

Posted: Fri Nov 18, 2016 6:09 pm
by b3ntx
Hey J,

I've been checking out your sandbox code/presentations and had some issues using sandbox_inspect_pid(). That method always returns 1 whenever I use it via sbtool.

Code:
    sandbox_inspect_pid failed (RC: 1)

I've tried on ElCap 10.11.6 (SIP disabled) and Sierra 10.12 (SIP disabled) with the same results. Tried with 'sudo' and 'sudo bash; sbtool <pid> inspect'.

Any idea what's going on? Did I miss something in your presentation?

Re: sbtool

Posted: Sat Nov 19, 2016 1:08 am
by morpheus
Minor but important issue you've overlooked - sbtool inspect only works if the kext cooperates - and it does so only if the kernel is deemed to be debuggable (which, in *OS, is via PE_i_can_haz_debugger). The rest of the sbtool functions do work either way, as they use sandbox_check.

Re: sbtool

Posted: Thu Mar 15, 2018 11:18 am
by 0xdead10cc
Note that at least on 10.12, the kext now requires an Apple internal build.

Because I already had a working Kernel build environment, it was easiest to patch the csr_check function in bsd/kern/kern_csr.c to return 0 when called with CSR_ALLOW_APPLE_INTERNAL. Setting a boot arg should also work, but I did not investigate this further.

After this patch, the inspect functionality should work on 10.12 (and possibly also 10.13).
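To make the two gates discussed in this thread (a debuggable kernel, and the csr_check(CSR_ALLOW_APPLE_INTERNAL) test that the 10.12 kext adds) concrete, here is an added userland model, not code from sbtool or from either poster: it re-implements csr_check() semantics over a csr-active-config value, decodes which CSR bits are set, and reports which gate is unmet. The CSR bit values are assumed to match XNU's bsd/sys/csr.h; the sample config value and the BLOCK_* names are constructed for the example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
/* Bit values as in XNU's bsd/sys/csr.h (assumed to match the kernels discussed). */
typedef uint32_t csr_config_t;
#define CSR_ALLOW_UNTRUSTED_KEXTS       (1u << 0)
#define CSR_ALLOW_UNRESTRICTED_FS       (1u << 1)
#define CSR_ALLOW_TASK_FOR_PID          (1u << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER       (1u << 3)
#define CSR_ALLOW_APPLE_INTERNAL        (1u << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE   (1u << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM    (1u << 6)
static const struct { csr_config_t bit; const char *name; } csr_flag_table[] = {
    { CSR_ALLOW_UNTRUSTED_KEXTS, "CSR_ALLOW_UNTRUSTED_KEXTS" },
    { CSR_ALLOW_UNRESTRICTED_FS, "CSR_ALLOW_UNRESTRICTED_FS" },
    { CSR_ALLOW_TASK_FOR_PID, "CSR_ALLOW_TASK_FOR_PID" },
    { CSR_ALLOW_KERNEL_DEBUGGER, "CSR_ALLOW_KERNEL_DEBUGGER" },
    { CSR_ALLOW_APPLE_INTERNAL, "CSR_ALLOW_APPLE_INTERNAL" },
    { CSR_ALLOW_UNRESTRICTED_DTRACE, "CSR_ALLOW_UNRESTRICTED_DTRACE" },
    { CSR_ALLOW_UNRESTRICTED_NVRAM, "CSR_ALLOW_UNRESTRICTED_NVRAM" },
};
/* Userland model of the kernel's csr_check(): 0 when every bit of mask is in the
 * active config, EPERM otherwise (a stock kernel answers EPERM for APPLE_INTERNAL). */
int csr_check_emulated(csr_config_t active, csr_config_t mask) {
    return ((active & mask) == mask) ? 0 : EPERM;
}
/* Fill names[] with the flags set in active; returns how many were set. */
int csr_flags_set(csr_config_t active, const char **names, int max) {
    int n = 0;
    for (size_t i = 0; i < sizeof csr_flag_table / sizeof csr_flag_table[0]; i++)
        if ((active & csr_flag_table[i].bit) && n < max) names[n++] = csr_flag_table[i].name;
    return n;
}
/* The two gates named in the thread: a debuggable kernel (PE_i_can_haz_debugger)
 * and, on 10.12+, the Apple-internal CSR bit. Returns a mask of unmet gates. */
enum { BLOCK_NOT_DEBUGGABLE = 1, BLOCK_NOT_APPLE_INTERNAL = 2 };
int inspect_blockers(int kernel_debuggable, csr_config_t active) {
    int b = kernel_debuggable ? 0 : BLOCK_NOT_DEBUGGABLE;
    if (csr_check_emulated(active, CSR_ALLOW_APPLE_INTERNAL) != 0) b |= BLOCK_NOT_APPLE_INTERNAL;
    return b;
}

int main(void) {
    const char *names[7];
    csr_config_t cfg = 0x67; /* constructed sample: bits 0,1,2,5,6 set, bit 4 clear */
    int n = csr_flags_set(cfg, names, 7);
    for (int i = 0; i < n; i++) printf("%s\n", names[i]);
    printf("blockers: 0x%x\n", inspect_blockers(1, cfg));
    return 0;
}
```

On a real box the value to feed in is whatever csr_get_active_config() (or the csr-active-config NVRAM variable) reports; if BLOCK_NOT_APPLE_INTERNAL comes back, that is the csr_check call the post above patched around.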