Jutting Bytes

Digressions of a research engineer

On Preload and SIP on OS X 10.11


I’ve always been particularly fond of the preload trick, which lets one override (interpose on) library symbols when launching an executable, without recompiling or relinking it: the dynamic linker loads your library first, and its definitions win over the ones in the libraries the program links against.

On Linux, set LD_PRELOAD (a path, or a library name that the loader can find on its search path) and invoke your binary as such:

$ LD_PRELOAD=somelib.so executable

On OS X, the equivalent variable is DYLD_INSERT_LIBRARIES. DYLD_FORCE_FLAT_NAMESPACE=1 is also needed because Mach-O binaries are linked with a two-level namespace by default, where each undefined symbol is bound to a specific library, so an inserted library's definition would otherwise not be picked up:

$ DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=somelib.dylib executable
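As an added example, not code from the post, here is the kind of library the two commands above load: an interposer that hooks fopen(3), announces itself from a constructor so you can tell whether it was injected at all, refuses paths under a hypothetical prefix, and chains to the real fopen for everything else. The BLOCKED_PREFIX policy and the shim_* helper names are assumptions made for illustration.

```c
/* shim.c -- added example, not from the original post.
 * A preloadable interposer for fopen(3).
 *
 * Build:  Linux : cc -shared -fPIC -o shim.so shim.c -ldl
 *         OS X  : cc -dynamiclib -o shim.dylib shim.c
 * Run:    LD_PRELOAD=./shim.so cat /etc/hostname
 *         DYLD_FORCE_FLAT_NAMESPACE=1 DYLD_INSERT_LIBRARIES=./shim.dylib ./prog
 */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* RTLD_NEXT on glibc */
#endif
#include <dlfcn.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifndef RTLD_NEXT
#define RTLD_NEXT ((void *) -1l) /* glibc's value, in case GNU extensions are off */
#endif

/* Hypothetical policy, for illustration only: deny any path under this prefix. */
#define BLOCKED_PREFIX "/blocked/"

typedef FILE *(*fopen_fn)(const char *, const char *);
static unsigned long shim_calls;   /* number of fopen() calls that reached the shim */

/* Runs when the dynamic linker maps this library.  This line is the
 * practitioner's proof of injection: if the loader dropped the preload
 * variable, it never appears and nothing else complains either. */
__attribute__((constructor))
static void shim_init(void)
{
    fprintf(stderr, "[shim] loaded into pid %ld\n", (long)getpid());
}

/* Pure policy check, exposed so it can be exercised on its own. */
int shim_is_blocked(const char *path)
{
    return path != NULL &&
           strncmp(path, BLOCKED_PREFIX, strlen(BLOCKED_PREFIX)) == 0;
}

unsigned long shim_intercepted_calls(void)
{
    return shim_calls;
}

/* The interposed symbol.  With LD_PRELOAD, or DYLD_INSERT_LIBRARIES plus
 * a flat namespace, the program's calls to fopen() land here. */
FILE *fopen(const char *path, const char *mode)
{
    static fopen_fn real_fopen;

    shim_calls++;
    if (shim_is_blocked(path)) {
        fprintf(stderr, "[shim] denied fopen(\"%s\")\n", path);
        errno = EACCES;
        return NULL;
    }
    if (real_fopen == NULL) {
        /* RTLD_NEXT resolves to the next definition after this object in
         * load order, i.e. the C library's fopen, so we never recurse. */
        real_fopen = (fopen_fn)dlsym(RTLD_NEXT, "fopen");
        if (real_fopen == NULL) {
            errno = ENOSYS;
            return NULL;
        }
    }
    return real_fopen(path, mode);
}
```

The constructor message is the check worth keeping: a preloaded library that never prints it was never loaded, whatever the reason. On OS X, the same shim can also be built without DYLD_FORCE_FLAT_NAMESPACE by using dyld's __interpose section instead of a same-named symbol, but the symbol-override form shown here is what works identically on both platforms.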

A classic use case is turning a program's non-stereoscopic OpenGL rendering into quad-buffered stereoscopic rendering by redefining a few gl* calls.

This is also how the wonderful bear tool works: it intercepts the commands spawned by Makefile rules in order to build a compilation database (compile_commands.json), which is useful e.g. for IntelliSense-style completion.

However, with OS X El Capitan (10.11) Apple introduced System Integrity Protection (SIP), which breaks this trick, and does so silently: for protected binaries (those shipped in /System, /bin, /sbin, /usr/bin, /usr/sbin and similar locations), dyld ignores the DYLD_* variables and also removes them from the process environment, so they never reach child processes either. Since /bin/sh is protected, bear's interception chain is cut even when the compiler it wants to observe is not. In the same way, dtrace and dtruss can no longer attach to protected processes.

Although Apple does not recommend it, SIP can be disabled entirely by booting into Recovery (hold Command-R at startup), opening Terminal and running the following command:

$ csrutil disable

Preloading then works again, to the detriment of security: every SIP protection is off, not just the dyld restriction. Finally, I found this excellent post which explains that SIP can be partially disabled, keeping some of its components.

$ csrutil enable --without kext
$ csrutil enable --without fs
$ csrutil enable --without debug
$ csrutil enable --without dtrace
$ csrutil enable --without nvram

Each of these keeps SIP enabled but switches off one protection: untrusted kernel extensions (kext), filesystem protection (fs), the task_for_pid and debugging restrictions (debug), the dtrace restrictions (dtrace) and NVRAM protection (nvram). Several --without flags can be combined in a single csrutil enable invocation, and csrutil status reports the resulting configuration.

I have not tested which combination is minimal and sufficient in order to allow preloading, if someone knows, please put a comment.
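Because the failure is silent, it helps to have a check for the situation described above. The script below is an added example, not part of the original post: sip_status prints the csrutil configuration where csrutil exists, and dyld_insert_propagates tells you whether a value in DYLD_INSERT_LIBRARIES survives an exec of /bin/sh, a SIP-protected binary. With SIP on, dyld drops the variable and the child sees nothing, which is exactly why bear's interception chain breaks; on Linux, or on a Mac with SIP off, the value comes through untouched. The probe value /usr/lib/libSystem.B.dylib is chosen because it is always loaded anyway, so the probe is harmless even when dyld does honour the variable.

```shell
#!/bin/sh
# Added example, not from the original post: checks for SIP's effect on
# DYLD_INSERT_LIBRARIES.

# Show the SIP configuration on macOS; explain the absence of csrutil elsewhere.
sip_status() {
    if command -v csrutil >/dev/null 2>&1; then
        csrutil status
    else
        echo "csrutil not available (not macOS)"
    fi
}

# Print "propagated" if a child spawned through /bin/sh still sees
# DYLD_INSERT_LIBRARIES, "stripped" if the loader removed it.
# An existing, always-loaded library is used as the probe value so that a
# loader which does honour the variable has nothing to fail on (a nonexistent
# path would abort the child and look like "stripped").
dyld_insert_propagates() {
    probe=$(DYLD_INSERT_LIBRARIES=/usr/lib/libSystem.B.dylib \
            /bin/sh -c 'printf "%s" "$DYLD_INSERT_LIBRARIES"' 2>/dev/null)
    if [ -n "$probe" ]; then
        echo propagated
    else
        echo stripped
    fi
}

sip_status
echo "DYLD_INSERT_LIBRARIES through /bin/sh: $(dyld_insert_propagates)"
```

Run it once with SIP fully enabled and once after each csrutil configuration you try; the "stripped" / "propagated" answer for /bin/sh is the cheapest way to find out whether a given --without combination actually restores preloading through the shell that make spawns.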
