Add missing exec hooks on partial load, macOS

changelog.d/+enable-exec-hooks-on-sip.fixed.md

@@ -0,0 +1 @@
+Add missing exec hooks on partial load, macOS

mirrord/layer/src/exec_utils.rs

@@ -62,6 +62,17 @@
 #[mirrord_layer_macro::instrument(level = "trace")]
 pub(super) fn patch_if_sip(path: &str) -> Detour<String> {
     let patch_binaries = PATCH_BINARIES.get().expect("patch binaries not set");
+    // some binaries don't need to be sip patched, because they don't chain-execute (i.e we don't
+    // care about the commands they run) for example, "go run" needs to be sip patched because
+    // it builds then executes. but gcc never executes the binary, so we don't need to sip patch
+    // it.
+    const BYPASS_BINARIES: &[&str] = &[
+        "/uname",
+        "/xcrun"
+    ];
+    if BYPASS_BINARIES.iter().any(|bin| path.ends_with(bin)) {
+        return Bypass(NoSipDetected(path.to_string()));
+    }
     match sip_patch(path, patch_binaries) {
         Ok(None) => Bypass(NoSipDetected(path.to_string())),
         Ok(Some(new_path)) => Success(new_path),

mirrord/layer/src/lib.rs

@@ -456,7 +456,9 @@ fn sip_only_layer_start(mut config: LayerConfig, patch_binaries: Vec<String>) {
     load_only_layer_start(&config);
 
     let mut hook_manager = HookManager::default();
-
+    unsafe {
+        exec_hooks::hooks::enable_exec_hooks(&mut hook_manager);
+    }
     unsafe { exec_utils::enable_macos_hooks(&mut hook_manager, patch_binaries) };
 
     // we need to hook file access to patch path to our temp bin.

mirrord/layer/src/load.rs

@@ -27,13 +27,17 @@
         "link",
         "math",
         "cargo",
+        "clang",
+        "compile",
         "hpack",
         "rustc",
-        "compile",
         "collect2",
         "cargo-watch",
         "debugserver",
         "jspawnhelper",
+        "strip",
+        "dsymutil",
+        "xcrun"
     ])
 });