Issue running app when SIP disabled.

I've been developing an MacOS app for a while and everything was going smoothly until one of the testers reported that the app was crashing on launch.

After investigation, we discovered that he had System Integrity Protection disabled. I could reproduce the error by disabling SIP:

Library not loaded: @rpath/myframework.framework/myframework
Referenced from: <4C129258-1BF8-3D30-9AFE-BF4206D0A767> /Applications/MyApp.app/Contents/MacOS/MyApp
Reason: , (security policy does not allow @ path expansion)
(terminated at launch; ignore backtrace)

The app launches normally if I reenable SIP. I can't find information about "security policy does not allow @ path expansion".

I'll appreciate if someone can point me in the right direction.

Answered by Security Engineer in 791135022

There are two factors that come into play here: the restrictions the OS places on your binary because of its privilege, and the protections that are applied to your binary based on its configuration.

The OS starts restricting use of @ path expansion when your process is restricted because of its privilege. That means it has restricted entitlements, a __restrict section or is setuid/setgid.

The normal way to get @ path expansion allowed again is to have "Library Validation" enabled. Now, if your app is opted into the Hardened Runtime, and SIP is on, then your app gets Library Validation by default. When you turn SIP Off, Hardened Runtime protections are no longer applied so your app loses Library Validation.

You can force library validation on explicitly by adding "-o library" to the "Other Code Signing Flags" configuration item in Xcode for your target.

My research on this is pointing at LD_RUNPATH_SEARCH_PATHS, macros like @executable_path are not expanded and the app is not finding the framework. The question is, what security policy is not allowing @ path expansions? and how is SIP related to this?

There are two factors that come into play here: the restrictions the OS places on your binary because of its privilege, and the protections that are applied to your binary based on its configuration.

The OS starts restricting use of @ path expansion when your process is restricted because of its privilege. That means it has restricted entitlements, a __restrict section or is setuid/setgid.

The normal way to get @ path expansion allowed again is to have "Library Validation" enabled. Now, if your app is opted into the Hardened Runtime, and SIP is on, then your app gets Library Validation by default. When you turn SIP Off, Hardened Runtime protections are no longer applied so your app loses Library Validation.

You can force library validation on explicitly by adding "-o library" to the "Other Code Signing Flags" configuration item in Xcode for your target.

Issue running app when SIP disabled.
 
 
Q