darwin-containers / rund

OCI Container Runtime for Darwin
Apache License 2.0

Allow running without disabling SIP - suggestion included #49

Open griels opened 9 months ago

griels commented 9 months ago

https://poweruser.blog/using-dtrace-with-sip-enabled-3826a352e64b - not sure if this mechanism could be used?

Failing that, I gather there is some other sandboxing mechanism (relying on the Sandboxing frameworks, akin to using the officially deprecated sandbox-exec) that might be usable, but obviously this work is heavily chroot-based.

slonopotamus commented 9 months ago

You mean, removing signatures from all binaries inside chroot? I'll try that.

slonopotamus commented 9 months ago

WRT sandbox: it can be used as additional isolation of chrooted processes from the host.

slonopotamus commented 9 months ago

I'm not reproducing what that guy shows (though I'm on Ventura). If I try to execute binaries after codesign --remove-signature (both within and outside of chroot), I just get killed, without any traces in dmesg, even with SIP disabled.

griels commented 9 months ago

Oh well, thanks for trying. Hopefully there's a SIP-free way ahead eventually.

slonopotamus commented 9 months ago

Also, see macOScontainers/macos-jail#2. I had chroot properly working on Catalina with SIP enabled: https://github.com/macOScontainers/macos-jail/commit/4d342807b1f3c913613b7a1fb6001f9951e15c2e. But newer macOS versions have stricter rules.

slonopotamus commented 9 months ago

Another idea. Do we actually need to disable the whole SIP? There are options to disable specific parts of it:

csrutil enable --no-internal
csrutil enable --without kext
csrutil enable --without fs
csrutil enable --without debug
csrutil enable --without dtrace
csrutil enable --without nvram

I'm not sure yet which one of them is responsible for chroot.
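The per-feature csrutil options above are stored as a bitmask in the csr-active-config NVRAM variable, so a machine's current SIP state can be read back and mapped to the options that would reproduce it. The following decoder is an added example for this thread, not code from rund or from either commenter. The bit names come from XNU's bsd/sys/csr.h; the mapping from bits to `csrutil enable --without ...` options is this example's own reading and should be checked against `csrutil status` on the target machine. The sample input is constructed to look like the output of `nvram csr-active-config`, where printable bytes are printed literally and others as %xx.

```c
/*
 * Decode SIP's csr-active-config bitmask as printed by
 *   nvram csr-active-config
 * Added example, not part of rund. Bit names from XNU bsd/sys/csr.h;
 * the bit -> csrutil option mapping is an assumption to verify locally.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum {
    CSR_ALLOW_UNTRUSTED_KEXTS     = 1u << 0,
    CSR_ALLOW_UNRESTRICTED_FS     = 1u << 1,
    CSR_ALLOW_TASK_FOR_PID        = 1u << 2,
    CSR_ALLOW_KERNEL_DEBUGGER     = 1u << 3,
    CSR_ALLOW_APPLE_INTERNAL      = 1u << 4,
    CSR_ALLOW_UNRESTRICTED_DTRACE = 1u << 5,
    CSR_ALLOW_UNRESTRICTED_NVRAM  = 1u << 6,
};

/* Assumed mapping of bits to csrutil options. `--no-internal` is the
 * inverse of the APPLE_INTERNAL bit, so it is reported separately. */
static const struct { uint32_t bits; const char *option; } csr_options[] = {
    { CSR_ALLOW_UNTRUSTED_KEXTS,                           "--without kext"   },
    { CSR_ALLOW_UNRESTRICTED_FS,                           "--without fs"     },
    { CSR_ALLOW_TASK_FOR_PID | CSR_ALLOW_KERNEL_DEBUGGER,  "--without debug"  },
    { CSR_ALLOW_UNRESTRICTED_DTRACE,                       "--without dtrace" },
    { CSR_ALLOW_UNRESTRICTED_NVRAM,                        "--without nvram"  },
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse the value part of an `nvram` line: each byte is either a literal
 * printable character or a %xx escape; the variable is a little-endian
 * uint32. Returns the mask, or -1 on malformed or over-long input. */
int64_t csr_parse_nvram_value(const char *s)
{
    uint32_t v = 0;
    int n = 0;
    while (*s && n < 4) {
        unsigned byte;
        if (*s == '%') {
            int hi = hexval(s[1]);
            if (hi < 0) return -1;           /* checked before touching s[2] */
            int lo = hexval(s[2]);
            if (lo < 0) return -1;
            byte = (unsigned)(hi * 16 + lo);
            s += 3;
        } else {
            byte = (unsigned char)*s++;
        }
        v |= byte << (8 * n);
        n++;
    }
    if (n == 0 || *s) return -1;             /* empty, or more than 4 bytes */
    return v;
}

/* Write the csrutil options that would reproduce `mask` into buf, separated
 * by spaces. Returns the number of options; 0 means no protection is off. */
int csr_describe(uint32_t mask, char *buf, size_t size)
{
    int count = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof csr_options / sizeof csr_options[0]; i++) {
        if (mask & csr_options[i].bits) {
            if (count++) strncat(buf, " ", size - strlen(buf) - 1);
            strncat(buf, csr_options[i].option, size - strlen(buf) - 1);
        }
    }
    return count;
}

/* The filesystem-protection part is the first thing to check when a
 * chroot-related restriction is suspected. */
int csr_fs_unrestricted(uint32_t mask)
{
    return (mask & CSR_ALLOW_UNRESTRICTED_FS) != 0;
}

int main(int argc, char **argv)
{
    /* Constructed sample line: 'w' is 0x77, i.e. bits 0,1,2,4,5,6 set. */
    const char *line = argc > 1 ? argv[1] : "csr-active-config\tw%00%00%00";
    const char *value = strchr(line, '\t');
    value = value ? value + 1 : line;

    int64_t mask = csr_parse_nvram_value(value);
    if (mask < 0) { fprintf(stderr, "malformed nvram value\n"); return 1; }

    char opts[128];
    int n = csr_describe((uint32_t)mask, opts, sizeof opts);
    printf("csr-active-config = 0x%08x\n", (unsigned)mask);
    if (mask & CSR_ALLOW_APPLE_INTERNAL) printf("Apple Internal bit set\n");
    printf("%s\n", n ? opts : "no SIP protection disabled");
    printf("filesystem protections off: %s\n", csr_fs_unrestricted((uint32_t)mask) ? "yes" : "no");
    return 0;
}
```

Run it as `./csrdecode "$(nvram csr-active-config)"` on the macOS host; on a machine where `csrutil enable --without fs` was used, only the FS bit should be reported, which is the one to test first when bisecting which SIP component blocks rund's chroot.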