[MacPorts] #66358: sip-workaround no longer works on arm64 macOS 13 Ventura due to new security features
MacPorts
noreply at macports.org
Sat Dec 16 14:29:41 UTC 2023
#66358: sip-workaround no longer works on arm64 macOS 13 Ventura due to new
security features
-------------------------+-----------------------------------------
  Reporter:  reneeotten  |      Owner:  Clemens Lang <neverpanic@…>
      Type:  defect      |     Status:  reopened
  Priority:  Normal      |  Milestone:
 Component:  base        |    Version:
Resolution:              |   Keywords:  ventura
      Port:              |
-------------------------+-----------------------------------------
Comment (by neverpanic):
Replying to [comment:53 kencu]:
> I was hoping that instead of needing to modify the now-unavailable
> binaries, there might instead be a way to put a file system trace on
> ${prefix}, and only allow access to files that have been allowed to be
> accessed.
macOS does not have this functionality, at least not in the fashion we'd
need. There is a sandboxing mechanism, but it only allows denying access
to files, not hiding them. We've tried that before, and most build systems
will fail when you deny access to a file that they would like to use and
know exists.
That's why trace mode emulates this by intercepting system calls related
to file system access, but that requires doing this interception on all
binaries, regardless of their file system location.
> Picture the equivalent of making a virtual /opt/local populated by
> symlinks to the contents of ports that have been allowed prior to the
> build.
>
> Then you would have the equivalent of trace mode, leaving the binaries
> alone.
>
> But I don't know enough about how this is done. chroot, etc ... and I
> haven't explored any of the trace mode code.
Yes, that would be the equivalent of Linux mount namespaces, or chroots.
macOS does not have the former, and while it does have the latter, they
require root access, and are known to break Xcode and other macOS core
functionality such as DNS lookups, which is why we're not using them.
Unless you can convince Apple to provide a mechanism to selectively hide
files using sandboxes, or provide a container-like mount namespace
mechanism, library preloading is the only viable option, and that doesn't
work on arm64 macOS at the moment, unless you're willing to disable SIP.
--
Ticket URL: <https://trac.macports.org/ticket/66358#comment:54>
MacPorts <https://www.macports.org/>
Ports system for macOS
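The following C source is an added illustration of the mechanism neverpanic describes above; it is not MacPorts' own trace-mode code. It shows the two points the comment makes: a preloaded library intercepts file-system calls in every process so that paths under ${prefix} which are not on the build's allow-list appear not to exist (ENOENT, "hiding"), as opposed to a sandbox profile that can only refuse access (EACCES, "denying") to a file the build system already knows is there. The prefix, the allow-list entries and the names trace_decide, traced_open and traced_access are constructed for the example; the __interpose section is the standard dyld interposing convention, and loading such a library into a process is exactly what SIP prevents for protected binaries, which is the limitation the ticket is about. On non-Apple systems only the decision logic compiles, so it can be exercised anywhere.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Assumed ${prefix}; constructed for the example (override with -DTRACE_PREFIX=...). */
#ifndef TRACE_PREFIX
#define TRACE_PREFIX "/opt/local"
#endif

/* Constructed allow-list: what the current build is permitted to see below
 * ${prefix}.  A trailing '/' marks a whole directory.  A real implementation
 * would derive this from the port's declared dependencies. */
static const char *allowed[] = {
    "/opt/local/lib/libz.dylib",
    "/opt/local/include/zlib.h",
    "/opt/local/bin/",
    NULL,
};

/* Returns 0 if PATH may be seen, or ENOENT if it must be hidden.
 * Paths outside TRACE_PREFIX are always visible; ancestors of an allowed
 * entry stay visible so a build can stat()/opendir() its way down to it. */
int trace_decide(const char *path) {
    static const size_t pre = sizeof(TRACE_PREFIX) - 1;
    size_t plen = strlen(path);

    /* only paths at or below ${prefix} are subject to the allow-list */
    if (strncmp(path, TRACE_PREFIX, pre) != 0 ||
        (path[pre] != '/' && path[pre] != '\0'))
        return 0;
    while (plen > 1 && path[plen - 1] == '/')   /* ignore trailing slashes */
        plen--;

    for (const char **a = allowed; *a; a++) {
        size_t alen = strlen(*a);
        int dir = (*a)[alen - 1] == '/';
        if (dir) alen--;
        /* exact match with an allowed entry */
        if (plen == alen && strncmp(path, *a, alen) == 0) return 0;
        /* path lies inside an allowed directory entry */
        if (dir && plen > alen && strncmp(path, *a, alen) == 0 && path[alen] == '/')
            return 0;
        /* path is an ancestor directory of an allowed entry */
        if (plen < alen && strncmp(path, *a, plen) == 0 && (*a)[plen] == '/')
            return 0;
    }
    return ENOENT;   /* hide, not merely deny: the build sees "no such file" */
}

#ifdef __APPLE__
/* Replacement entry points.  Trace mode hooks many more calls (stat, opendir,
 * execve, ...); open() and access() are enough to show the pattern. */
static int traced_open(const char *path, int flags, ...) {
    if (trace_decide(path) == ENOENT) { errno = ENOENT; return -1; }
    mode_t mode = 0;
    if (flags & O_CREAT) {
        va_list ap; va_start(ap, flags); mode = (mode_t)va_arg(ap, int); va_end(ap);
    }
    return open(path, flags, mode);
}
static int traced_access(const char *path, int amode) {
    if (trace_decide(path) == ENOENT) { errno = ENOENT; return -1; }
    return access(path, amode);
}
/* dyld reads {replacement, original} pairs from this section when the dylib
 * is inserted into a process; that insertion is what SIP blocks for
 * protected binaries, which is why this approach needs SIP disabled on arm64. */
__attribute__((used, section("__DATA,__interpose")))
static const struct { const void *replacement, *original; } interposers[] = {
    { (const void *)traced_open,   (const void *)open },
    { (const void *)traced_access, (const void *)access },
};
#endif

/* Stand-alone demo of the decision logic on constructed paths. */
int main(void) {
    const char *samples[] = {
        "/usr/lib/libSystem.B.dylib", "/opt/local/lib",
        "/opt/local/lib/libz.dylib",  "/opt/local/lib/libssl.dylib",
        "/opt/local/bin/python3",     "/opt/localhost/x",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-30s %s\n", samples[i],
               trace_decide(samples[i]) == 0 ? "visible" : "hidden (ENOENT)");
    return 0;
}
```

Built on macOS as a dylib and loaded into an unprotected process, the library makes `/opt/local/lib/libssl.dylib` vanish for that process while `/opt/local/lib/libz.dylib` and everything outside the prefix remain untouched; a configure script probing for OpenSSL then concludes it is absent instead of failing on a permission error, which is the behaviour the comment says a deny-only sandbox cannot reproduce.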