macOS VM doesn't reliably disable System Integrity Protection (SIP)

#1

Issue Description

For a few days, our macOS VMs spontaneously switch between having an enabled or disabled System Integrity Protection (SIP). Our build process relies on having SIP turned off so the build often fails. We can’t identify a pattern here but it’s failing more than it succeeds and rebuilding a couple of times solves the issue most of the time.

Environment:

Where did the issue happen?

We’re using a macOS VM with an Xcode 11.3.x on macOS 10.14.6 (Mojave) Stack triggered by Bitbucket via a pull request.

Which build Step causes the issue and which version of the step?

The issue happens in a bash Script step (v1.1.5) when we attempt to write into an SIP protected directory (~/Library/Containers/com.apple.mail/…).

Reproducibility

Most of the time when we trigger Bitrise using a pull request, the build fails. Manually rebuilding a couple times finally makes the build succeed. The issue seems to have started a few days ago.

We can verify that the unintentionally enabled Security Integrity Protection is the cause of this error because we’re echoing csrutil status in the script step before we make the failing call and the result is often: System Integrity Protection status: enabled.

Affected Build URL

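A guard for the Script step described above, added here as an example (it is not code from the thread or from Bitrise): it parses the output of csrutil status, as the reporter is already echoing it, and aborts the step with a clear message before the write into the protected directory is attempted, so a failing build shows the SIP state as the cause rather than a permission error. The function names and the sample status strings are constructed for the example.

```bash
#!/usr/bin/env bash
# Added example: check SIP state before touching SIP-protected paths.

# Map one csrutil status line to: disabled | enabled | unknown.
# Anything not recognised (including custom/partial configurations)
# is reported as unknown so the caller fails closed.
sip_state_from_output() {
  local out="$1"
  case "$out" in
    *"System Integrity Protection status: disabled"*) echo disabled ;;
    *"System Integrity Protection status: enabled"*)  echo enabled ;;
    *) echo unknown ;;
  esac
}

# Query this machine. csrutil only exists on macOS; elsewhere -> unknown.
current_sip_state() {
  if ! command -v csrutil >/dev/null 2>&1; then
    echo unknown
    return
  fi
  sip_state_from_output "$(csrutil status 2>&1)"
}

# Return 0 only when SIP is disabled; otherwise explain and return 1.
# Call this before writing under ~/Library/Containers/... in the step.
require_sip_disabled() {
  local state
  state="$(current_sip_state)"
  if [ "$state" != "disabled" ]; then
    echo "SIP check failed: state is '$state'; aborting before the protected write" >&2
    return 1
  fi
  echo "SIP is disabled; continuing"
}

# Constructed sample outputs (same wording the thread quotes from csrutil).
SAMPLE_DISABLED="System Integrity Protection status: disabled."
SAMPLE_ENABLED="System Integrity Protection status: enabled."

# Run the live check only when invoked as: ./sip_guard.sh --check
if [ "${1:-}" = "--check" ]; then
  require_sip_disabled || exit 1
fi
```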

#2

Hi @tobi!

Sorry to hear about the issue, sorry for the delay. We are taking a look and getting back to you ASAP.


#3

Hi @tobi ,

Thank you for your patience.

I have great news! This is being worked on and should be rolled out over the weekend.

I will update you on Monday to confirm this has happened.

Kind regards,
Luna


#4

Thank you very much for the updates, @non-binary and @bitce. I appreciate it!


#5

Unfortunately, as of today, we’re still experiencing that same issue. We haven’t changed the stack.


#6

Are there any updates regarding this issue? Thank you very much!

Best regards,
Tobias


#7

Apple introduced a new security feature in January 2020 called System Integrity Protection (https://support.apple.com/en-us/HT204899). If enabled, it protects certain OS folders, and they cannot be accessed.

At the moment, this feature is turned off in one of our data centers, and we are working on turning it off in the other one too. What this means to you is that some of the Steps (Soundflower is a known suspect) might break due to this setting in the next 2-3 weeks, even if we’ve implemented a temporary fix and are working on a solution.

If you encounter problems, please let us know. (https://www.bitrise.io/contact)

