Skip to content

Provide a workaround of macos SIP in the build system #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Aug 5, 2021
Merged

Provide a workaround of macos SIP in the build system #16

merged 1 commit into from
Aug 5, 2021

Conversation

@yungyuc
Copy link
Member

@yungyuc yungyuc commented Aug 5, 2021
edited
Loading

Mac SIP (System Integrity Protection) was introduced in El Capitan (10.11) in 2015 and it disabled DYLD_*LIBRARY_PATH for some protected binaries (the DYLD_LIBRARY_PATH and DYLD_FALLBACK_LIBRARY_PATH are purged when launching the processes).

make is among the binaries influenced by SIP. Assume that we have a Makefile:

.PHONY:
default:
	@echo "NORMALVAR=$$NORMALVAR"
	@echo "DYLD_LIBRARY_PATH=$$DYLD_LIBRARY_PATH"
	@echo "DYLD_FALLBACK_LIBRARY_PATH=$$DYLD_FALLBACK_LIBRARY_PATH"

and run it by supplying the environment variables. The dyld environment variables are not gone, surprisingly:

$ env NORMALVAR=content DYLD_LIBRARY_PATH=. DYLD_FALLBACK_LIBRARY_PATH=. make
NORMALVAR=content
DYLD_LIBRARY_PATH=
DYLD_FALLBACK_LIBRARY_PATH=

Consequently, we no longer can set the dyld variables outside make and send them to processes spawned in make. A workaround is to use an include file in Makefile. Assume we have a file name setup.mk:

RUNENV ?= DYLD_LIBRARY_PATH=. DYLD_FALLBACK_LIBRARY_PATH=.

The Makefile is modified to:

ifneq (,$(wildcard ./setup.mk))
	include ./setup.mk
endif

.PHONY:
default:
	env $(RUNENV) python3 -c "import os; print(os.environ.get('NORMALVAR'))"
	env $(RUNENV) python3 -c "import os; print(os.environ.get('DYLD_LIBRARY_PATH'))"
	env $(RUNENV) python3 -c "import os; print(os.environ.get('DYLD_FALLBACK_LIBRARY_PATH'))"

python3 is a custom installed Python binary. (If you use the system python, which is a protected binary, this trick won't work.) Running make and the value stored in the include file can be passed to the python3 sub-processes:

$ make
env DYLD_LIBRARY_PATH=. DYLD_FALLBACK_LIBRARY_PATH=. python3 -c "import os; print(os.environ.get('NORMALVAR'))"
None
env DYLD_LIBRARY_PATH=. DYLD_FALLBACK_LIBRARY_PATH=. python3 -c "import os; print(os.environ.get('DYLD_LIBRARY_PATH'))"
.
env DYLD_LIBRARY_PATH=. DYLD_FALLBACK_LIBRARY_PATH=. python3 -c "import os; print(os.environ.get('DYLD_FALLBACK_LIBRARY_PATH'))"
.

@yungyuc
Provide a workaround of SIP in the build system
6af4afb 
Macos 10.11 El Capitan enabled SIP (system integrity protection) in 2015, and
it prevents `DYLD_*LIBRARY_PATH` from being passed to sub-processes of
protected (most system) binaries, including make and bash.

This is a workaround by adding an include file in Makefile.
@yungyuc yungyuc merged commit 6385fa5 into master Aug 5, 2021
@yungyuc yungyuc deleted the feature/mac-sip branch August 5, 2021 14:18
@yungyuc yungyuc added the bug Something isn't working label Aug 6, 2021
@yungyuc yungyuc mentioned this pull request Oct 8, 2022
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

bug Something isn't working

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@yungyuc