Bug 103490 - macOS: xquartz relies on SIP whitelist to install
Summary: macOS: xquartz relies on SIP whitelist to install
Alias: None
Product: XQuartz
Classification: Unclassified
Component: New Bugs (show other bugs)
Version: 2.7.11 (xserver-1.18.4)
Hardware: Other Mac OS X (All)
: medium major
Assignee: Jeremy Huddleston Sequoia
QA Contact: Jeremy Huddleston Sequoia
Depends on:
Reported: 2017-10-27 17:48 UTC by testy
Modified: 2017-10-28 15:58 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Description testy 2017-10-27 17:48:53 UTC
System Integrity Protection in macOS prevents processes writing to system locations.
There is currently a "compatibility bundle" at this location:


These appear to be system locations that processes can write to even with SIP enabled.

When I install Xquartz I see that in the post install script its builds a font cache and puts data in these locations (that part of that compatibility list):


If Apple were to remove these entries from the list in the future I think that would cause the post install script to fail, which would fail the entire install. This seems likely to happen.

Could this data be relocated elsewhere?
Comment 1 Jeremy Huddleston Sequoia 2017-10-28 15:58:43 UTC
Not without breaking binary compatibility with shipping 3rd party apps, which is why we have them listed there.

If we ever remove the compatibility exceptions for some reason, X11 will stop finding fonts in those paths when using the older font system.  The newer font system will continue to find them because fontconfig stores that data in an external cache.

Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.