lldb ...

Rainer Müller raimue at macports.org
Fri Sep 16 06:06:53 PDT 2016


On 2016-09-16 10:18, Jeremy Huddleston Sequoia wrote:
> Yeah, this contradicts what I'm seeing as expected.  Given that
> you've signed /opt/local/bin/ggdb with an entitlement, it should be
> CS_RESTRICT which should imply CS_HARD.  The lack of a code signature
> would trigger !CS_VALID which would prevent the process from loading
> the unsigned libraries.

There is actually no entitlement data in the code-signature itself.
The access is granted by embedding an Info.plist into the binary:

$ otool -P /opt/local/bin/ggdb
/opt/local/bin/ggdb:
(__TEXT,__info_plist) section
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>org.gnu.gdb</string>
  <key>CFBundleName</key>
  <string>gdb</string>
  <key>CFBundleVersion</key>
  <string>1.0</string>
  <key>SecTaskAccess</key>
  <array>
    <string>allowed</string>
    <string>debug</string>
  </array>
</dict>
</plist>

Probably that is why these rules are not enforced?

Rainer
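
Added example (not part of the original message, and not MacPorts or gdb code): a Python check that reads the (__TEXT,__info_plist) section directly from a thin 64-bit little-endian Mach-O and returns its SecTaskAccess values, the same data `otool -P` prints above. The function names and the constructed sample binary are assumptions for illustration; fat/universal and 32-bit files are not handled.

```python
import plistlib
import struct

MH_MAGIC_64 = 0xFEEDFACF  # thin 64-bit little-endian Mach-O only
LC_SEGMENT_64 = 0x19

def embedded_info_plist(data):
    """Return the raw bytes of the (__TEXT,__info_plist) section, or None."""
    if len(data) < 32 or struct.unpack_from("<I", data)[0] != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit little-endian Mach-O")
    ncmds = struct.unpack_from("<I", data, 16)[0]
    off = 32  # load commands follow the 32-byte mach_header_64
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("truncated load commands")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("malformed load command")
        if cmd == LC_SEGMENT_64:
            nsects = struct.unpack_from("<I", data, off + 64)[0]
            if 72 + 80 * nsects > cmdsize:
                raise ValueError("section table overruns load command")
            for i in range(nsects):  # section_64 records are 80 bytes each
                sect, seg, _addr, size, fileoff = struct.unpack_from(
                    "<16s16sQQI", data, off + 72 + 80 * i)
                if (seg.rstrip(b"\0"), sect.rstrip(b"\0")) == (b"__TEXT", b"__info_plist"):
                    if fileoff + size > len(data):
                        raise ValueError("section data out of bounds")
                    return data[fileoff:fileoff + size]
        off += cmdsize
    return None

def sec_task_access(data):
    """Return the SecTaskAccess values from the embedded Info.plist ([] if absent)."""
    raw = embedded_info_plist(data)
    return [] if raw is None else list(plistlib.loads(raw).get("SecTaskAccess", []))

def constructed_sample():
    """Build a minimal Mach-O (constructed test input, not a real binary)."""
    plist = plistlib.dumps({"CFBundleIdentifier": "org.gnu.gdb",
                            "SecTaskAccess": ["allowed", "debug"]})
    header = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, 152, 0, 0)
    segment = struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 152, b"__TEXT",
                          0, 0, 0, 0, 7, 5, 1, 0)
    section = struct.pack("<16s16sQQ8I", b"__info_plist", b"__TEXT",
                          0, len(plist), 184, 0, 0, 0, 0, 0, 0, 0)
    return header + segment + section + plist

if __name__ == "__main__":
    print(sec_task_access(constructed_sample()))
```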

