GNOME Bugzilla – Bug 757616
OS X 10.11 (El Capitan) System Integrity Protection interferes with ability to compile
Last modified: 2018-06-29 23:44:25 UTC
El Cap's System Integrity System negatively affects the ability to compile GnuCash. According to [1]:

"System binaries can be modified only by Apple Installer and Software Update from Apple-provided packages, and no longer permit runtime attachment or code injection"

I infer the shells such as /bin/sh are system binaries. When a protected system binary is launched, according to [2]:

"Any dynamic linker (dyld) environment variables, such as DYLD_LIBRARY_PATH, are purged when launching protected processes."

This means that when DYLD_* values are set in a shell, these values are no longer propagated to any subshells.

This bites GnuCash when trying to compile Scheme files that want to load dynamic library extensions. For example, consider src/core-utils/core-utils.scm, which contains the line

    (load-extension "libgnc-core-utils" "scm_init_sw_core_utils_module")))

To accomplish this loading of the extension, the Makefile passes in DYLD_LIBRARY_PATH to the "guild" shell script:

    GNC_UNINSTALLED=yes \
    GNC_BUILDDIR=../.. \
    LD_LIBRARY_PATH="../../src/core-utils/.libs:../../src/libqof/qof/.libs:${LD_LIBRARY_PATH}" DYLD_LIBRARY_PATH="../../src/core-utils/.libs:../../src/libqof/qof/.libs:${DYLD_LIBRARY_PATH}" \
    $(GUILD) compile -o core-utils.go core-utils.scm

Guild is a #!/bin/sh script. If you put an 'env' command in the script before the exec, you will notice that DYLD_LIBRARY_PATH is not part of the environment. El Cap's SIP has purged it. Thus guile can't find the extension compiled dynamic library and fails:

    In unknown file:
       ?: 1 [load-extension "libgnc-core-utils" "scm_init_sw_core_utils_module"]
    In ice-9/boot-9.scm:
     106: 0 [#<procedure a574e0 at ice-9/boot-9.scm:97:6 (thrown-k . args)> misc-error ...]

    ice-9/boot-9.scm:106:20: In procedure #<procedure a574e0 at ice-9/boot-9.scm:97:6 (thrown-k . args)>:
    ice-9/boot-9.scm:106:20: In procedure dynamic-link: file: "libgnc-core-utils", message: "file not found"

One workaround I tried was to have the Makefile.am call the "guile" executable directly, since that would not be a protected executable and not subject to purging:

    $(GUILE) -e '(@@ (guild) main)' -s $(GUILD) compile -o $@ $<

But I still could not get the scheme code to compile. Ultimately, I ran out of time to look at this and just disabled SIP on my box. Then GnuCash compiles fine.

[1] https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html
[2] https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/RuntimeProtections/RuntimeProtections.html

This is prior art for other projects running into this same problem:
1. https://github.com/oracle/node-oracledb/issues/231
2. https://github.com/rethinkdb/rethinkdb/issues/4602
Interesting. I've been poking at this since the first developer preview in May and SIP interference didn't even occur to me.
I found a work-around that I like better than disabling SIP, which is to build bash and change guild so that it's the one in the shebang. Since that's not a system binary it's not protected by SIP and DYLD_LIBRARY_PATH goes on through.
I've added a bash module to gtk-osx-bootstrap.modules and skipped it by default. To enable it, add "skip.remove('bash')" to jhbuildrc. Since I haven't started using jhbuild conditionals, there's no good way to set up a patch for guild, so one must edit $PREFIX/bin/guild to change the shebang to the self-built bash. After that GnuCash builds correctly.
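A diagnostic for the behaviour discussed in this bug, as an added example that is not part of the original thread or of GnuCash's build system: it reads a script's shebang, notes whether that interpreter sits in a directory that Apple's SIP guide lists as protected (an assumption taken from the guide, not from this report), and probes whether DYLD_LIBRARY_PATH actually reaches a child started through it. The function names and the /probe/marker value are hypothetical.

```shell
#!/bin/sh
# Added example: which interpreter does a script use, and does
# DYLD_LIBRARY_PATH survive being launched through it?

# Print the interpreter path from a script's shebang line (nothing if absent).
shebang_interp() {
    head -n 1 "$1" | sed -n 's/^#![[:space:]]*\([^[:space:]]*\).*/\1/p'
}

# Path heuristic only. Assumption: Apple's SIP guide lists /System, /usr,
# /bin and /sbin as protected and excludes /usr/local.
in_sip_location() {
    case $1 in
        /usr/local/*) return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Empirical probe: set a marker value and see whether a child started as
# "<interp> -c ..." still has it. Only meaningful for sh-like interpreters.
dyld_survives() {
    seen=$(DYLD_LIBRARY_PATH=/probe/marker "$1" -c \
        'printf %s "${DYLD_LIBRARY_PATH-}"' 2>/dev/null)
    [ "$seen" = /probe/marker ]
}

# Report on one script, e.g. $PREFIX/bin/guild.
check_script() {
    interp=$(shebang_interp "$1")
    [ -n "$interp" ] || { echo "$1: no shebang line"; return 2; }
    if in_sip_location "$interp"; then
        where="SIP-protected location"
    else
        where="unprotected location"
    fi
    if dyld_survives "$interp"; then
        echo "$1: $interp ($where): DYLD_LIBRARY_PATH propagates"
    else
        echo "$1: $interp ($where): DYLD_LIBRARY_PATH is purged"
        return 1
    fi
}

# Stand-alone use: check every script named on the command line.
for f in "$@"; do
    check_script "$f" || true
done
```

Run it against $PREFIX/bin/guild before and after changing the shebang to see whether the variable now passes through.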
GnuCash bug tracking has moved to a new Bugzilla host. This bug has been copied to https://bugs.gnucash.org/show_bug.cgi?id=757616. Please update any external references or bookmarks.