchd plist again when they're not supported anymore. Maybe Apple made a mistake in the security update. If so, I'd expect them to reissue it. If they do, the macOS build number should change. I'm running Mojave 10.14.6 build 18G5033. How about you? If you're running less than that, run Software Update again, or try downloading the security update from Apple's web site.

Alternately, is it possible that you edited the plist file yourself to add the -sp flags? MacPorts used to have instructions in the notes of the gdb port telling users to add the -p flag to the existing -s flag since this was required for gdb to work in OS X 10.10. We removed those instructions some years ago since they were no longer helpful in OS X 10.11 and later but maybe you found and followed similar instructions elsewhere on the Internet, or you ran some installer or script that edited it for you. On my Mojave system, the plist hasn't been modified since 2018-08-21, but you showed that on your system it was modified on 2020-04-16. Of course, editing that file manually would require disabling System Integrity Protection. Have you disabled SIP? If so, consider reenabling it to protect your system from unwanted modifications.

More information about the macports-users mailing list