
how to enforce the entitlement to process via IPC

Posted: Tue Sep 12, 2017 11:29 am
by coreAV
On page 76 of *OS Internals, it says a high privileged process can enforce entitlement to a low privileged process.
I have no idea about this. Maybe by IPC, pass some token, like extension?
Thx for your answers

Re: how to enforce the entitlement to process via IPC

Posted: Wed Sep 13, 2017 4:09 am
by backendbilly
Which version of the book are you referring to? I checked v1.3.1 (latest as far as I know) and can't find what you're referring to. If I understand it correctly and someone else can correct if necessary, it means that a process with higher privileges (such as securityd for example) checks for entitlements of the calling process that requires a service. For example securityd checks for the necessary entitlements to access the keychain for example.

Re: how to enforce the entitlement to process via IPC

Posted: Wed Sep 13, 2017 5:55 am
by coreAV
Thanks for your answer!
Maybe it's my bad to describe my question.
For example, we can find some entitlement restriction in sandbox profiles, such as:
(entitlement-load "com.apple.xxx")
The weird thing is the binary associated with the profile doesn't hold this entitlement, so I guess maybe enforce this entitlement at runtime.
But I don't know the detail of this.

Re: how to enforce the entitlement to process via IPC

Posted: Wed Sep 13, 2017 2:04 pm
by morpheus
The entitlement enforcement is up to the provider of the service to do. You can do so in one of several ways:


- If you're an XPC server, xpc_copy_entitlement_for_[token/pid] will get you the entitlement dictionary. You then load it into a dictionary type and check if the entitlement is included.
- Lower level, csops(CS_OPS_ENTITLEMENTS_BLOB = 7) gets you the entitlements dictionary as well.

There are numerous other wrappers, but either of these works well.

The PROBLEM, however, is that AAPL won't allow arbitrary entitlements when they apply the App Store code signature or when you use a provisioning profile. So usage of this might be limited. But you can use this to verify Apple entitled processes.
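
Added example, not part of the thread or any poster's code: a service-side check over the bytes that the csops(CS_OPS_ENTITLEMENTS_BLOB) call mentioned above would return for the client. It assumes the XNU embedded-entitlements framing (magic 0xfade7171, big-endian total length, then an XML plist), uses a simplified boolean-key matcher in place of a real plist parser, and the function names and the `com.example.demo` key are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CSMAGIC_EMBEDDED_ENTITLEMENTS 0xfade7171u /* blob magic, XNU codesign headers */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* 1: key present with <true/>; 0: absent or not true; -1: malformed blob or
 * oversized key. A service should grant access only on 1 (fail closed). */
int blob_entitlement_is_true(const uint8_t *blob, size_t len, const char *key) {
    if (len < 8 || be32(blob) != CSMAGIC_EMBEDDED_ENTITLEMENTS) return -1;
    uint32_t blen = be32(blob + 4);          /* length includes the 8-byte header */
    if (blen < 8 || blen > len) return -1;   /* never read past what we were given */
    const char *xml = (const char *)blob + 8;
    size_t xlen = blen - 8;
    char needle[256];
    int n = snprintf(needle, sizeof needle, "<key>%s</key>", key);
    if (n < 0 || (size_t)n >= sizeof needle) return -1;
    size_t nl = (size_t)n;
    for (size_t i = 0; i + nl <= xlen; i++) {
        if (memcmp(xml + i, needle, nl) != 0) continue;
        size_t j = i + nl;                   /* skip whitespace between key and value */
        while (j < xlen && (xml[j] == ' ' || xml[j] == '\t' || xml[j] == '\r' || xml[j] == '\n')) j++;
        return xlen - j >= 7 && memcmp(xml + j, "<true/>", 7) == 0;
    }
    return 0;
}

/* Constructed sample input: wrap an XML plist in the 8-byte blob header. */
size_t make_blob(uint8_t *out, size_t cap, const char *xml) {
    size_t total = strlen(xml) + 8;
    if (total > cap) return 0;
    for (int i = 0; i < 4; i++) {
        out[i] = (uint8_t)(CSMAGIC_EMBEDDED_ENTITLEMENTS >> (24 - 8 * i));
        out[4 + i] = (uint8_t)(total >> (24 - 8 * i));
    }
    memcpy(out + 8, xml, total - 8);
    return total;
}

int main(void) {
    uint8_t b[256];
    size_t n = make_blob(b, sizeof b, "<plist><dict><key>com.example.demo</key><true/></dict></plist>");
    printf("%d\n", blob_entitlement_is_true(b, n, "com.example.demo"));
    return 0;
}
```
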