MacOS虚拟网络摄像头本质上与10.14的强化运行时库验证不兼容吗? [英] Are MacOS Virtual Webcams inherently incompatible with 10.14's Hardened Runtime Library Validation?

问题描述

Zoom for Mac 4.6.9 严重的安全漏洞的a>删除了

Zoom for Mac 4.6.9, which addresses scary security flaws, removes the disable-library-validation entitlement.

使用同一版本的虚拟网络摄像头应用程序Snap Camera，

With the same release, Snap Camera, a virtual webcam app, stopped working.

我不熟悉用于构建虚拟网络摄像头的特定API，但看起来它涉及到CoreMediaIO插件:

I'm not familiar with the particular APIs you use to build a virtual webcam, but it looks like it involves CoreMediaIO plugins:

为OS X创建虚拟网络摄像头设备

> otool -L /Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera
/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera:
    libSnapCamera.dylib (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation (compatibility version 150.0.0, current version 1452.23.0)
    /System/Library/Frameworks/CoreMedia.framework/Versions/A/CoreMedia (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreMediaIO.framework/Versions/A/CoreMediaIO (compatibility version 1.0.0, current version 1.0.0)
    /System/Library/Frameworks/CoreVideo.framework/Versions/A/CoreVideo (compatibility version 1.2.0, current version 1.5.0)
    /System/Library/Frameworks/Foundation.framework/Versions/C/Foundation (compatibility version 300.0.0, current version 1452.23.0)
    /System/Library/Frameworks/IOKit.framework/Versions/A/IOKit (compatibility version 1.0.0, current version 275.0.0)
    /System/Library/Frameworks/IOSurface.framework/Versions/A/IOSurface (compatibility version 1.0.0, current version 1.0.0)
    /usr/lib/libc++.1.dylib (compatibility version 1.0.0, current version 400.9.0)
    /usr/lib/libSystem.B.dylib (compatibility version 1.0.0, current version 1252.50.4)

出于好奇，我尝试了一些其他的虚拟网络摄像头- Iriun网络摄像头和

Out of curiosity, I tried a couple other virtual webcams -- Iriun Webcam and EpocCam –- and they behave similarly. Both have CoreMediaIO plugins, and neither works with recent Zoom.

所有三个虚拟摄像机都可以在Microsoft Teams中使用，并具有以下权利:

All three virtual cameras work in Microsoft Teams, which has the entitlement:

> codesign -d --entitlements :- /Applications/Microsoft\ Teams.app/ |grep valid
Executable=/Applications/Microsoft Teams.app/Contents/MacOS/Teams
    <key>com.apple.security.cs.disable-library-validation</key>

它们还可以在Google Chrome中使用(在此测试页).看来，Chrome的助手中至少有一位具有以下权利:

They also work in Google Chrome (on this test page). It looks like at least one of Chrome's helpers has the entitlement:

codesign -d --entitlements :- /Applications/Google\ Chrome.app/Contents/Frameworks/Google\ Chrome\ Framework.framework/Versions/81.0.4044.92/Helpers/Google\ Chrome\ Helper\ \(Plugin\).app
Executable=/Applications/Google Chrome.app/Contents/Frameworks/Google Chrome Framework.framework/Versions/81.0.4044.92/Helpers/Google Chrome Helper (Plugin).app/Contents/MacOS/Google Chrome Helper (Plugin)
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>

我还注意到该插件出现在Activity Monitor的打开文件和端口中，属于Teams和Chrome的几个进程. (/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera)

I've also noticed that the plugin appears in Activity Monitor's Open Files and Ports for a couple processes belonging to Teams and Chrome. (/Library/CoreMediaIO/Plug-Ins/DAL/SnapCamera.plugin/Contents/MacOS/SnapCamera)

CoreMedia虚拟网络摄像头插件如何工作，它们与库验证存在内在冲突吗? (例如，以不再允许的方式将库加载到相机使用过程中)

How do CoreMedia Virtual Webcam plugins work, and do they inherently conflict with Library Validation? (e.g., loading a library into the camera-using process in a way that's no longer permitted)

在不运行Hardened Runtime的情况下，是否不再可以在MacOS上创建虚拟网络摄像头?

Is it no longer possible to create Virtual Webcams on MacOS without running afoul of Hardened Runtime?

更新4/19:Zoom的更改日志对于4.6.10现在说"Zoom暂时删除了对虚拟摄像机的支持." .看看他们是否/如何重新启用它会很有趣. (也许将权利限制为仅在需要时使用的帮助程序?)

Update 4/19: Zoom's changelog for 4.6.10 now says "Zoom has temporarily removed virtual camera support.". It'll be interesting see see if/how they reenable it. (perhaps limiting the entitlement to a helper process that's only used when needed?)

推荐答案

我在Catalina 10.15.5上的Microsoft Skype for MacOS(8.61.0.95)遇到了相同的问题

I had the same problem with Microsoft Skype for MacOS (8.61.0.95) on Catalina 10.15.5

我能够通过

cd /Applications/Skype.app/Contents/Frameworks

，然后删除 全部 Skype的.app部分的签名，即

and then removing the signatures for all the .app parts of Skype, i.e.

codesign --remove-signature Skype\ Helper.app

codesign --remove-signature Skype\ Helper\ \(GPU\).app

codesign --remove-signature Skype\ Helper\ \(Plugin\).app

codesign --remove-signature Skype\ Helper\ \(Renderer\).app

然后，重新启动Skype.

Afterwards, restart Skype.

现在在设置"中，当您选择摄像机"时，应该看到出现了CamTwist和CamTwist(2VUY).

Now in the Settings, when you select the Camera, you should see CamTwist and CamTwist (2VUY) appear.

类似的修复与缩放配合使用:

Similar fix works with zoom:

codesign --remove-signature /Applications/zoom.us.app\

这篇关于MacOS虚拟网络摄像头本质上与10.14的强化运行时库验证不兼容吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！