Allow running without disabling SIP - suggestion included

[griels]

https://poweruser.blog/using-dtrace-with-sip-enabled-3826a352e64b - not sure if this mechanism could be used?

Failing that, I gather there is some other sandboxing mechanism (relying on the Sandboxing frameworks, akin to using the officially-deprecated sandbox-exec) that might be usable, but obviously this work is heavily chroot based.

[slonopotamus]

You mean, removing signatures from all binaries inside chroot? I'll try that.

[slonopotamus]

WRT sandbox - it can be used as an additional isolation of chrooted processes from the host.

[slonopotamus]

I'm not reproducing what that guy shows (though I'm on Ventura). If I try to execute binaries after codesign --remove-signature (both within and outside of chroot), I just get killed, without any traces in dmesg, even with SIP disabled.

[griels]

Oh well, thanks for trying.. Hopefully there's a SIP-free way ahead eventually.

[slonopotamus]

Also, see darwin-containers/darwin-jail#2. I had chroot properly working on Catalina with SIP enabled: darwin-containers/darwin-jail@4d34280 But newer macOS versions have stricter rules.

[slonopotamus]

Another idea. Do we actually need to disable the whole SIP? There are options to disable specific parts of it:

csrutil enable --no-internal
csrutil enable --without kext
csrutil enable --without fs
csrutil enable --without debug
csrutil enable --without dtrace
csrutil enable --without nvram

I'm not sure yet which one of them is responsible for chroot.

[CamJN]

I'm not reproducing what that guy shows (though I'm on Ventura). If I try to execute binaries after codesign --remove-signature (both within and outside of chroot), I just get killed, without any traces in dmesg, even with SIP disabled.

I think the instant killing in the chroot from this comment might be due to Launch Constraints. I'm not sure exactly how one would remove those, but it would likely involve removing the codesigning from the binary, and possibly changing the file's contents/checksum, in case the binary has it's signature stored detached in the read only volume. Basically the goal is breaking the lookup of the constraints.

[griels]

Some interesting developments:

1. orbstack has implemented the mac command. It's not clear what sandboxing, if any, they are using for the MacOS-side implementation of this - I've only found source code for the modified Linux kernel so far. But looks v interesting.

2. mirrord manages to run MacOS commands and redirect system access into a Kubernetes pod while not disabling SIP, via some fiendish app-signing trickery (not dissimilar to the above, but more sophisticated): https://metalbear.co/blog/fun-with-macoss-sip/. The implementation is open source so could be borrowed for darwincontainers... Or perhaps darwincontainers could integrate mirrord?

I hope some of this is useful!

[slonopotamus]

Just in case, we do not need to fully disable SIP
csrutil enable --without fs is enough.