I'm working on a macOS app. Due to a security requirement, I added the following line to Xcode's Other Linker Flags:
-Wl,-sectcreate,__RESTRICT,__restrict,/dev/null
But after testing, we found that the app crashed at launch if System Integrity Protection was disabled. Here is the report:
System Integrity Protection: disabled
Crashed Thread: 0
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: Namespace DYLD, Code 1 Library missing
Library not loaded: @rpath/MyLib.framework/Versions/A/MyLib
Referenced from: <845E83E4-9526-36F0-8A2D-ADD407697F4D> /Applications/MyApp/MyApp.app/Contents/MacOS/MyApp
Reason: tried: '/System/Library/Frameworks/MyLib.framework/Versions/A/MyLib' (no such file, not in dyld cache), (security policy does not allow @ path expansion)
(terminated at launch; ignore backtrace)
Thread 0 Crashed:
0 dyld 0x185f3a55c __abort_with_payload + 8
1 dyld 0x185f46b10 abort_with_payload_wrapper_internal + 104
2 dyld 0x185f46b44 abort_with_payload + 16
3 dyld 0x185ecd584 dyld4::halt(char const*, dyld4::StructuredError const*) + 304
4 dyld 0x185eca254 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3884
5 dyld 0x185ec8edc start + 1844
Looks like dyld can't load rpath if the restrict segment exists & SIP is disabled. Is there a way to fix it? The framework & dylib files need to be in the bundle to avoid other apps using them, so pointing to /usr/lib is not an option.
Thanks.
To start, the __RESTRICT / __restrict section is not documented for third-party use, thus you should treat it as an implementation detail. By relying on it you open yourself up to all sorts of potential compatibility problems.
My impression is that folks use this to prevent library injection attacks. Is that your goal here?
If so, you can do the equivalent by enabling the hardened runtime on your main executable. That opts you in to library validation, which ensures that your program can only load libraries signed by you or Apple.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
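As an added illustration of the configuration behind the crash in the question (not code from the thread, from Apple, or from the asker's project), the script below is a small Mach-O load-command auditor. It parses a thin 64-bit image, reports whether the binary carries the __RESTRICT segment with a __restrict section (what the linker flag in the question adds), lists its LC_LOAD_DYLIB dependencies and LC_RPATH entries, and flags the combination the crash report shows: a restricted image whose dependencies need @rpath-style expansion to be found. The two sample images it audits are constructed in memory from synthetic load commands; on a real build you would instead pass the bytes of the main executable (the script does not handle fat/universal headers, so run it on one slice). Names such as audit, build_sample and at_path_risk are this example's own, not dyld or Xcode identifiers.

```python
"""Static audit of Mach-O load commands for the __RESTRICT / @rpath conflict.
Added example for the thread above; the sample images are constructed, not real binaries."""
import struct

MH_MAGIC_64 = 0xFEEDFACF        # 64-bit little-endian Mach-O header magic
MH_EXECUTE = 2
CPU_TYPE_ARM64 = 0x0100000C
LC_SEGMENT_64 = 0x19
LC_LOAD_DYLIB = 0x0C
LC_RPATH = 0x8000001C


def load_commands(data: bytes):
    """Yield (cmd, raw_body) for each load command in a thin 64-bit Mach-O image."""
    magic, _cpu, _sub, _ftype, ncmds, _sizeofcmds, _flags, _res = struct.unpack_from("<IiiIIIII", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a 64-bit little-endian Mach-O image")
    off = 32                                     # sizeof(mach_header_64)
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from("<II", data, off)
        yield cmd, data[off:off + cmdsize]
        off += cmdsize


def _cstr(body: bytes, off: int) -> str:
    return body[off:].split(b"\0", 1)[0].decode()


def has_restrict_section(body: bytes) -> bool:
    """True if this LC_SEGMENT_64 body is __RESTRICT and carries a __restrict section."""
    if body[8:24].rstrip(b"\0") != b"__RESTRICT":
        return False
    nsects = struct.unpack_from("<I", body, 64)[0]        # segment_command_64.nsects
    # section_64 entries (80 bytes each) follow the 72-byte segment command
    return any(body[72 + 80 * i:72 + 80 * i + 16].rstrip(b"\0") == b"__restrict" for i in range(nsects))


def audit(data: bytes) -> dict:
    """Summarise the load commands relevant to the crash in the question."""
    restricted, dylibs, rpaths = False, [], []
    for cmd, body in load_commands(data):
        if cmd == LC_SEGMENT_64 and has_restrict_section(body):
            restricted = True
        elif cmd == LC_LOAD_DYLIB:
            dylibs.append(_cstr(body, struct.unpack_from("<I", body, 8)[0]))   # dylib.name offset
        elif cmd == LC_RPATH:
            rpaths.append(_cstr(body, struct.unpack_from("<I", body, 8)[0]))   # path offset
    at_path_deps = [d for d in dylibs if d.startswith("@")]
    return {
        "restricted": restricted,
        "dylibs": dylibs,
        "rpaths": rpaths,
        # restricted image + dependencies that need @rpath/@executable_path/@loader_path
        # expansion: the situation the "security policy does not allow @ path expansion" log shows
        "at_path_risk": restricted and bool(at_path_deps),
    }


# --- constructed sample images: everything below is synthetic, no real binary is read ---
def _padded_cmd(header_fmt: str, cmd: int, fixed_fields: tuple, string: str) -> bytes:
    raw = string.encode() + b"\0"
    size = struct.calcsize(header_fmt) + len(raw)
    size += -size % 8                            # load commands are 8-byte aligned
    header = struct.pack(header_fmt, cmd, size, *fixed_fields)
    return header + raw.ljust(size - len(header), b"\0")


def segment_cmd(segname: str, sectname: str = "") -> bytes:
    sections = b""
    if sectname:
        sections = struct.pack("<16s16sQQIIIIIIII", sectname.encode(), segname.encode(),
                               0, 0, 0, 0, 0, 0, 0, 0, 0, 0)
    return struct.pack("<II16sQQQQiiII", LC_SEGMENT_64, 72 + len(sections), segname.encode(),
                       0, 0, 0, 0, 0, 0, 1 if sectname else 0, 0) + sections


def load_dylib_cmd(path: str) -> bytes:
    # dylib_command: cmd, cmdsize, name.offset (=24), timestamp, current_version, compatibility_version
    return _padded_cmd("<IIIIII", LC_LOAD_DYLIB, (24, 0, 0x10000, 0x10000), path)


def rpath_cmd(path: str) -> bytes:
    # rpath_command: cmd, cmdsize, path.offset (=12)
    return _padded_cmd("<III", LC_RPATH, (12,), path)


def build_sample(restricted: bool) -> bytes:
    """Build a minimal executable image; restricted=True mirrors the linker flag from the question."""
    cmds = [segment_cmd("__TEXT", "__text")]
    if restricted:
        cmds.append(segment_cmd("__RESTRICT", "__restrict"))
    cmds += [
        load_dylib_cmd("/usr/lib/libSystem.B.dylib"),
        load_dylib_cmd("@rpath/MyLib.framework/Versions/A/MyLib"),   # path taken from the crash report
        rpath_cmd("@executable_path/../Frameworks"),
    ]
    body = b"".join(cmds)
    header = struct.pack("<IiiIIIII", MH_MAGIC_64, CPU_TYPE_ARM64, 0, MH_EXECUTE, len(cmds), len(body), 0, 0)
    return header + body


if __name__ == "__main__":
    for flag in (False, True):
        print("restricted build" if flag else "plain build", audit(build_sample(flag)))
```

The audit is a build-time check, so it can run in CI before an app is shipped: if at_path_risk is true, the binary is relying on the undocumented restrict mechanism while also depending on bundled frameworks, which is exactly the combination the crash report describes. Dropping the linker flag and enabling the hardened runtime with library validation, as the answer suggests, removes the segment without giving up the injection protection.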