Framework fails to load with hardened runtime |Apple Developer Forums

1616 Views 10 Replies

Latest reply on Oct 23, 2019 6:21 PM by Vannes

Level 1 (0 points)

mixage Jun 14, 2019 6:45 AM

Hello,

I have built a piece of code as an external framework which can be optionally installed (in Library/Frameworks).

This worked fine until I've enable hardened runtime in my mac os app (even with the "Disable Library Validation" option set).

Both app and framework have the LC_VERSION_MIN set to 10.9, as suggested in this thread:

https://forums.developer.apple.com/thread/115451

Both app and framework are signed by me. The application is not sandboxed.

Some suggestions?

Thanks,

Bruno

Re: Framework fails to load with hardened runtime

Apple Staff (12,435 points)
eskimo Jun 17, 2019 2:55 AM (in response to mixage)

Do you load your framework by importing it? Or load it dynamically with, say, dlopen?
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
This helped me (0)

Actions
- Re: Framework fails to load with hardened runtime
  
  Level 1 (0 points)
  mixage Jun 17, 2019 3:05 AM (in response to eskimo)
  
  Imported: The framework is added to my Xcode project as "optional" and not copied inside my frameworks app subfolder. The framework path is the standard Library/Frameworks one. Everything loads correctly until I enable hardened runtime. I can provide a sample project if needed.
  
  Thanks
  
  This helped me (0)
  
  Actions
  - Re: Framework fails to load with hardened runtime
    
    Apple Staff (12,435 points)
    eskimo Jun 18, 2019 2:55 AM (in response to mixage)
    
    It’s hard to say what’s going on here. Library validation prevents your app from importing external frameworks like this (documented in the codesign man page page), but you’ve already disabled that. I have two theories:
    Your attempt to disable library validation failed for some reason. How did you confirm that it’s actually off? (A)
    There’s some other hardened runtime flag that’s preventing your framework from loading (B).
    To test A, enable the hardened runtime, disable library validation, remove your import, and run your program. It should launch just fine. Then run codesign against your pid. This will tell you whether your library validation change ‘stuck’.
    For example, here’s what you see when using the hardened runtime with no exceptions:
    $ codesign -d -v --entitlements :- `pgrep test` … CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded … <plist version="1.0"> <dict> <key>com.apple.security.get-task-allow</key> <true/> </dict> </plist>
    And here’s what you see when you disable library validation:
    $ codesign -d -v --entitlements :- `pgrep test` … CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded … <dict> <key>com.apple.security.cs.disable-library-validation</key> <true/> <key>com.apple.security.get-task-allow</key> <true/> </dict> </plist>
    To investigate B, disable all of the hardened runtime checks (these are listed in the Runtime Exceptions section of Xcode’s Capabilities editor) and see if you app works. If it does, selective re-enable them to see where it stops working.
    Share and Enjoy
    —
    Quinn “The Eskimo!”
    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
    let myEmail = "eskimo" + "1" + "@apple.com"
    
    This helped me (0)
    
    Actions
    - Re: Framework fails to load with hardened runtime
      
      Level 1 (0 points)
      mixage Jun 22, 2019 7:00 AM (in response to eskimo)
      
      Thanks. I will try this ASAP (I wasn't here last days)
      
      This helped me (0)
      
      Actions
    - Re: Framework fails to load with hardened runtime
      
      Level 1 (0 points)
      mixage Jun 26, 2019 3:32 AM (in response to eskimo)
      
      The framework is not loaded if hardened runtime is enabled. I have checked the various cases (A and B and others) but there's no way to make it work except by switching of the HR button in XCode. What am I missing?
      
      This helped me (0)
      
      Actions
      - Re: Framework fails to load with hardened runtime
        
        Apple Staff (12,435 points)
        eskimo Jun 27, 2019 12:46 AM (in response to mixage)
        
        What am I missing?
        I’m not sure. My recommendation is that you open a DTS tech support incident so that we can help you investigate this in more detail.
        Share and Enjoy
        —
        Quinn “The Eskimo!”
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"
        
        This helped me (0)
        
        Actions
        
        Re: Framework fails to load with hardened runtime
        
        Level 1 (0 points)
        mixage Jul 26, 2019 3:31 AM (in response to eskimo)
        
        Hello Quinn,
        
        I understand that you are not involved on such question, but I'm at total loss...
        I have opened a DTS tech support incident as you suggestes on July 5 and still waiting for a reply... Is it normal ? How can I solicit a reply? By opening another support incident?
        
        Thank you very much
        Bruno
        
        This helped me (0)
        
        Actions
        
        Re: Framework fails to load with hardened runtime
        
        Apple Staff (12,435 points)
        eskimo Jul 29, 2019 2:02 AM (in response to mixage)
        
        Is it normal ?
        No. DTS should send you an initial response within three business days.
        I can’t discuss official DTS business here, but if you drop me a line via email (my address is in my signature below), we can take things from there.
        Make sure to reference this thread because, as you might imagine, I get a lot of email.
        Share and Enjoy
        —
        Quinn “The Eskimo!”
        Apple Developer Relations, Developer Technical Support, Core OS/Hardware
        let myEmail = "eskimo" + "1" + "@apple.com"
        
        This helped me (0)
        
        Actions
Re: Framework fails to load with hardened runtime

Apple Staff (12,435 points)
eskimo Jul 31, 2019 8:34 AM (in response to mixage)

mixage and I discussed their issue in depth and managed to work out what was going wrong. Their framework’s install name (the value from the LC_ID_DYLIB load command, as displayed by -D option in otool) was using the `@rpath prefix. The hardened runtime puts significant restrictions on the use of @rpath because it’s a vector for injecting code into apps, and thus they ran into problems when enabling it.
As their framework was meant to be installed in /Library/Frameworks/, changing the install name to an absolute path with that prefix resolved their issue.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
This helped me (1)

Actions
- Re: Framework fails to load with hardened runtime
  
  Level 1 (0 points)
  Vannes Oct 23, 2019 6:21 PM (in response to eskimo)
  
  I got sililar issue and I've tried couple ways don't work at all.
  Would you please take a look into this?(Posted here and n StackOverflow)
  Thank you so much!!
  
  https://forums.developer.apple.com/message/390019#390019
  
  https://stackoverflow.com/questions/58515410/library-not-loaded-after-runtime-hardened-enabled
  
  This helped me (0)
  
  Actions