DYLD_INSERT_LIBRARIES doesn't work for app signed with entitlements on Mountain Lion

I notice that DYLD_INSERT_LIBRARIES no longer works in Mountain Lion if the application is codesigned with entitlements. For example:

DYLD_INSERT_LIBRARIES=./mylib.dylib /Applications/Safari.app/Contents/MacOS/Safari
  dyld: DYLD_ environment variables being ignored because main executeable is code signed with entitlements.

I know this is probably a new security feature added to Mountain Lion. Does anyone know if there is an alternative way to do a similar thing on Mountain Lion? Thanks!

Fatimahfatimid answered 21/9, 2012 at 0:37 Comment(1)
Does SIMBL work in Mountain Lion at all? If so you could try that instead. - Crossfertilization

There is no way to make DYLD_INSERT_LIBRARIES work on applications of this nature.

dyld strips all DYLD_ environment variables on applications it considers to be restricted, which includes setuid/setgid binaries and those signed with particular entitlements. You can see how this works by looking at the dyld source. In particular, processRestricted is responsible for determining whether the restrictions should be applied and pruneEnvironmentVariables does the special handling of the environment variables.

Zwickau answered 27/2, 2013 at 8:1 Comment(3)
Seems it is either not true on 10.14+ or depends on the entitlements. My sandboxed app with several entitlements signed and approved by Apple for AppStore distribution is still vulnerable via DYLD_INSERT_LIBRARIES usage. What exact entitlement is needed to be treated as restricted? - Rrhoea
It depends on the entitlements. I'm not sure of the exact details as the code that makes that determination lives in XNU kernel code that doesn't appear to be open source. If you're looking to get the same restrictions for your application, you could instead add a __RESTRICT,__restrict section to your executable as that also marks the process as restricted. You can do this by adding -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null to the linker flags of your main executable. - Zwickau
Yep, that's the trick that I found working too; I was just curious if there's proper info about the exact entitlement needed. The function configureProcessRestrictions in dyld.cpp nicely shows the reasons that make a process restricted, but as you mentioned the source of the csops function is not public, so there is no info about which entitlement causes the CS_RESTRICT flag to be set. - Rrhoea
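
To confirm that a shipped build actually carries the __RESTRICT,__restrict section described in the comments above, the Mach-O load commands can be walked directly; because the section is created from /dev/null it has no contents, so only the headers matter. This is an added example, not part of the original thread or of dyld's source. It assumes a thin little-endian Mach-O image (fat/universal files are not handled); has_restrict_section and build_sample are hypothetical names, and build_sample produces constructed test input.

```python
import struct

MH_MAGIC, MH_MAGIC_64 = 0xFEEDFACE, 0xFEEDFACF   # thin Mach-O, 32/64-bit
LC_SEGMENT, LC_SEGMENT_64 = 0x1, 0x19

def _name(raw):
    """Decode a fixed 16-byte, NUL-padded Mach-O name field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")

def has_restrict_section(data):
    """True if a thin little-endian Mach-O image has a __RESTRICT,__restrict section."""
    if len(data) < 28:
        raise ValueError("too short for a Mach-O header")
    (magic,) = struct.unpack_from("<I", data, 0)
    if magic == MH_MAGIC_64:
        hdr, seg_cmd, seg_len, sect_len = 32, LC_SEGMENT_64, 72, 80
    elif magic == MH_MAGIC:
        hdr, seg_cmd, seg_len, sect_len = 28, LC_SEGMENT, 56, 68
    else:
        raise ValueError("not a thin little-endian Mach-O image")
    ncmds, sizeofcmds = struct.unpack_from("<II", data, 16)
    off, end = hdr, hdr + sizeofcmds
    if end > len(data):
        raise ValueError("load commands run past end of file")
    for _ in range(ncmds):
        if off + 8 > end:
            raise ValueError("malformed load command")
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        if cmdsize < 8 or off + cmdsize > end:
            raise ValueError("malformed load command")
        # Segment and section names are compared exactly (case-sensitive).
        if cmd == seg_cmd and cmdsize >= seg_len and _name(data[off + 8:off + 24]) == "__RESTRICT":
            (nsects,) = struct.unpack_from("<I", data, off + seg_len - 8)
            for i in range(nsects):
                s = off + seg_len + i * sect_len
                if s + sect_len > off + cmdsize:
                    raise ValueError("section table overruns its segment command")
                if _name(data[s:s + 16]) == "__restrict":
                    return True
        off += cmdsize
    return False

def build_sample(segname, sectname):
    """Constructed input: 64-bit header, one segment command, one section."""
    sect = struct.pack("<16s16sQQ8I", sectname, segname, 0, 0, *([0] * 8))
    seg = struct.pack("<II16s4Q4I", LC_SEGMENT_64, 72 + len(sect), segname,
                      0, 0, 0, 0, 0, 0, 1, 0)
    head = struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 1, len(seg) + len(sect), 0, 0)
    return head + seg + sect
```

For a real binary, pass the bytes read from the main executable; the same segment and section names appear in the output of otool -l.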
