-
Notifications
You must be signed in to change notification settings - Fork 233
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
OS X El Capitan introduces System Integrity Protection for files. Executables with this flag set will be started in a sanitized environment by the kernel, stripping all DYLD_* variables. This breaks trace mode, because tracing relies on preloading to wrap file related system calls using DYLD_INSERT_LIBRARIES. A trivial workaround for the problem is to make a copy of the affected binaries, which will strip the flag, and then adjust the invocation of the binary to execute the copy instead (but leaving argv[0] as-is to avoid giving the program an indication of being run from a non-standard location). This change implements this approach by copying the SIP-flagged binaries to $prefix/var/macports/sip-workaround on demand iff - the system has the SF_RESTRICTED flag defined - a binary is started with DYLD_INSERT_LIBRARIES set - the file exists and has SF_RESTRICTED set - the file isn't SUID or SGID (which we could not reliably copy, and which have never preserved DYLD_* variables) If the file to be executed is a script and has a shebang line, the checks are run on the interpreter instead, and if necessary, the interpreter is copied. This requires interpreting the shebang line in user space. Copies are created on-demand and are lazy: The file modification times are checked before overwriting an existing copy. Copies are created in a per-user folder, which will be created on-demand in a 1777 directory (like /tmp). Changes are also needed way before darwintrace.dylib first runs: The DYLD_* variables are already stripped in src/pextlib1.0/system.c, where /usr/bin/sandbox-exec and /bin/sh are run, which both have the SF_RESTRICTED flag on 10.11 now. Consequently, the same copying approach is applied there. Because macports build run in a sandbox, the sandbox boundaries are extended to allow access to $prefix/var/macports/sip-workaround. git-svn-id: https://svn.macports.org/repository/macports/trunk/base@141420 d073be05-634f-4543-b044-5fe20cf6d1d6
- Loading branch information
1 parent
7f1c332
commit de1977a
Showing
9 changed files
with
652 additions
and
23 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -23,6 +23,8 @@ | |
.. | ||
registry | ||
.. | ||
sip-workaround mode=01777 | ||
.. | ||
software | ||
.. | ||
.. | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Oops, something went wrong.