Diffstat (limited to 'darwin-bootstrap/posixspawn-hook.c')
-rw-r--r--darwin-bootstrap/posixspawn-hook.c40
1 files changed, 23 insertions, 17 deletions
diff --git a/darwin-bootstrap/posixspawn-hook.c b/darwin-bootstrap/posixspawn-hook.c
index 4254cc8..03d063c 100644
--- a/darwin-bootstrap/posixspawn-hook.c
+++ b/darwin-bootstrap/posixspawn-hook.c
@@ -192,26 +192,32 @@ static int hook_posix_spawn_generic(__typeof__(posix_spawn) *old,
else
goto skip;
} else {
- /* substituted obviously doesn't want to have bundle_loader run in it
- * and try to contact substituted. I have _MSSafeMode=1 in the plist
- * so that Substrate also leaves it alone, and that's also checked in
- * this routine, so the strcmp is just a backup.
- * sshd is here because one of its routines tries to close all file
- * descriptors after a certain number - fine in a sane system, but
- * here, if a file descriptor opened with guarded_open_np is closed
- * with close, it crashes the process (and I don't see any way to cheat
- * and disable the guard without actually knowing it). bundle-loader
- * uses xpc, which uses dispatch, which uses guarded_open_np for its
- * descriptors. I could try to hook guarded_open_np for dispatch
- * instead, but that doesn't help if an actual loaded bundle uses it
- * from some other library, and I don't want to completely disable this
- * bug detection measure for all processes. Just excluding it from
- * hooking is easier, and doing so provides a tiny bit of extra safety
- * anyway, because ssh can sometimes be used as a last resort if
- * hooking is screwing something up.
+ /* - substituted obviously doesn't want to have bundle_loader run in it
+ * and try to contact substituted. I have _MSSafeMode=1 in the plist
+ * so that Substrate also leaves it alone, and that's also checked in
+ * this routine, so the strcmp is just a backup.
+ * - I am not sure why notifyd is an issue. Some libc functions
+ * (localtime) synchronously contact it, which launchd could be
+ * calling, but I haven't caught it in the act. XXX I'd like to be
+ * completely sure that notifyd and nothing else is a problem.
+ * - sshd is here because one of its routines tries to close all file
+ * descriptors after a certain number - fine in a sane system, but
+ * here, if a file descriptor opened with guarded_open_np is closed
+ * with close, it crashes the process (and I don't see any way to
+ * cheat and disable the guard without actually knowing it).
+ * bundle-loader uses xpc, which uses dispatch, which uses
+ * guarded_open_np for its descriptors. I could try to hook
+ * guarded_open_np for dispatch instead, but that doesn't help if an
+ * actual loaded bundle uses it from some other library, and I don't
+ * want to completely disable this bug detection measure for all
+ * processes. Just excluding it from hooking is easier, and doing so
+ * provides a tiny bit of extra safety anyway, because ssh can
+ * sometimes be used as a last resort if hooking is screwing
+ * something up.
* note: sshd is started with the wrapper, with argv[0] != path
*/
if (!strcmp(path, "/Library/Substitute/Helpers/substituted") ||
+ !strcmp(path, "/usr/sbin/notifyd") ||
!strcmp(xbasename(argv[0] ?: ""), "sshd"))
goto skip;
else
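Review bot: The new `/usr/sbin/notifyd` exclusion in the `strcmp` chain rests only on the unconfirmed guess in the comment, which never says what went wrong when notifyd was hooked. Record the observed symptom next to the XXX, e.g. `* Observed: <symptom seen with notifyd hooked>`, so the entry can be re-tested and dropped later. The match is on the exact `path` string, so it applies only when the caller passes that literal path. The sshd test on the following line instead keys on the basename of `argv[0]`, which the spawning process chooses, so the comment should say that each entry leaves that process outside the hook and why the looser match is acceptable for sshd. The enclosing function starts and ends outside this hunk.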