darwin-containers/rund

Allow running without disabling SIP - suggestion included

griels opened this issue · 7 comments

griels commented

https://poweruser.blog/using-dtrace-with-sip-enabled-3826a352e64b - not sure if this mechanism could be used?

Failing that, I gather there is some other sandboxing mechanism (relying on the Sandboxing frameworks, akin to using the officially-deprecated sandbox-exec) that might be usable, but obviously this work is heavily chroot-based.

You mean, removing signatures from all binaries inside chroot? I'll try that.

WRT sandbox - it can be used as an additional isolation of chrooted processes from the host.

I'm not reproducing what that guy shows (though I'm on Ventura). If I try to execute binaries after codesign --remove-signature (both within and outside of chroot), I just get killed, without any traces in dmesg, even with SIP disabled.

griels commented

Oh well, thanks for trying. Hopefully there's a SIP-free way ahead eventually.

Also, see darwin-containers/darwin-jail#2. I had chroot properly working on Catalina with SIP enabled: darwin-containers/darwin-jail@4d34280 But newer macOS versions have stricter rules.

Another idea. Do we actually need to disable the whole SIP? There are options to disable specific parts of it:

csrutil enable --no-internal
csrutil enable --without kext
csrutil enable --without fs
csrutil enable --without debug
csrutil enable --without dtrace
csrutil enable --without nvram

I'm not sure yet which one of them is responsible for chroot.

I'm not reproducing what that guy shows (though I'm on Ventura). If I try to execute binaries after codesign --remove-signature (both within and outside of chroot), I just get killed, without any traces in dmesg, even with SIP disabled.

I think the instant killing in the chroot from this comment might be due to Launch Constraints. I'm not sure exactly how one would remove those, but it would likely involve removing the codesigning from the binary, and possibly changing the file's contents/checksum, in case the binary has its signature stored detached in the read-only volume. Basically, the goal is to break the lookup of the constraints.