Apple recently changed the definition of `com.apple.security.cs.disable-library-validation` so that it matches the behavior we observed on Mojave. And I believe the more strict behavior of Catalina Beta was changed to match the new less strict definition in Beta 4. See bug 1570840 for more information. Once bug 1570840 lands, it should not be possible to use DYLD_INSERT_LIBRARIES to inject an __unsigned__ library. We should still work to prevent using DYLD_INSERT_LIBRARIES to inject __signed__ libraries. We need to make the necessary Firefox changes so that we can set the `com.apple.security.cs.allow-dyld-environment-variables` entitlement to false (at least on production builds).
Bug 1562756 Comment 12 Edit History
Apple recently changed the definition of `com.apple.security.cs.disable-library-validation` so that it matches the behavior we observed on Mojave. And I believe the more strict behavior of Catalina Beta was changed to match the new less strict definition in Beta 4. See bug 1570840 for more information. ~~Once bug 1570840 lands, it should not be possible to use DYLD_INSERT_LIBRARIES to inject an __unsigned__ library.~~ Update: We can't set `com.apple.security.cs.disable-library-validation=false` because we still need to load libraries signed by different Apple developer team IDs. More details on the bug. We should still work to prevent using DYLD_INSERT_LIBRARIES to inject __signed__ libraries. We need to make the necessary Firefox changes so that we can set the `com.apple.security.cs.allow-dyld-environment-variables` entitlement to false (at least on production builds).