Sent from my iPhone...
> On Sep 10, 2016, at 16:51, Rainer Müller <[email protected]> wrote:
>
> On 2016-09-10 17:52, Jeremy Huddleston Sequoia wrote:
>>> On OS X 10.10 Yosemite, signing only the ggdb binary was certainly
>>> enough. I cannot reproduce this on macOS 10.12 Sierra, so the
>>> requirements might have changed.
>>
>> 10.10 predates SIP and related hardening around ptrace(). That
>> version is so far in my rearview that I forget the details there,
>> sorry. I'll have to dig into it, but it certainly seems wrong to me
>> that a process could become privileged if it linked against unsigned
>> libraries.
>
> I would assume if we find a solution that passes the current
> restrictions on Sierra that will also work for older releases with less
> strict checking.
>
> I got gdb to work on Sierra now. In fact I did not even have to sign
> any of the libraries it links to.
>
>
> $ otool -L /opt/local/bin/ggdb |awk 'NR>1 {print $1}' \
> |grep '^/opt/local' | xargs -I{} codesign -d -v {}
> /opt/local/lib/libintl.8.dylib: code object is not signed at all
> /opt/local/lib/libncurses.6.dylib: code object is not signed at all
> /opt/local/lib/libz.1.dylib: code object is not signed at all
> /opt/local/lib/libiconv.2.dylib: code object is not signed at all
> /opt/local/lib/libexpat.1.dylib: code object is not signed at all
>
> $ /opt/local/bin/ggdb -q /opt/local/bin/curl
> Reading symbols from /opt/local/bin/curl...(no debugging symbols
> found)...done.
> (gdb) r
> Starting program: /opt/local/bin/curl
> warning: unhandled dyld version (15)
> curl: try 'curl --help' or 'curl --manual' for more information
> [Inferior 1 (process 6964) exited with code 02]
> (gdb) q

Hmm. That isn't what I'd expect. Gonna need to check why that is. It looks like CS_RESTRICT isn't implying CS_HARD like I thought it should.

>
> The main problem I encountered was that the setgid for the procmod group
> seems to interfere with the validation now. Once I removed that by
> changing the permissions to a regular 0755, I can use the code-signed
> ggdb just fine to debug other programs.
>
> By the way, as I did lots of trial and error, is there a way to get
> debug output (from taskgated?) to see why task_for_pid() was denied?

Is it not being logged? You should see it in the system log (Console.app, log collect, etc).

>
> Rainer
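As an added example (not from this thread or from MacPorts), a small POSIX sh script that extends the `otool | codesign` one-liner above: it walks the whole transitive /opt/local dependency tree of a binary, reports the codesign verdict for every node, and flags the setgid bit that the thread reports interferes with validation. It assumes macOS with otool(1) and codesign(1) in PATH; the PREFIX variable and the function names are my own.

```shell
# Constructed example for the ggdb code-signing discussion; not MacPorts code.
# Assumes macOS with otool(1) and codesign(1). The parsing helper and the
# setgid check are pure so they can be exercised without those tools.
PREFIX="${PREFIX:-/opt/local}"   # only libraries under this prefix are audited

# Read `otool -L` output on stdin and print the load paths under PREFIX,
# skipping line 1 (the file's own name), like the thread's awk/grep pipeline.
local_deps_from_otool() {
    awk -v p="$PREFIX/" 'NR > 1 && index($1, p) == 1 { print $1 }'
}

# "setgid" if the setgid mode bit is present on the path, else "ok".
# The thread found that a setgid-procmod ggdb failed validation on Sierra.
setgid_state() {
    if [ -g "$1" ]; then echo setgid; else echo ok; fi
}

# "signed" if codesign(1) verifies the file's signature, "unsigned" otherwise.
sign_state() {
    if codesign --verify "$1" >/dev/null 2>&1; then echo signed; else echo unsigned; fi
}

# Depth-first walk over the transitive dependency tree rooted at $1, visiting
# each path once. Visited paths are kept in a space-separated string so plain
# sh (no arrays) suffices; paths containing spaces are not expected under PREFIX.
_walk() {
    case "$_seen" in *" $1 "*) return ;; esac
    _seen="$_seen$1 "
    printf '%s %s %s\n' "$(sign_state "$1")" "$(setgid_state "$1")" "$1"
    for dep in $(otool -L "$1" | local_deps_from_otool); do
        _walk "$dep"
    done
}

# Print one "<signed|unsigned> <setgid|ok> <path>" line per node in the tree.
audit_tree() {
    _seen=" "
    _walk "$1"
}

# Usage: sh audit.sh /opt/local/bin/ggdb
if [ -n "${1:-}" ]; then audit_tree "$1"; fi
```

Libraries outside PREFIX (such as /usr/lib/libSystem.B.dylib) are deliberately skipped, matching the `grep '^/opt/local'` in the thread.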
_______________________________________________
macports-dev mailing list
[email protected]
https://lists.macosforge.org/mailman/listinfo/macports-dev
