https://bugs.winehq.org/show_bug.cgi?id=47944
Bug ID: 47944
Summary: Wine64 tries to change permissions in /private/tmp/ that fails on macOS 10.15 Catalina
Product: Wine
Version: 4.17
Hardware: x86-64
OS: Mac OS X
Status: UNCONFIRMED
Severity: major
Priority: P2
Component: -unknown
Assignee: wine-bugs@winehq.org
Reporter: mterrisse@free.fr
Hello,
We develop Windows applications that work on Linux and macOS thanks to Wine. Those are 64-bit applications so we thought that we wouldn't have major problems when switching to macOS 10.15 Catalina. We can indeed run the applications with wine64 (Wine 4.17).
But they freeze when they try to display an html browser (CEF, Chromium Embedded Framework) with these errors in the console:

0162:err:virtual:map_file_into_view failed to set PROT_EXEC on file map, noexec filesystem?
0162:err:virtual:virtual_map_section mapping 0x4db0000 1000 000000000 failed

We discovered that it fails on a fresh install, but it works if we disable SIP (System Integrity Protection). We can indeed read this in the system log:

kernel (AppleSystemPolicy) Library load (/private/tmp/.wine-1604910507/server-1000004-86265/anonmap.7vgk04) rejected: library load disallowed by system policy
So is there a way to tell Wine not to use /private/tmp but another folder for temporary files?
Regards,
Michel Terrisse
--- Comment #1 from Michel Terrisse mterrisse@free.fr ---
In the man page of wineserver you can read:

/tmp/.wine-uid
    Directory containing the server Unix socket and the lock file. These files are created in a subdirectory generated from the WINEPREFIX directory device and inode numbers.

/tmp is a symbolic link to /private/tmp on macOS. So precisely my question is: Is there a way to configure wineserver to use another location for this directory?
Regards,
Michel Terrisse
Michel Terrisse mterrisse@free.fr changed:
What      | Removed  | Added
----------+----------+-----------
Component | -unknown | wineserver
Austin English austinenglish@gmail.com changed:
What | Removed | Added
-----+---------+------------------------
CC   |         | austinenglish@gmail.com

--- Comment #2 from Austin English austinenglish@gmail.com ---
Generally one would set TMPDIR for that, but wine doesn't respect that. See bug 14838.

--- Comment #3 from Michel Terrisse mterrisse@free.fr ---
Thank you for that.
We are now trying to rebuild wine 4.17 from code with changes in libs/wine/config.c to change "/tmp/.wine" for something like "/Users/Shared/.wine". I will tell you if it works or not as soon as possible.
During that time I try to understand what is specific to CEF and makes it crash. The string "anonmap." appears only in server/mapping.c, for this function:

/* create a temp file for anonymous mappings */
static int create_temp_file( file_pos_t size )

called by this one:

/* allocate and fill the temp file for a shared PE image mapping */
static int build_shared_mapping( struct mapping *mapping, int fd, IMAGE_SECTION_HEADER *sec, unsigned int nb_sec )

that is called by this one:

/* retrieve the mapping parameters for an executable (PE) image */
static unsigned int get_image_params( struct mapping *mapping, file_pos_t file_size, int unix_fd )

So Wineserver creates a shared library and tries to load it. Do you know why? This doesn't happen for all the dynamic libraries loaded by the program but just when CEF is trying to display some HTML, and I can't understand what is specific here.
Thank you for your help,
Michel
--- Comment #4 from Michel Terrisse mterrisse@free.fr ---
It is done, we could rebuild wine 4.17 from code with changes in libs/wine/config.c (to change "/tmp/.wine" for "/Users/Shared/.wine"). And now we have the same error "library load disallowed by system policy" but on the new folder.
So the problem is not the folder itself but the way wineserver creates a library and tries to load it.
What kind of information could I look for to help understanding this problem?
Regards,
Michel Terrisse
--- Comment #5 from Alexandre Julliard julliard@winehq.org ---
(In reply to Michel Terrisse from comment #3)
> During that time I try to understand what is specific to CEF and makes it crash. The string "anonmap." appears only in server/mapping.c, for this function:
>
> /* create a temp file for anonymous mappings */
> static int create_temp_file( file_pos_t size )
>
> called by this one:
>
> /* allocate and fill the temp file for a shared PE image mapping */
> static int build_shared_mapping( struct mapping *mapping, int fd, IMAGE_SECTION_HEADER *sec, unsigned int nb_sec )
>
> that is called by this one:
>
> /* retrieve the mapping parameters for an executable (PE) image */
> static unsigned int get_image_params( struct mapping *mapping, file_pos_t file_size, int unix_fd )
>
> So Wineserver creates a shared library and tries to load it. Do you know why? This doesn't happen for all the dynamic libraries loaded by the program but just when CEF is trying to display some HTML, and I can't understand what is specific here.
That's because it's loading a DLL that contains a shared section. In that case we need to create a tmp file with the contents of the section. Most DLLs don't use shared sections so they work fine.
You should try current git, probably commit 98238aa8736022ec08205e66a4e92f690ddcc711 will help for you case.
Ken Thomases ken@codeweavers.com changed:
What | Removed | Added
-----+---------+--------------------
CC   |         | ken@codeweavers.com

--- Comment #6 from Ken Thomases ken@codeweavers.com ---
Created attachment 65458 --> https://bugs.winehq.org/attachment.cgi?id=65458
Example entitlements file

In theory, this is due to hardened runtime restrictions. The hardened runtime used to be opt-in, but it seems like it's always on in Catalina.
I expect that if you explicitly enable the hardened runtime and use an entitlements file that disables the relevant restrictions — that is, if you opt in to insecure behavior — these problems would probably go away. I'm attaching an example entitlements file that allows everything that Wine may need (I think).
You'll need a code-signing identity certificate. Then, you would do:

    codesign -s <identity> -o runtime --entitlements /path/to/Hardened.entitlements <path to executable>
You'll need to do this for any affected Wine executables, such as wineserver, wine-preloader, and wine64-preloader. Maybe others.
Mind you, I may have some of the specifics wrong. Also, for actual code-signing security, you'd want to specify designated requirements.
--- Comment #7 from Michel Terrisse mterrisse@free.fr ---
Thank you very much for those answers.
We tried specifying the entitlements with no success for the moment, but we keep trying.
We also tried to build wine from source with the commit 98238aa8736022ec08205e66a4e92f690ddcc711, but couldn't start wine after that. So we will try again with just this commit and the sources from Wine 4.17, we will probably know on Monday if it works.
We also tried with WINEDEBUG=+loaddll to know which dll contains a shared data section. Strangely the latest loaded dll is C:\Windows\System32\CFGMGR32.dll, relative to the Configuration Manager (https://docs.microsoft.com/en-us/windows/win32/api/cfgmgr32/). It is a native dll and it doesn't have a shared section.
Can you confirm that a shared section in a dll is a section with the flag IMAGE_SCN_MEM_SHARED (0x10000000, "The section can be shared in memory.") ?
Thank you for your help,
Michel Terrisse
--- Comment #8 from Michel Terrisse mterrisse@free.fr ---
Created attachment 65491 --> https://bugs.winehq.org/attachment.cgi?id=65491
Executables and source code to help reproducing the problem
Hello,
I created a dll with a shared section (C language, Visual Studio 2013) and a program to load it (Pascal language, Delphi 10.3.2). If I run it with Wine64 (4.17) under macOS 10.15 Catalina I receive:

003b:err:virtual:map_file_into_view failed to set PROT_EXEC on file map, noexec filesystem?
003b:err:module:map_image Could not map shared section .sdata

and in the system log I can read:

Library load (/private/tmp/.wine-1604910507/server-1000004-86265/anonmap.0NtRsH) rejected: library load disallowed by system policy

So this is very similar to what happens with CEF, except that with CEF I don't have this message:

003b:err:module:map_image Could not map shared section .sdata

So is there something other than a shared section in a library that can make wineserver generate and load a library like /tmp/.wine-1604910507/server-1000004-86265/anonmap.0NtRsH ?
Regards,
Michel Terrisse
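Comments #5, #7 and #8 all turn on one property of a DLL: whether any of its sections carries the IMAGE_SCN_MEM_SHARED flag (0x10000000), since that is what makes wineserver build an anonmap temp file for the image. The following added example (not Wine's code and not the reporter's attachment) walks a PE file's section headers and lists the sections with that flag, so the DLLs reported by WINEDEBUG=+loaddll can be checked offline; the `build_test_pe` helper fabricates a headers-only PE32+ skeleton as constructed test input, and the IMAGE_SCN_* values are the standard winnt.h constants.

```python
import struct
import sys

# Standard PE section characteristic flags (winnt.h values).
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_SHARED = 0x10000000   # "The section can be shared in memory."
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shared_sections(data):
    """Return the names of sections flagged IMAGE_SCN_MEM_SHARED in a PE image.

    Parses only what is needed: DOS header -> e_lfanew -> COFF file header ->
    skip the optional header -> walk the 40-byte section headers.
    """
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (nb_sec,) = struct.unpack_from("<H", data, coff + 2)     # NumberOfSections
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    first = coff + 20 + opt_size                             # first section header
    found = []
    for i in range(nb_sec):
        off = first + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        (chars,) = struct.unpack_from("<I", data, off + 36)  # Characteristics
        if chars & IMAGE_SCN_MEM_SHARED:
            found.append(name)
    return found


def build_test_pe(sections):
    """Constructed test input: a headers-only PE32+ skeleton (not a loadable DLL).
    sections is a list of (name_bytes, characteristics) pairs."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)     # e_lfanew = 0x40
    opt_size = 240                                           # PE32+ optional header size
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, opt_size, 0x2022)
    opt = struct.pack("<H", 0x20B) + b"\0" * (opt_size - 2)  # PE32+ magic, rest zeroed
    hdrs = b"".join(name.ljust(8, b"\0") + struct.pack("<IIIIIIHHI", 0x1000, 0x1000, 0x200, 0x400, 0, 0, 0, 0, chars)
                    for name, chars in sections)
    return dos + b"PE\0\0" + coff + opt + hdrs


if __name__ == "__main__":
    for path in sys.argv[1:]:                # e.g. the DLLs that WINEDEBUG=+loaddll lists
        with open(path, "rb") as f:
            print(path, shared_sections(f.read()))
```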
Jactry Zeng jactry92@gmail.com changed:
What | Removed | Added
-----+---------+------------------
CC   |         | jactry92@gmail.com

--- Comment #9 from Michel Terrisse mterrisse@free.fr ---
We just moved to Wine 4.18 and the bug is fixed!
Thank you for your help,
Michel Terrisse
DIN5473 bdinitha2@gmail.com changed:
What | Removed | Added
-----+---------+-------------------
CC   |         | bdinitha2@gmail.com
Ken Sharp imwellcushtymelike@gmail.com changed:
What       | Removed     | Added
-----------+-------------+---------
Resolution | ---         | FIXED
Status     | UNCONFIRMED | RESOLVED

--- Comment #10 from Ken Sharp imwellcushtymelike@gmail.com ---
As above. Re-open if you think that this is an error.
Alexandre Julliard julliard@winehq.org changed:
What   | Removed  | Added
-------+----------+-------
Status | RESOLVED | CLOSED

--- Comment #11 from Alexandre Julliard julliard@winehq.org ---
Closing bugs fixed in 5.7.
berto_anfam@yahoo.co.id changed:
What | Removed | Added
-----+---------+------------------------
CC   |         | berto_anfam@yahoo.co.id