Macos notarization and "Unkown signal" on macos

Macos notarization and "Unkown signal" on macos

[Felix Willgerodt]

[-- Attachment #1: Type: text/plain, Size: 3422 bytes --]

Hi,

Has anyone tried to get GDB to work on macOS 10.15 (beta) with the new 
notarization requirement yet? 
https://developer.apple.com/documentation/security/notarizing_your_app_before_distribution
I looked into that for a couple of days now and managed to get it to run 
with the hardened runtime enabled.

To do so, I mainly changed darwin-nat.c:
* darwin_attach_pid(): Added a loop that tries task_for_pid() 10 times, 
sleeping 10000 usec inbetween. This change was inspired by LLDB and 
seems to be necessary for the hardened runtime.
* darwin_ptrace_me(): Changed the process group setting to occour after 
the ptrace calls (inspired by LLDB)
* darwin_ptrace_him(): Set the child process group to match its pid 
(inspired by LLDB)

I am not sure if the last two are really needed, but it looks like it 
improves the situation overall. The whole thing is a bit of a mess to 
test, as GDB behaves slightly different on 10.14 and 10.15 beta for me. 
It also depends strongly on if the inferior itself has hardened runtime 
enabled.

For the entitlement file I am currently using:

         <key>com.apple.security.cs.debugger</key>
         <true/>
         <key>com.apple.security.get-task-allow</key>
         <true/>
         <key>com.apple.security.cs.disable-library-validation</key>
         <false/>

* The debugger entitlement is obvious.
* The get-task-allow entitlement seems to be needed for GDB. GDB forks 
itself, starts tracing the fork and starts the inferior in this forked 
process with execv(). (details in darwin-nat.c and 
fork-inferior.c:fork-inferior)
To start tracing the forked process before the execv, we need this 
entitlement on GDB itself. LLDB seems to not need this, as LLDB has 
multiple different variations on how to start an inferior on macOS, 
using a posix spawn (default) or macOS app specific methods.
* The disable-library-validation is not really needed. However, 
notarizing apps with get-task-allow is only allowed if you also enable 
disable-library-validation.

I have attached a wip patch (not intended for gdb-patches) if anyone is 
interested in what I did exactly.

My current problem:
The problem I am now facing has little to do with notarization/hardened 
runtime, as it also happens without that on 10.14 and 10.15. GDB 
sometimes hangs in the second wait4 call in 
darwin-nat.c:darwin_decode_message(). The only "solution" to this is a 
"kill -9". The second wait4 in that function makes little sense to me 
and seems to be a workaround for previous macos versions. If I delete 
it, the sporadic hangs stop, and I get sporadic "During startup program 
terminated with signal ?, Unknown signal." messages instead (which is 
preferable imo). I tried to debug this further, but couldn't really find 
the cause or a solution yet. WTERMSIG(wstatus) returns 127 in 
darwin_decode_message() for me. If I add sleep statements after setting 
the process group in darwin_ptrace_me(), I can reduce the frequency of 
these hangs to less than 10%.

Has anyone encountered that as well? Or does anyone have a suggestion on 
what I can still try to fix this?

Thanks,
Felix

Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Gary Kershaw
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928

[-- Attachment #2: 0001-WIP-macos-10.15.patch --]
[-- Type: text/x-patch, Size: 2905 bytes --]

From ffeea2cc1ab89e52b7f76516dc156f71f01b5cfb Mon Sep 17 00:00:00 2001
From: Felix Willgerodt <felix.willgerodt@intel.com>
Date: Thu, 22 Aug 2019 10:12:36 +0200
Subject: [PATCH] WIP: Fixes for macos 10.15.

Signed-off-by: Felix Willgerodt <felix.willgerodt@intel.com>
---
 gdb/darwin-nat.c | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)

diff --git a/gdb/darwin-nat.c b/gdb/darwin-nat.c
index 8f71def069d..ef5244b2eb9 100644
--- a/gdb/darwin-nat.c
+++ b/gdb/darwin-nat.c
@@ -1151,7 +1151,7 @@ darwin_decode_message (mach_msg_header_t *hdr,
 			      res_pid, wstatus);
 
 	      /* Looks necessary on Leopard and harmless...  */
-	      wait4 (inf->pid, &wstatus, 0, NULL);
+	      // wait4 (inf->pid, &wstatus, 0, NULL);
 
 	      inferior_ptid = ptid_t (inf->pid, 0, 0);
 	      return inferior_ptid;
@@ -1610,11 +1610,16 @@ darwin_attach_pid (struct inferior *inf)
   darwin_inferior *priv = new darwin_inferior;
   inf->priv.reset (priv);
 
+  const uint32_t num_retries = 10;
+  const uint32_t usec_interval = 10000;
+
   try
     {
-      kret = task_for_pid (gdb_task, inf->pid, &priv->task);
-      if (kret != KERN_SUCCESS)
-	{
+      for (uint32_t i = 1; i <= num_retries; i++)
+       {
+	 kret = task_for_pid (gdb_task, inf->pid, &priv->task);
+	 if (kret != KERN_SUCCESS && i == 10)
+	  {
 	  int status;
 
 	  if (!inf->attach_flag)
@@ -1627,7 +1632,14 @@ darwin_attach_pid (struct inferior *inf)
 	    (_("Unable to find Mach task port for process-id %d: %s (0x%lx).\n"
 	       " (please check gdb is codesigned - see taskgated(8))"),
 	     inf->pid, mach_error_string (kret), (unsigned long) kret);
-	}
+	  }
+	  else
+	    {
+	      break;
+	    }
+
+	  usleep (usec_interval);
+      }
 
       inferior_debug (2, _("inferior task: 0x%x, pid: %d\n"),
 		      priv->task, inf->pid);
@@ -1756,8 +1768,8 @@ darwin_ptrace_me (void)
     trace_start_error_with_name ("close");
 
   /* Get rid of privileges.  */
-  if (setegid (getgid ()) < 0)
-    trace_start_error_with_name ("setegid");
+  //if (setegid (getgid ()) < 0)
+  //trace_start_error_with_name ("setegid");
 
   /* Set TRACEME.  */
   if (PTRACE (PT_TRACE_ME, 0, 0, 0) < 0)
@@ -1766,6 +1778,15 @@ darwin_ptrace_me (void)
   /* Redirect signals to exception port.  */
   if (PTRACE (PT_SIGEXC, 0, 0, 0) < 0)
     trace_start_error_with_name ("PTRACE");
+
+  if (setgid (getgid ()) == 0) {
+
+  // Set the child process group to match its pid.
+  setpgid (0, 0);
+
+  // Sleep a bit to before the exec call.
+  sleep(1);
+  }
 }
 
 /* Dummy function to be sure fork_inferior uses fork(2) and not vfork(2).  */
@@ -1788,6 +1809,10 @@ darwin_ptrace_him (int pid)
 {
   struct inferior *inf = current_inferior ();
 
+  // Set the child process group to match its pid
+  if (pid > 0)
+    setpgid (pid, pid);
+
   darwin_attach_pid (inf);
 
   /* Let's the child run.  */
-- 
2.20.1

Re: Macos notarization and "Unkown signal" on macos

[Eli Zaretskii]

> From: Felix Willgerodt <felix.willgerodt@intel.com>
> Date: Wed, 4 Sep 2019 16:32:12 +0200
> 
> * darwin_attach_pid(): Added a loop that tries task_for_pid() 10 times, 
> sleeping 10000 usec inbetween. This change was inspired by LLDB and 
> seems to be necessary for the hardened runtime.
> * darwin_ptrace_me(): Changed the process group setting to occour after 
> the ptrace calls (inspired by LLDB)
> * darwin_ptrace_him(): Set the child process group to match its pid 
> (inspired by LLDB)

Bother: could "inspired by LLDB" mean that the code was copied from
there?  This could mean legal problems if we accept such code.

IOW, how much of the code is actually your own original code?

RE: Macos notarization and "Unkown signal" on macos

[Willgerodt, Felix]

Sorry for not responding earlier, but I was out sick the last weeks.

I intentionally copied some lines to make it easier to find the relevant part in the LLDB source code, just in case anyone else wants to dig deeper. Macos documentation on this is unfortunately rather sparse, so every bit helps IMO.
I know that this would cause legal issues, which is why I only posted my findings here and not in the patches mailing list. My intention was to start a discussion on how to solve the problem, not to get this patch accepted. I am confident that we can come up with a patch that doesn't infringe any copyright. 90% of the patch are "normal" system calls anyway.

Felix


-----Original Message-----
From: Eli Zaretskii [mailto:eliz@gnu.org] 
Sent: Wednesday, September 4, 2019 5:02 PM
To: Willgerodt, Felix <felix.willgerodt@intel.com>
Cc: gdb@sourceware.org
Subject: Re: Macos notarization and "Unkown signal" on macos

> From: Felix Willgerodt <felix.willgerodt@intel.com>
> Date: Wed, 4 Sep 2019 16:32:12 +0200
> 
> * darwin_attach_pid(): Added a loop that tries task_for_pid() 10 times, 
> sleeping 10000 usec inbetween. This change was inspired by LLDB and 
> seems to be necessary for the hardened runtime.
> * darwin_ptrace_me(): Changed the process group setting to occour after 
> the ptrace calls (inspired by LLDB)
> * darwin_ptrace_him(): Set the child process group to match its pid 
> (inspired by LLDB)

Bother: could "inspired by LLDB" mean that the code was copied from
there?  This could mean legal problems if we accept such code.

IOW, how much of the code is actually your own original code?
Intel Deutschland GmbH
Registered Address: Am Campeon 10-12, 85579 Neubiberg, Germany
Tel: +49 89 99 8853-0, www.intel.de
Managing Directors: Christin Eisenschmid, Gary Kershaw
Chairperson of the Supervisory Board: Nicole Lau
Registered Office: Munich
Commercial Register: Amtsgericht Muenchen HRB 186928