Python agent error - failed to install assess patches: Failed to unprotect memory

Issue

The Contrast Python agent fails, crashing the app with the following error:

RuntimeError: failed to install assess patches: Failed to unprotect memory 0x101b78000 (size=4096, prot=read,write,exec) <- 0x101b78a20 (size=5, error=Permission denied)

The contrast-agent.log may also list the following messages:

[Contrast Agent] (patch_controller.py:enable_assess_patches:37) - ERROR - failed to install assess patches: Failed to unprotect memory 0x10d319000 (size=4096, prot=read,write,exec) <- 0x10d319390 (size=5, error=Permission denied)
[Contrast Agent] (patch_controller.py:enable_assess_patches:40) - ERROR - Local python builds on OSX may lead to 'Failed to unprotect memory'
[Contrast Agent] (patch_controller.py:enable_assess_patches:43) - ERROR - If this is applies to you, try running `contrast-fix-interpreter-permissions`

Cause

Locally built versions of Python on macOS Catalina (or newer), such as those installed by pyenv, do not allow Contrast to modify memory in order to install instrumentation necessary to discover vulnerabilities.
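On macOS, every Mach-O segment records a maximum protection (maxprot) that a later mprotect() request cannot exceed. The following added example (not Contrast's code, and not taken from the fix script) reads maxprot for each segment of a thin 64-bit Mach-O file so you can audit whether an interpreter's __TEXT segment permits the read,write,exec request shown in the error. That maxprot is the limit behind this error is an assumption drawn from the error text; the page does not say which byte the fix script changes, and the sample header is constructed.

```python
import struct
import sys

MH_MAGIC_64 = 0xFEEDFACF   # thin 64-bit Mach-O, little-endian
LC_SEGMENT_64 = 0x19
VM_PROT = {1: "read", 2: "write", 4: "exec"}

def prot_names(bits):
    return ",".join(n for b, n in VM_PROT.items() if bits & b) or "none"

def segment_protections(data):
    """Return {segname: (maxprot, initprot)} for a thin 64-bit Mach-O image."""
    if len(data) < 32:
        raise ValueError("too short for a mach_header_64")
    magic, _, _, _, ncmds = struct.unpack_from("<5I", data, 0)
    if magic != MH_MAGIC_64:
        raise ValueError("not a thin 64-bit Mach-O (fat and 32-bit files are not handled)")
    segments, off = {}, 32
    for _ in range(ncmds):
        if off + 8 > len(data):
            raise ValueError("load commands run past the end of the data")
        cmd, cmdsize = struct.unpack_from("<2I", data, off)
        if cmdsize < 8 or off + cmdsize > len(data):
            raise ValueError("bad load command size")
        if cmd == LC_SEGMENT_64 and cmdsize >= 72:
            name = data[off + 8:off + 24].split(b"\0", 1)[0].decode("ascii", "replace")
            # maxprot and initprot follow segname and four 64-bit address/size fields
            segments[name] = struct.unpack_from("<2i", data, off + 56)
        off += cmdsize
    return segments

def text_allows_rwx(data):
    """True if __TEXT's maxprot includes read, write and exec together."""
    maxprot, _ = segment_protections(data)["__TEXT"]
    return (maxprot & 7) == 7

def build_sample(text_maxprot):
    """Constructed sample header: __PAGEZERO then __TEXT, no sections."""
    def seg(name, maxprot, initprot):
        return struct.pack("<2I16s4Q2i2I", LC_SEGMENT_64, 72, name, 0, 0x1000, 0, 0, maxprot, initprot, 0, 0)
    cmds = seg(b"__PAGEZERO", 0, 0) + seg(b"__TEXT", text_maxprot, 5)
    return struct.pack("<8I", MH_MAGIC_64, 0x01000007, 3, 2, 2, len(cmds), 0, 0) + cmds

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample(5)
    for name, (mx, init) in segment_protections(data).items():
        print(f"{name:<12} maxprot={prot_names(mx)} initprot={prot_names(init)}")
    print("read,write,exec allowed on __TEXT:", text_allows_rwx(data))
```

Pass the real path of an interpreter as the only argument to inspect it; with no argument the script runs on the constructed sample.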

Resolution

Contrast Python agent versions 3.3.3 and newer include a script, contrast-fix-interpreter-permissions, which alters your locally built Python executable so that Contrast instrumentation is supported.

The script should be available on the PATH once version 3.3.3 or newer of the Python agent is installed, and running it will print the following message:

found interpreter: /Users/contrast/.pyenv/versions/3.7.8/bin/python3.7
verifying interpreter filetype - expecting Mach-O
/Users/contrast/.pyenv/versions/3.7.8/bin/python3.7: Mach-O 64-bit executable x86_64


################################### WARNING ###################################

This operation will modify the permissions of your python interpreter to allow
Contrast to apply its instrumentation. This is a workaround for an issue
specific to OSX python builds. `pyenv` is a popular tool that may lead to this
circumstance.

No known prebuilt installations of python have this issue. If you think you've
found one, please contact support@contrastsecurity.com.

This is a permanent in-place modification to your python interpreter. The real
path of your current interpreter is:

/Users/contrast/.pyenv/versions/3.7.8/bin/python3.7

If you wish to continue, please rerun this command with `--modify-interpreter`.
Exiting - no modifications performed.

###############################################################################

In order to apply the changes, re-run the script as instructed with the additional option:

contrast-fix-interpreter-permissions --modify-interpreter

The following message indicates that the change succeeded and that Contrast instrumentation is now allowed in your environment:

found interpreter: /Users/contrast/.pyenv/versions/3.7.8/bin/python3.7
verifying interpreter filetype - expecting Mach-O
/Users/contrast/.pyenv/versions/3.7.8/bin/python3.7: Mach-O 64-bit executable x86_64
found --modify-interpreter command line option
the following interpreter will be modified:
/Users/contrast/.pyenv/versions/3.7.8/bin/python3.7

1+0 records in
1+0 records out
1 bytes transferred in 0.000038 secs (26379 bytes/sec)

Success! Your interpreter is now compatible with Contrast's instrumentation.
