Why does a Free Pascal dylib need DYLD environment variables?

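I have a Mac app, built mostly with Xcode, that uses a dynamic library (dylib) built with Free Pascal via Lazarus. When I turn on Apple's "Hardened Runtime" feature, the dylib stops working until I check the "Allow DYLD Environment Variables" option. This is described as "Allows an application to be impacted by DYLD environment variables, which can be used to inject code into the process." That code injection bit sounds like something I'd want to avoid. Any idea why this is happening or what I can do about it?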


In answer to some questions raised in the comments:

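I'm not sure exactly what is failing, since I didn't write the dylib. It may be trying to communicate with a server over the Internet. All I know at this point is that it returns an unexpected and unhelpful error code.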

The app calls functions in the dylib using dlopen and dlsym. The dylib is located in the Contents/Frameworks subdirectory of the app. The app does not set any environment variables in Info.plist or in code.

Output of otool -L on the dylib:

@rpath/lib<redacted>.dylib (compatibility version 0.0.0, current version 0.0.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 22.0.0)
/usr/lib/libiconv.2.dylib (compatibility version 7.0.0, current version 7.0.0)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1226.10.1)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1258.1.0)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1259.0.0)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1404.47.0)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 48.0.0)
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 728.13.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)

Output of otool -L on the main executable:

/System/Library/Frameworks/Security.framework/Versions/A/Security (compatibility version 1.0.0, current version 58286.251.4)
/System/Library/Frameworks/AVFoundation.framework/Versions/A/AVFoundation (compatibility version 1.0.0, current version 2.0.0)
/System/Library/Frameworks/AudioToolbox.framework/Versions/A/AudioToolbox (compatibility version 1.0.0, current version 492.0.0)
/System/Library/Frameworks/Accelerate.framework/Versions/A/Accelerate (compatibility version 1.0.0, current version 4.0.0)
/System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
@rpath/Quesa.framework/Versions/A/Quesa (compatibility version 1.6.0, current version 2.0.0)
@executable_path/../Frameworks/Ming.framework/Versions/A/Ming (compatibility version 0.0.0, current version 0.0.0)
@rpath/SBEngineLib4.framework/Versions/A/SBEngineLib4 (compatibility version 1.0.0, current version 1.0.0)
/System/Library/Frameworks/Quartz.framework/Versions/A/Quartz (compatibility version 1.0.0, current version 1.0.0)
/usr/lib/libsqlite3.dylib (compatibility version 9.0.0, current version 274.22.0)
/System/Library/Frameworks/ApplicationServices.framework/Versions/A/ApplicationServices (compatibility version 1.0.0, current version 50.1.0)
/System/Library/Frameworks/Carbon.framework/Versions/A/Carbon (compatibility version 2.0.0, current version 158.0.0)
/System/Library/Frameworks/Cocoa.framework/Versions/A/Cocoa (compatibility version 1.0.0, current version 23.0.0)
/System/Library/Frameworks/AddressBook.framework/Versions/A/AddressBook (compatibility version 1.0.0, current version 1893.0.0)
/System/Library/Frameworks/SystemConfiguration.framework/Versions/A/SystemConfiguration (compatibility version 1.0.0, current version 963.250.1)
/System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
/System/Library/Frameworks/WebKit.framework/Versions/A/WebKit (compatibility version 1.0.0, current version 607.1.40)
/System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1570.15.0)
/usr/lib/libobjc.A.dylib (compatibility version 1.0.0, current version 228.0.0)
/usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.4)
/usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.250.1)
/System/Library/Frameworks/AppKit.framework/Versions/C/AppKit (compatibility version 45.0.0, current version 1671.40.118)
/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1570.15.0)
/System/Library/Frameworks/CoreServices.framework/Versions/A/CoreServices (compatibility version 1.0.0, current version 944.3.0)
/System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
/System/Library/Frameworks/QuartzCore.framework/Versions/A/QuartzCore (compatibility version 1.2.0, current version 1.11.0)

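Update: I set a breakpoint on dlopen and found that the problematic dylib was trying to open another dylib, libiconv.dylib, by name rather than by full path. It turns out that this fails in the Hardened Runtime without the special entitlement.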

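The Free Pascal dylib is apparently calling dlopen("libiconv.dylib", ...) with just a file name and no path. This relies on dyld searching in $LD_LIBRARY_PATH, $DYLD_LIBRARY_PATH, the current working directory, and $DYLD_FALLBACK_LIBRARY_PATH (or, if that last one is not defined, $HOME/lib, /usr/local/lib, and /usr/lib).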

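However, dyld will not search anywhere for a hardened runtime process that does not have the Allow DYLD Environment Variables entitlement. Only a full path will work.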

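Either the dylib has to be changed somehow (if that is possible), or you will need to enable Allow DYLD Environment Variables despite the risk (which I don't think is particularly severe).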
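
An illustration of the "only a full path will work" point in the answer above, added here and not part of the original post or of Free Pascal's code: a C helper that resolves a bare library name against a fixed list of absolute directories and hands the loader nothing but full paths. The names load_pinned and stub_loader and the directory list are hypothetical; in an app, dlopen (which has the same signature as loader_fn) would be passed as the loader.

```c
#include <stdio.h>
#include <string.h>

/* Same signature as dlopen(3), so the app can pass dlopen itself. */
typedef void *(*loader_fn)(const char *path, int mode);

/* Load a bare file name (e.g. "libiconv.dylib") from a fixed list of absolute
 * directories. Every path given to `load` is absolute, so the outcome never
 * depends on DYLD_* variables or the working directory. On success, copies
 * the path that loaded into `used` and returns the handle; otherwise NULL. */
void *load_pinned(const char *leaf, const char *const *dirs, size_t ndirs,
                  loader_fn load, int mode, char *used, size_t used_len)
{
    char path[1024];
    if (leaf == NULL || leaf[0] == '\0' || strchr(leaf, '/') != NULL)
        return NULL;                       /* accept bare leaf names only */
    for (size_t i = 0; i < ndirs; i++) {
        if (dirs[i] == NULL || dirs[i][0] != '/')
            continue;                      /* ignore relative directories */
        int n = snprintf(path, sizeof path, "%s/%s", dirs[i], leaf);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;                      /* ignore truncated paths */
        void *handle = load(path, mode);
        if (handle != NULL) {
            if (used != NULL && used_len > 0)
                snprintf(used, used_len, "%s", path);
            return handle;
        }
    }
    return NULL;
}

/* Constructed stand-in for dlopen so the example runs on any system: it
 * "loads" only /usr/lib/libiconv.dylib and counts non-absolute requests. */
int relative_requests = 0;
void *stub_loader(const char *path, int mode)
{
    static int token;
    (void)mode;
    if (path[0] != '/') relative_requests++;
    return strcmp(path, "/usr/lib/libiconv.dylib") == 0 ? (void *)&token : NULL;
}

int main(void)
{
    const char *const dirs[] = { "lib", "/usr/local/lib", "/usr/lib" };
    char used[1024] = "";
    void *h = load_pinned("libiconv.dylib", dirs, 3, stub_loader, 0, used, sizeof used);
    printf("%s -> %s\n", h ? "loaded" : "failed", used);
}
```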