[MacPorts] #66358: sip-workaround no longer works on arm64 macOS 13 Ventura due to new security features

MacPorts noreply at macports.org
Sat Dec 16 14:29:41 UTC 2023


#66358: sip-workaround no longer works on arm64 macOS 13 Ventura due to new
security features
-------------------------+-----------------------------------------
  Reporter:  reneeotten  |      Owner:  Clemens Lang <neverpanic@…>
      Type:  defect      |     Status:  reopened
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:
Resolution:              |   Keywords:  ventura
      Port:              |
-------------------------+-----------------------------------------

Comment (by neverpanic):

 Replying to [comment:53 kencu]:
 > I was hoping that instead of needing to modify the now-unavailable
 > binaries, there might instead be a way to put a file system trace on
 > ${prefix}, and only allowing access to files that have been allowed to be
 > accessed.

 macOS does not have this functionality, at least not in the fashion we'd
 need. There is a sandboxing mechanism, but it only allows denying access
 to files, not hiding them. We've tried that before, and most build systems
 will fail when you deny access to a file that they would like to use and
 know exists.

 That's why trace mode emulates this by intercepting system calls related
 to file system access, but that requires doing this interception on all
 binaries, regardless of their file system location.


 > picture the equivalent of making a virtual /opt/local populated by
 > symlinks to the contents of ports that have been allowed prior to the
 > build.
 >
 > then you would have the equivalent of trace mode, leaving the binaries
 > alone.
 >
 > But I don't know enough about how this is done. chroot, etc ... and I
 > haven't explored any of the trace mode code.

 Yes, that would be the equivalent of Linux mount namespaces, or chroots.
 macOS does not have the former, and while it does have the latter, they
 require root access, and are known to break Xcode and other macOS core
 functionality such as DNS lookups, which is why we're not using them.

 Unless you can convince Apple to provide a mechanism to selectively hide
 files using sandboxes, or provide a container-like mount namespace
 mechanism, library preloading is the only viable option, and that doesn't
 work on arm64 macOS at the moment, unless you're willing to disable SIP.
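The distinction the comment draws, hiding files inside ${prefix} rather than denying access to them, as an added example that is not MacPorts' trace mode code: only allow-listed files (and the directories leading to them) are visible, and everything else under the prefix reports ENOENT, the same error a genuinely missing file would give, so configure scripts conclude "not installed" instead of failing on a permission error. The prefix, the allow-list and the function names are assumptions; the dyld interposition record at the end is only compiled on macOS and is the "library preloading" mechanism the comment refers to.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed prefix; the allow-list is constructed for this example and stands
 * in for the files belonging to the ports a build has declared as deps. */
static const char *PREFIX = "/opt/local";
static const char *ALLOWED[] = {
    "/opt/local/include/zlib.h",
    "/opt/local/lib/libz.dylib",
    "/opt/local/lib/libz.1.dylib",
};
#define N_ALLOWED (sizeof ALLOWED / sizeof ALLOWED[0])

/* Returns 1 if the build may see this path, 0 if it must appear absent.
 * Paths outside ${prefix} are never filtered; inside it, only allow-listed
 * files and their ancestor directories are visible. */
int path_is_visible(const char *path)
{
    size_t n = strlen(PREFIX);
    if (strncmp(path, PREFIX, n) != 0 || (path[n] != '/' && path[n] != '\0'))
        return 1;               /* not under ${prefix} (note /opt/localx): untouched */
    if (path[n] == '\0')
        return 1;               /* ${prefix} itself stays visible */
    size_t m = strlen(path);
    for (size_t i = 0; i < N_ALLOWED; i++) {
        if (strcmp(path, ALLOWED[i]) == 0)
            return 1;           /* an allowed file */
        if (strncmp(ALLOWED[i], path, m) == 0 && ALLOWED[i][m] == '/')
            return 1;           /* a directory on the way to an allowed file */
    }
    return 0;
}

/* Replacement for open(2): hidden paths fail with ENOENT rather than EACCES,
 * which is the difference between "does not exist" and "forbidden" that the
 * sandbox alone cannot express. Visible paths go to the real open(). */
int guarded_open(const char *path, int flags, ...)
{
    mode_t mode = 0;
    if (flags & O_CREAT) {      /* the optional third argument only exists with O_CREAT */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    if (!path_is_visible(path)) {
        errno = ENOENT;
        return -1;
    }
    return open(path, flags, mode);
}

#ifdef __APPLE__
/* On macOS a library loaded with DYLD_INSERT_LIBRARIES can ask dyld to route
 * other images' calls to open() here via a __DATA,__interpose record. Calls
 * made from inside this image are not rerouted, so the fall-through above
 * still reaches the real open(). This preloading is what SIP prevents for
 * protected system binaries, which is the limitation the ticket is about. */
__attribute__((used, section("__DATA,__interpose")))
static const struct { const void *replacement; const void *replacee; }
interpose_open = { (const void *)(unsigned long)&guarded_open,
                   (const void *)(unsigned long)&open };
#endif

int main(void)
{
    const char *probe[] = { "/usr/bin/true", "/opt/local/lib/libz.dylib",
                            "/opt/local/lib/libpng.dylib", "/opt/localx/f" };
    for (size_t i = 0; i < sizeof probe / sizeof probe[0]; i++)
        printf("%-30s %s\n", probe[i],
               path_is_visible(probe[i]) ? "visible" : "hidden");
    return 0;
}
```

Only open() is covered here; a real trace mode has to interpose every path-taking call (stat, access, opendir, readlink, and so on) and let the port's own destroot writes through, which is why the comment says the interception must apply to every binary a build runs rather than to a single entry point.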

-- 
Ticket URL: <https://trac.macports.org/ticket/66358#comment:54>
MacPorts <https://www.macports.org/>
Ports system for macOS