
Are MacOS Virtual Webcams inherently incompatible with 10.14's Hardened Runtime Library Validation?

Initial Observation

Zoom for Mac 4.6.9, which addresses scary security flaws, removes the disable-library-validation entitlement.

With the same release, Snap Camera, a virtual webcam app, stopped working.

Research

I'm not familiar with the particular APIs you use to build a virtual webcam, but it looks like it involves CoreMediaIO plugins:

Creating a Virtual Webcam Device for OS X

> otool -L /Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera
/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera:
    libSnapCamera.dylib (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1452.23.0)
    /System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/CoreMediaIO (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1452.23.0)
    /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
    /System/Library/Frameworks/IOSurface.framework/Versions/A/IOSurface (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)

Out of curiosity, I tried a couple other virtual webcams -- Iriun Webcam and EpocCam -- and they behave similarly. Both have CoreMediaIO plugins, and neither works with recent Zoom.

All three virtual cameras work in Microsoft Teams, which has the entitlement:

> codesign -d --entitlements :- /Applications/Microsoft\ Teams.app/ |grep valid
Executable=/Applications/Microsoft Teams.app/Contents/MacOS/Teams
    <key>com.apple.security.cs.disable-library-validation</key>

They also work in Google Chrome (on this test page). It looks like at least one of Chrome's helpers has the entitlement:

codesign -d --entitlements :- /Applications/Google\ Chrome.app/Contents/Frameworks/Google\ Chrome\ Framework.framework/Versions/81.0.4044.92/Helpers/Google\ Chrome\ Helper\ \(Plugin\).app
Executable=/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/81.0.4044.92/Helpers/Google Chrome Helper (Plugin).app/Contents/MacOS/Google Chrome Helper (Plugin)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>

I've also noticed that the plugin appears in Activity Monitor's Open Files and Ports for a couple processes belonging to Teams and Chrome. (/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera)

Question

How do CoreMedia Virtual Webcam plugins work, and do they inherently conflict with Library Validation? (e.g., loading a library into the camera-using process in a way that's no longer permitted)

Is it no longer possible to create Virtual Webcams on MacOS without running afoul of Hardened Runtime?


Update 4/19: Zoom's changelog for 4.6.10 now says "Zoom has temporarily removed virtual camera support.". It'll be interesting to see if/how they reenable it. (perhaps limiting the entitlement to a helper process that's only used when needed?)

jrr asked Apr 09 '20 05:04
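The entitlement check from the question, as an added example that is not part of the original post: it parses the `codesign -d --entitlements :-` output rather than grepping for the key name, so a key that is present but set to false, or a binary with no entitlements, is not reported as having library validation disabled. The sample outputs and the `Example.app` path are constructed, and the function names are hypothetical.

```python
import plistlib
import subprocess

LIB_VALIDATION_KEY = "com.apple.security.cs.disable-library-validation"

def parse_entitlements(codesign_output: bytes) -> dict:
    """Parse what `codesign -d --entitlements :- <path>` prints.

    An `Executable=...` line can precede the XML, so everything before the
    plist is skipped. No plist at all (unsigned, or no entitlements) -> {}.
    """
    start = codesign_output.find(b"<?xml")
    if start == -1:
        start = codesign_output.find(b"<plist")
    end = codesign_output.find(b"</plist>", max(start, 0))
    if start == -1 or end == -1:
        return {}
    return plistlib.loads(codesign_output[start:end + len(b"</plist>")])

def library_validation_disabled(codesign_output: bytes) -> bool:
    # The key must be present AND true; matching on the key name alone
    # would also flag a binary that carries the key with <false/>.
    return parse_entitlements(codesign_output).get(LIB_VALIDATION_KEY) is True

def read_entitlements(path: str) -> bytes:
    """macOS only: same codesign invocation as in the question."""
    proc = subprocess.run(["codesign", "-d", "--entitlements", ":-", path],
                          capture_output=True)
    return proc.stdout

def audit(outputs: dict) -> dict:
    """Map each label to True if that binary opts out of library validation."""
    return {name: library_validation_disabled(o) for name, o in outputs.items()}

def sample_output(value: bytes) -> bytes:
    # Constructed sample shaped like the Chrome helper output in the question.
    return (b"Executable=/Applications/Example.app/Contents/MacOS/Example\n"
            b'<?xml version="1.0" encoding="UTF-8"?>\n'
            b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
            b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
            b'<plist version="1.0"><dict>\n'
            b"<key>" + LIB_VALIDATION_KEY.encode() + b"</key>" + value +
            b"\n</dict></plist>\n")

SAMPLES = {
    "exception-enabled": sample_output(b"<true/>"),
    "key-present-but-false": sample_output(b"<false/>"),
    "no-entitlements": b"Executable=/Applications/Example.app/Contents/MacOS/Example\n",
}

if __name__ == "__main__":
    for name, disabled in audit(SAMPLES).items():
        print(f"{name}: library validation disabled = {disabled}")
```

On a Mac, `library_validation_disabled(read_entitlements(path))` applies the same check to a real app bundle or helper.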


People also ask

How to disable library validation macos?

Use the Disable Library Validation Entitlement if your program loads plug-ins that are signed by other third-party developers. To add this entitlement to your app, first enable the Hardened Runtime capability in Xcode, and then under Runtime Exceptions, select Disable Library Validation.

How do I enable hardened runtime?

To enable the Hardened Runtime for your app, navigate in Xcode to your target's Signing & Capabilities information and click the + button. In the window that appears, choose Hardened Runtime.


1 Answer

I had the same problem with Microsoft Skype for MacOS (8.61.0.95) on Catalina 10.15.5.

I was able to fix this by going to

cd /Applications/Skype.app/Contents/Frameworks

and then removing the signatures for all the .app parts of Skype, i.e.

codesign --remove-signature Skype\ Helper.app

codesign --remove-signature Skype\ Helper\ \(GPU\).app

codesign --remove-signature Skype\ Helper\ \(Plugin\).app

codesign --remove-signature Skype\ Helper\ \(Renderer\).app

Afterwards, restart Skype.

Now in the Settings, when you select the Camera, you should see CamTwist and CamTwist (2VUY) appear.

A similar fix works with Zoom:

codesign --remove-signature /Applications/zoom.us.app

Siegfried Loeffler answered Sep 27 '22 18:09