task_for_pid-allow on OS X


Postby LIJI » Sat Sep 12, 2015 6:00 pm


I'm trying to make my task_for_pid executable run without root. However, taskgated keeps killing me for various reasons, related to the lack of a provisioning profile (Running on 10.10).

What do I have to do to allow task_for_pid on a non-root process? LLDB does that and I can't figure out how (For some reason, codesign -d shows it doesn't even have any entitlements, which doesn't make any sense).

I'm fine with self-signed code or "signing" with ldid.


Re: task_for_pid-allow on OS X

Postby morpheus » Sat Sep 12, 2015 10:00 pm

lldb doesn't need any entitlements - the task_for_pid is actually done by debugserver. taskgated is then run (taskgated -s) and you get the familiar prompt that's displayed. If the user approves, you can then run the attachment. debugserver is validly code signed by AAPL.

To get code signatures and ldid-like code, you'd need (as of 10.10) to get past amfi. Self signing when you're asking for entitlements will actually get you killed:

Code:
bash-3.2# cc a.c -o a
bash-3.2# cat a.c
#include <stdio.h>
int main ()
{
   return (0);
}
bash-3.2# ./a
bash-3.2# ldid -S a
## Note running self signed is fine (vm.cs_enforcement is 0)
bash-3.2# ./a
bash-3.2# ldid -Sent.xml ./a
## But running with entitlements kills you
bash-3.2# ./a
Killed: 9

Some options:

A) Change taskgated's plist to be with "-p", and then get yourself in procmod/procview, as per legacy operation
B) Circumvent amfi by passing the amfi_get_out_of_my_way (there's also unrestrict_task_for_pid but apparently it got compiled out of OS X)
C) Validly sign your code with a root cert that you import into the system keychain yourself. Then entitle yourself to whatever
D) Do the whole thing as root.
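A defensive check for options A and B in the reply above, as an added example that is not part of the original post: it flags a taskgated launchd job started with -p and an amfi_get_out_of_my_way boot argument. The plist contents, the boot-args string and the function names are constructed for illustration.

```python
import plistlib

# Constructed sample: a launchd job definition for taskgated whose arguments
# were changed to the legacy "-p" mode (option A in the reply above).
SAMPLE_TASKGATED_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.apple.taskgated</string>
    <key>ProgramArguments</key>
    <array>
        <string>/usr/libexec/taskgated</string>
        <string>-p</string>
    </array>
</dict>
</plist>
"""

# Constructed sample of an `nvram boot-args` value (option B in the reply above).
SAMPLE_BOOT_ARGS = "debug=0x144 amfi_get_out_of_my_way=1"


def taskgated_flags(plist_bytes):
    """Return the option letters passed to taskgated, e.g. {'p', 's'}."""
    job = plistlib.loads(plist_bytes)
    letters = set()
    for arg in job.get("ProgramArguments", [])[1:]:
        if arg.startswith("-") and not arg.startswith("--"):
            letters.update(arg[1:])  # handles combined forms such as "-sp"
    return letters


def audit(plist_bytes, boot_args):
    """List findings that relax the task_for_pid / AMFI checks."""
    findings = []
    if "p" in taskgated_flags(plist_bytes):
        findings.append("taskgated runs with -p (procmod/procview group mode)")
    for token in boot_args.split():
        name, _, value = token.partition("=")
        if name == "amfi_get_out_of_my_way":
            findings.append(f"boot-args contains {name} (value {value or 'none'})")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_TASKGATED_PLIST, SAMPLE_BOOT_ARGS):
        print("FINDING:", line)
```

On a real host the two inputs would be the bytes of taskgated's launchd plist and the current boot-args string; `plistlib.loads` accepts both XML and binary plists.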

Re: task_for_pid-allow on OS X

Postby LIJI » Sun Sep 13, 2015 9:58 pm

C is what I meant by self-signing. However, when I attempt to do it, taskgated still kills me because I don't have a provisioning profile. Why is it even required? I can't get a provisioning profile without a Developer Account, right?