  1. SonarCFamily
  2. CPP-2391

build-wrapper macos: Should be able to capture signed hardened processes not having required entitlements

    Details

    • Type: Bug
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: build-wrapper
    • Labels:
      None
    • Environment:
      macOS >= 10.14

      Description

      Since macOS Mojave there is a new privacy mechanism: binaries can be hardened and signed with a defined set of entitlements. If a binary is signed and doesn't have the following entitlements, then build-wrapper is not able to inject the libinterceptor dynamic library in order to capture child process information.

      This issue was first noticed with the prebuilt CMake available on the official website, version 3.15+.

      Workarounds

      • Disable macOS SIP protection by running the following in Recovery OS:
        csrutil disable
        
      • Remove the binary's signature:
        codesign --remove-signature path/to/binary
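
A pre-flight check for the condition described above, as an added example that is not part of the original issue or of build-wrapper: it reads `codesign` output and reports why an injected library would be refused. The entitlement names are not listed on this page; the two used are Apple's documented hardened-runtime entitlements, and both their relevance to build-wrapper and the sample output are assumptions.

```python
import plistlib
import re

# Apple's documented hardened-runtime entitlements. The issue does not list the
# ones it means; treating these two as the relevant set is an assumption.
ALLOW_DYLD_ENV = "com.apple.security.cs.allow-dyld-environment-variables"
NO_LIB_VALIDATION = "com.apple.security.cs.disable-library-validation"

# Constructed sample of `codesign -dv --verbose=4 <binary>` output (written to stderr).
SAMPLE_HARDENED = """Executable=/Applications/Example.app/Contents/bin/tool
Identifier=com.example.tool
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=1234 flags=0x10000(runtime) hashes=30+5 location=embedded
"""
# Constructed sample of `codesign -d --entitlements :- <binary>` output.
SAMPLE_ENTITLEMENTS = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
<key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
</dict></plist>"""

def signing_flags(display_text):
    """Flag names from the CodeDirectory line, or None when the binary is unsigned."""
    m = re.search(r"^CodeDirectory .*\bflags=0x[0-9a-fA-F]+\(([^)]*)\)",
                  display_text, re.M)
    return {f for f in m.group(1).split(",") if f} if m else None

def injection_blockers(display_text, entitlements_xml=b""):
    """Reasons an injected dylib would be refused; empty list when nothing blocks it."""
    flags = signing_flags(display_text)
    if flags is None or "runtime" not in flags:
        return []  # unsigned, or signed without the hardened runtime
    ents = plistlib.loads(entitlements_xml) if entitlements_xml.strip() else {}
    reasons = []
    if not ents.get(ALLOW_DYLD_ENV):
        reasons.append("DYLD_* variables are ignored: missing " + ALLOW_DYLD_ENV)
    if not ents.get(NO_LIB_VALIDATION):
        reasons.append("library validation rejects foreign dylibs: missing " + NO_LIB_VALIDATION)
    return reasons

if __name__ == "__main__":
    for reason in injection_blockers(SAMPLE_HARDENED, SAMPLE_ENTITLEMENTS):
        print(reason)
```

Running this over the tools a build invokes identifies which binaries will not be captured, so a workaround can be limited to those binaries.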
        

            People

            • Assignee:
              Unassigned
              Reporter:
              massimo.paladin Massimo PALADIN