[service] macOS DYLD_LIBRARY_PATH removed due to System Integrity Protection #8443

Open
sh0 opened this issue Dec 15, 2021 · 4 comments

@sh0
Contributor

sh0 commented Dec 15, 2021

macOS since 10.11 El Capitan strips the `DYLD_LIBRARY_PATH` environment variable for child processes. It is a security measure called System Integrity Protection (SIP). This can cause issues with relocating Conan binary packages, particularly in CI.

Take glib for example, which includes the glib-compile-resources tool that is linked with the glib, gio and gobject libraries. Originally, CI built the binary package at `/Users/jenkins/w/BuildSingleReference/.conan/data/glib/2.70.0/_/_/package/fa44afc4793c5d03aff181b297994be9fbcb275b`. However, when building another library (aravis), glib got unpacked at `/Users/jenkins/w/BuildSingleReference@2/.conan/data/glib/2.70.0/_/_/package/fa44afc4793c5d03aff181b297994be9fbcb275b` on the CI machine. Notice the `@2` difference in the path. As a result, the dynamic library can no longer be found by full path. We could solve the problem by supplying `DYLD_LIBRARY_PATH` through `with tools.environment_append(RunEnvironment(self).vars)`. Unfortunately, the env variable is nuked due to SIP and the library is not found, with the following error:

```
dyld: Library not loaded: /Users/jenkins/w/BuildSingleReference/.conan/data/glib/2.70.0/_/_/package/fa44afc4793c5d03aff181b297994be9fbcb275b/lib/libgio-2.0.0.dylib
  Referenced from: /Users/jenkins/w/BuildSingleReference@2/.conan/data/glib/2.70.0/_/_/package/fa44afc4793c5d03aff181b297994be9fbcb275b/bin/glib-compile-resources
  Reason: image not found
```

See PR #8379 for an example where this is an issue.

Steps to reproduce:

  1. Build glib with `glib:shared=True`.
  2. Relocate installed package to some other directory.
  3. Run `glib-compile-resources` with proper `DYLD_LIBRARY_PATH`.
  4. Result should be `dyld: Library not loaded` with `Reason: image not found`

Potential solutions:

  1. Disable SIP in macOS build machines.
  2. Ensure CI always unpacks package at same location.
  3. Use @executable_path relative locations for libraries. Likely a very complex fix in multiple packages.

I made examples using glib here, but this bug affects all packages which have executables linked with dynamic libraries and are run during the build step of some other recipe.
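Potential solution 3 above, sketched as an added example (not code from this issue or from the Conan project): it reads `otool -L` output for a packaged executable and builds the `install_name_tool -change` commands that swap absolute references into the package for `@executable_path`-relative ones, so the binary resolves its libraries after relocation without `DYLD_LIBRARY_PATH`. The function names, the package root and the `otool -L` text are constructed for illustration.

```python
import os
import re
import shlex

# Dependency line of `otool -L`: whitespace, the install name, then version info.
DEP_LINE = re.compile(r"^\s+(?P<name>\S.*?) \(compatibility version [^)]*\)$")

# Constructed sample: package root and `otool -L` output (not taken from the issue).
SAMPLE_ROOT = "/Users/ci/build/glib-package"
SAMPLE_OTOOL = (
    "/Users/ci/build/glib-package/bin/glib-compile-resources:\n"
    "\t/Users/ci/build/glib-package/lib/libgio-2.0.0.dylib "
    "(compatibility version 7001.0.0, current version 7001.0.0)\n"
    "\t/usr/lib/libSystem.B.dylib "
    "(compatibility version 1.0.0, current version 1311.0.0)\n"
)

def absolute_deps(otool_output, package_root):
    """Return install names in `otool -L` output that point inside package_root."""
    root = package_root.rstrip("/") + "/"
    deps = []
    for line in otool_output.splitlines()[1:]:  # line 0 is the inspected file itself
        m = DEP_LINE.match(line)
        if m and m.group("name").startswith(root):
            deps.append(m.group("name"))
    return deps

def relocation_commands(binary, otool_output, package_root):
    """Build install_name_tool argv lists rewriting absolute package references
    to @executable_path-relative ones. `binary` is relative to package_root."""
    root = package_root.rstrip("/")
    bin_dir = os.path.dirname(binary)  # e.g. "bin"
    cmds = []
    for dep in absolute_deps(otool_output, root):
        # Path of the library relative to the directory holding the executable.
        rel = os.path.relpath(dep[len(root) + 1:], bin_dir)
        cmds.append(["install_name_tool", "-change", dep,
                     "@executable_path/" + rel, os.path.join(root, binary)])
    return cmds

if __name__ == "__main__":
    # Print the commands for review instead of running them.
    for cmd in relocation_commands("bin/glib-compile-resources",
                                   SAMPLE_OTOOL, SAMPLE_ROOT):
        print(shlex.join(cmd))
```

System libraries such as `/usr/lib/libSystem.B.dylib` are left untouched because they are outside the package root. References between the package's own libraries need the same rewrite before the whole package is relocatable.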

@ericLemanissier
Contributor

ericLemanissier commented Dec 15, 2021

I think conan-io/conan#7324 intends to solve this problem
see also #8084

@sh0
Contributor Author

sh0 commented Dec 16, 2021

This is what I was looking for indeed 👍 I only searched conan center issues so I didn't see those PRs.

Still, I'm not exactly sure how the shell script wrappers can defeat macOS SIP, as they also launch child processes, which strips `DYLD_*` variables...

@ericLemanissier
Contributor

`DYLD_LIBRARY_PATH` is not stripped if it is passed directly to the process (on the same command line): `DYLD_LIBRARY_PATH=/path/to/libs runfoo`

@sh0
Contributor Author

sh0 commented Dec 16, 2021

Aha, got it. Thanks.
