Opened 4 months ago

Last modified 2 days ago

#66358 new defect

sip-workaround no longer works on macOS 13 Ventura due to new security features

Reported by: reneeotten (Renee Otten) Owned by:
Priority: Normal Milestone:
Component: base Version:
Keywords: ventura Cc: linuxgemini (İlteriş Eroğlu), neverpanic (Clemens Lang), fracai, kurthindenburg (Kurt Hindenburg)
Port:

Description (last modified by reneeotten (Renee Otten))

Trace-mode breaks the extract phase under Ventura (never seen this on my previous OS, Catalina). As an example I've attached the main.log when running the command sudo port -dvt extract py310-setuptools. Anyone else seeing this issue or is it something specific to my installation?

[as an aside: is there an indication when there will be a buildbot for Ventura available?]

Attachments (2)

main.log (13.1 KB) - added by reneeotten (Renee Otten) 4 months ago.
macports-codesign.sh (2.0 KB) - added by kencu (Ken) 5 days ago.
my slightly edited copy of lldb's codesign-certificate-generatings-script to generate a macports signing certificate

Download all attachments as: .zip

Change History (28)

Changed 4 months ago by reneeotten (Renee Otten)

Attachment: main.log added

comment:1 Changed 4 months ago by reneeotten (Renee Otten)

Description: modified (diff)

comment:2 in reply to:  description Changed 4 months ago by ryandesign (Ryan Schmidt)

Replying to reneeotten:

[as an aside: is there an indication when there will be a buildbot for Ventura available?]

I have no information for you about that.

comment:3 Changed 3 months ago by kencu (Ken)

if anyone knows a workaround for this, I'd like to hear it.

As much as possible, I try to use trace mode to verify builds, but this makes it difficult.

Extracting normally and then building in trace mode fails.

comment:4 Changed 2 months ago by ryandesign (Ryan Schmidt)

Has duplicates #66421, #66638, #66698.

comment:5 Changed 2 months ago by ryandesign (Ryan Schmidt)

In #66421 it was suggested to run xcodebuild -runFirstLaunch and that appeared to solve it. Please confirm if that works for you too.

comment:6 in reply to:  5 Changed 2 months ago by jmroot (Joshua Root)

Replying to ryandesign:

In #66421 it was suggested to run xcodebuild -runFirstLaunch and that appeared to solve it.

AIUI, that fixed another error that that user was getting after they stopped using -t.

comment:7 in reply to:  5 Changed 2 months ago by linuxgemini (İlteriş Eroğlu)

Replying to ryandesign:

In #66421 it was suggested to run xcodebuild -runFirstLaunch and that appeared to solve it. Please confirm if that works for you too.

This did not fix the issue for me, even after a full uninstall and reinstall of MacPorts didn't help.

comment:8 Changed 2 months ago by reneeotten (Renee Otten)

no, that indeed doesn't help

comment:9 Changed 7 weeks ago by linuxgemini (İlteriş Eroğlu)

After looking at system console logs, I have noticed that SIP is kicking in to block sandbox-exec:

default	11:02:43.231827+0300	kernel	AMFI: Launch Constraint Violation (enforcing), error info: c[1]p[1]m[1]e[3], (Constraint not matched) launching proc[vc: 1 pid: 38987]: /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec, launch type 0, failure proc [vc: 1 pid: 38987]: /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec
default	11:02:43.231920+0300	kernel	ASP: Security policy would not allow process: 38987, /opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec
default	11:02:43.238965+0300	tccd	AUTHREQ_ATTRIBUTION: msgID=180.536, attribution={responsible={TCCDProcess: identifier=com.googlecode.iterm2, pid=38987, auid=502, euid=503, responsible_path=/Applications/iTerm.app/Contents/MacOS/iTerm2, binary_path=/opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec}, accessing={TCCDProcess: identifier=com.apple.sandbox-exec, pid=38987, auid=502, euid=503, binary_path=/opt/local/var/macports/sip-workaround/503/usr/bin/sandbox-exec}, requesting={TCCDProcess: identifier=com.apple.syspolicyd, pid=180, auid=0, euid=0, binary_path=/usr/libexec/syspolicyd}, },
default	11:02:43.261656+0300	kernel	sandbox-exec[38987] Corpse allowed 1 of 5
default	11:02:46.863394+0300	ReportCrash	Formulating fatal 309 report for corpse[38987] sandbox-exec
default	11:02:46.869412+0300	osanalyticshelper	creating type 309 as /Users/ilteris.eroglu/Library/Logs/DiagnosticReports/.sandbox-exec-2023-02-03-110246.ips
default	11:02:47.033565+0300	osanalyticshelper	Saved type '309(<private>)' report (10 of max 25) at /Users/ilteris.eroglu/Library/Logs/DiagnosticReports/sandbox-exec-2023-02-03-110246.ips
default	11:02:47.033731+0300	osanalyticshelper	xpc log creation type 309 result success: /Users/ilteris.eroglu/Library/Logs/DiagnosticReports/sandbox-exec-2023-02-03-110246.ips
default	11:02:47.033818+0300	ReportCrash	client log create type 309 result success: /Users/ilteris.eroglu/Library/Logs/DiagnosticReports/sandbox-exec-2023-02-03-110246.ips
default	11:02:47.033899+0300	ReportCrash	no MetricKit for process sandbox-exec type 309 bundleId (null)
default	11:02:47.034039+0300	ReportCrash	Sending event: com.apple.stability.crash {"coalitionName":"com.googlecode.iterm2","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"CDC1A1CF-829A-48C5-9BD2-6C8D471F2D6A","logwritten":1,"process":"sandbox-exec","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"CODESIGNING"}
default	11:02:47.034143+0300	analyticsd	Received event: com.apple.stability.crash {"coalitionName":"com.googlecode.iterm2","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"CDC1A1CF-829A-48C5-9BD2-6C8D471F2D6A","logwritten":1,"process":"sandbox-exec","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"CODESIGNING"}
default	11:02:47.034575+0300	analyticsd	Aggregated. Transform: StabilityCrashNumerator3WithBundleVersion Dirty: 1 Event: com.apple.stability.crash {"coalitionName":"com.googlecode.iterm2","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"CDC1A1CF-829A-48C5-9BD2-6C8D471F2D6A","logwritten":1,"process":"sandbox-exec","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"CODESIGNING","timestamp":1675411367033982}
default	11:02:47.035773+0300	analyticsd	Aggregated. Transform: StabilityCrashNumerator3WithIncidentID Dirty: 1 Event: com.apple.stability.crash {"coalitionName":"com.googlecode.iterm2","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"CDC1A1CF-829A-48C5-9BD2-6C8D471F2D6A","logwritten":1,"process":"sandbox-exec","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"CODESIGNING","timestamp":1675411367033982}
default	11:02:47.035988+0300	analyticsd	Aggregated. Transform: StabilityCrashNumerator3 Dirty: 1 Event: com.apple.stability.crash {"coalitionName":"com.googlecode.iterm2","exceptionCodes":"0x0000000000000000, 0x0000000000000000(\n    0,\n    0\n)EXC_CRASHSIGKILL (Code Signature Invalid)","incidentID":"CDC1A1CF-829A-48C5-9BD2-6C8D471F2D6A","logwritten":1,"process":"sandbox-exec","terminationReasonExceptionCode":"0x4","terminationReasonNamespace":"CODESIGNING","timestamp":1675411367033982}

Looks like there is an entitlement issue, not quite sure.

comment:10 Changed 7 weeks ago by linuxgemini (İlteriş Eroğlu)

Cc: linuxgemini added

comment:11 Changed 7 weeks ago by linuxgemini (İlteriş Eroğlu)

I have been informed by a friend that this is caused by a new feature at AppleMobileFileIntegrity called Launch Constraints(1) which basically blocks Apple system binaries under the sip-workaround folder(2).

(1): https://arstechnica.com/gadgets/2022/10/macos-13-ventura-the-ars-technica-review/17/#launch-constraints

(2): https://theevilbit.github.io/posts/amfi_launch_constraints/

comment:12 Changed 6 weeks ago by kencu (Ken)

perhaps then the process of copying the system binaries and running the copies to avoid SIP might need to be revisited:

[de1977a709f86b2e663ffc1f43ae70b075fc4e9a/macports-base]

Last edited 2 weeks ago by ryandesign (Ryan Schmidt) (previous) (diff)

comment:13 Changed 6 weeks ago by kencu (Ken)

Cc: neverpanic added
Summary: extract phase fails in trace-mode on macOS 13sip-workaround no longer works on macOS 13 Ventura due to new security features

might as well bump this up as it looks like it is going to need some thinking from the team

comment:14 Changed 5 weeks ago by neverpanic (Clemens Lang)

Chances are this happens because the binary has a signature from Apple. I'm guessing we will end up having to strip the Apple signature when copying the binary, and then run the unsigned copy. This, of course, comes with the risk of breaking some binaries that would otherwise have required entitlements, so we probably have to skip the copy for binaries with entitlements and just run the original binary at the expense of not having trace mode work on those binaries.

Could anybody test this for me on a Ventura system by copying a binary from /usr/bin to a different place, re-signing it using codesign -f -i -, and then running it?

Trace mode also does not work on aarch64 Monterey either, although I don't know why. It doesn't cause failures, but also does not work as expected.

comment:15 Changed 5 weeks ago by kencu (Ken)

well you can't run the binary if you move it, that is for sure:

cp /usr/bin/make ./make

 % /usr/bin/make --version
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for i386-apple-darwin11.3.0

% ./make --version
zsh: killed     ./make --version

but I can't (so far) figure out how to codesign it:

 1008  codesign -f -i - make
 1009  codesign -f -i make
 1010  codesign -f -i make
 1011  man codesign
 1012  codesign -f make
 1013  codesign -d make

nothing works (yet).

comment:16 Changed 5 weeks ago by kencu (Ken)

% codesign -f -i - ./make
Usage: codesign -s identity [-fv*] [-o flags] [-r reqs] [-i ident] path ... # sign
       codesign -v [-v*] [-R=<req string>|-R <req file path>] path|[+]pid ... # verify
       codesign -d [options] path ... # display contents
       codesign -h pid ... # display hosting paths

comment:17 Changed 5 weeks ago by neverpanic (Clemens Lang)

Sorry, should have checked the manpage. It's codesign -s - -f $path.

comment:18 Changed 5 weeks ago by kencu (Ken)

thanks.

no happiness yet:

% codesign -s - -f ./make
./make: replacing existing signature

% ./make
zsh: killed     ./make
codesign -s - -f /Users/cunningh/kentest/make
/Users/cunningh/kentest/make: replacing existing signature

% ./make --version       
zsh: killed     ./make --version

% /Users/cunningh/kentest/make --version
zsh: killed     /Users/cunningh/kentest/make --version

comment:19 Changed 5 weeks ago by neverpanic (Clemens Lang)

Ugh, so Apple thought of some other mechanism to identify what binaries were produced by them and shouldn't be run from copies.

Until somebody figures out how they did it, we're stuck. Maybe it's a new stat flag, an entitlement, something in the resource fork, or some other metadata? It could be a database of hashes, although the signature modification should have bypassed that already.

comment:20 Changed 3 weeks ago by linuxgemini (İlteriş Eroğlu)

If I preserve the entitlements already present and sign with my Apple Development certificate, it works:

~ ❯ /usr/bin/make --version
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for i386-apple-darwin11.3.0

~ ❯ ./make --version
[1]    39270 killed     ./make --version

~ ❯ codesign --preserve-metadata=entitlements --force --verbose --sign "Apple Development" ./make
./make: replacing existing signature
./make: signed Mach-O universal (x86_64 arm64e) [com.apple.dt.xcode_select.tool-shim]

~ ❯ ./make --version
GNU Make 3.81
Copyright (C) 2006  Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.

This program built for i386-apple-darwin11.3.0

comment:21 Changed 7 days ago by kurthindenburg (Kurt Hindenburg)

comment:22 Changed 6 days ago by neverpanic (Clemens Lang)

Hm, can somebody check on Ventura or later whether a copy of a binary from /usr/bin has this xattr, and if it does, whether it can be removed, and if it can be removed, whether removing it allows the copied binary to run on Ventura? I'd be surprised if that worked, honestly, but it's worth checking.

comment:23 Changed 6 days ago by fracai

Cc: fracai added

comment:24 Changed 5 days ago by kencu (Ken)

if it is there, it is hidden in some way:

cp /usr/bin/make ./
xattr -l ./make
<nothing>


% xattr -px com.apple.provenance  ./make
xattr: ./make: No such xattr: com.apple.provenance

Last edited 5 days ago by kencu (Ken) (previous) (diff)

comment:25 Changed 5 days ago by kencu (Ken)

so I tried making a new codesigning certificate using this as a template:

https://github.com/llvm/llvm-project/blob/main/lldb/scripts/macos-setup-codesign.sh

and renamed it slightly to macports_codesign instead of lldb_codesign. The certificate is generated and is there:

% ./macports-codesign.sh                                                                       
Certificate has already been generated and installed

but no bueno:

% rm make
% cp /usr/bin/make ./
% codesign --preserve-metadata=entitlements --force --verbose --sign "macports_codesign" ./make
./make: replacing existing signature
./make: signed Mach-O universal (x86_64 arm64e) [com.apple.dt.xcode_select.tool-shim]
% ./make --version
zsh: killed     ./make --version

Changed 5 days ago by kencu (Ken)

Attachment: macports-codesign.sh added

my slightly edited copy of lldb's codesign-certificate-generatings-script to generate a macports signing certificate

comment:26 Changed 2 days ago by kurthindenburg (Kurt Hindenburg)

Cc: kurthindenburg added
Note: See TracTickets for help on using tickets.