1193 Views 9 Replies
      Latest reply on Jul 31, 2019 8:34 AM by eskimo
      mixage Level 1 Level 1 (0 points)
      mixage Jun 14, 2019 6:45 AM

        Hello,

         

        I have built a piece of code as an external framework which can be optionally installed (in Library/Frameworks).

        This worked fine until I've enable hardened runtime in my mac os app (even with the "Disable Library Validation" option set).

        Both app and framework have the LC_VERSION_MIN set to 10.9, as suggested in this thread:

        https://forums.developer.apple.com/thread/115451

        Both app and framework are signed by me. The application is not sandboxed.

         

        Some suggestions?

         

        Thanks,

        Bruno

        • Re: Framework fails to load with hardened runtime
          eskimo Apple Staff Apple Staff (11,955 points)
          eskimo Jun 17, 2019 2:55 AM (in response to mixage)

          Do you load your framework by importing it?  Or load it dynamically with, say, dlopen?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: Framework fails to load with hardened runtime
              mixage Level 1 Level 1 (0 points)
              mixage Jun 17, 2019 3:05 AM (in response to eskimo)

              Imported: The framework is added to my Xcode project as "optional" and not copied inside my frameworks app subfolder. The framework path is the standard Library/Frameworks one. Everything loads correctly until I enable hardened runtime. I can provide a sample project if needed.

               

              Thanks

                • Re: Framework fails to load with hardened runtime
                  eskimo Apple Staff Apple Staff (11,955 points)
                  eskimo Jun 18, 2019 2:55 AM (in response to mixage)

                  It’s hard to say what’s going on here.  Library validation prevents your app from importing external frameworks like this (documented in the codesign man page page), but you’ve already disabled that.  I have two theories:

                  • Your attempt to disable library validation failed for some reason.  How did you confirm that it’s actually off? (A)

                  • There’s some other hardened runtime flag that’s preventing your framework from loading (B).

                  To test A, enable the hardened runtime, disable library validation, remove your import, and run your program.  It should launch just fine.  Then run codesign against your pid.  This will tell you whether your library validation change ‘stuck’.

                  For example, here’s what you see when using the hardened runtime with no exceptions:

                  $ codesign -d -v --entitlements :- `pgrep test`
…
CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded
…
<plist version="1.0">
<dict>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

                  And here’s what you see when you disable library validation:

                  $ codesign -d -v --entitlements :- `pgrep test`
…
CodeDirectory v=20500 size=429 flags=0x10000(runtime) hashes=4+5 location=embedded
…
<dict>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
</dict>
</plist>

                  To investigate B, disable all of the hardened runtime checks (these are listed in the Runtime Exceptions section of Xcode’s Capabilities editor) and see if you app works.  If it does, selective re-enable them to see where it stops working.

                  Share and Enjoy

                  Quinn “The Eskimo!”
                  Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                  let myEmail = "eskimo" + "1" + "@apple.com"

              • Re: Framework fails to load with hardened runtime
                eskimo Apple Staff Apple Staff (11,955 points)
                eskimo Jul 31, 2019 8:34 AM (in response to mixage)

                mixage and I discussed their issue in depth and managed to work out what was going wrong.  Their framework’s install name (the value from the LC_ID_DYLIB load command, as displayed by -D option in otool) was using the `@rpath prefix.  The hardened runtime puts significant restrictions on the use of @rpath because it’s a vector for injecting code into apps, and thus they ran into problems when enabling it.

                As their framework was meant to be installed in /Library/Frameworks/, changing the install name to an absolute path with that prefix resolved their issue.

                Share and Enjoy

                Quinn “The Eskimo!”
                Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                let myEmail = "eskimo" + "1" + "@apple.com"