So I'm building the macOS app, which includes a framework which embeds Python code. Some of the Python modules do dynamically load shared objects. I have put the shared objects under "PlugIns", and there are symlinks from the location where Python expects them to be. I.e.:
Python tries to mmap the object from:
MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so
but this is actually a symlink to:
MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/A/PlugIns/site-packages/lxml/etree.cpython-39-darwin.so
Both the framework and app are codesigned:
% codesign -v -vvv ./MySampleApp.app/
./MySampleApp.app/: satisfies its Designated Requirement
When Python tries to run its code howerer, it fails with the following error message:
dlopen(MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so, 2): no suitable image found. Did find:
MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so: code signing blocked mmap() of 'MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so'
Furthermore, at the time it happens I see the following message in system log:
default 09:13:25.897428+0200 kernel MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/A/PlugIns/site-packages/lxml/etree.cpython-39-darwin.so: Possible race detected. Rejecting.
What does this message mean exactly and how can I identify the cause of the issue? The same code runs without problems when I disable system integrity protection. The app is not designed for sandboxing. Hardened runtime is enabled.
Python tries to mmap the object from:
MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so
but this is actually a symlink to:
MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/A/PlugIns/site-packages/lxml/etree.cpython-39-darwin.so
Both the framework and app are codesigned:
% codesign -v -vvv ./MySampleApp.app/
-prepared:/Users/piotr/MySampleApp.app/Contents/MacOS/wl-cli
-validated:/Users/piotr/MySampleApp.app/Contents/MacOS/wl-cli
-prepared:/Users/piotr/MySampleApp.app/Contents/Library/LoginItems/wlclientd.app
-validated:/Users/piotr/MySampleApp.app/Contents/Library/LoginItems/wlclientd.app
-prepared:/Users/piotr/MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/Current/.
-validated:/Users/piotr/MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/Current/.
./MySampleApp.app/: satisfies its Designated Requirement
When Python tries to run its code howerer, it fails with the following error message:
dlopen(MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so, 2): no suitable image found. Did find:
MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so: code signing blocked mmap() of 'MySampleApp.app/Contents/Frameworks/MySample.framework/Resources/python/lib/python3.9/site-packages/lxml/etree.cpython-39-darwin.so'
Furthermore, at the time it happens I see the following message in system log:
default 09:13:25.897428+0200 kernel MySampleApp.app/Contents/Frameworks/MySample.framework/Versions/A/PlugIns/site-packages/lxml/etree.cpython-39-darwin.so: Possible race detected. Rejecting.
What does this message mean exactly and how can I identify the cause of the issue? The same code runs without problems when I disable system integrity protection. The app is not designed for sandboxing. Hardened runtime is enabled.
