Cannot run execve on files that are blocked to amfid

Posted: Wed Oct 18, 2017 7:41 am
by adam81
I wanted to use Kauth in order to block some files from being accessed by any process except mine.

However, it seems like there's an unwanted side effect to this request, since I also block the file from `/usr/libexec/amfid` (the mobile file integrity daemon; funny that it also exists in macOS).

Is my assumption right? Does any Mach-O file need to be accessed by amfid for inspection prior to execution?

Re: Cannot run execve on files that are blocked to amfid

Posted: Wed Oct 18, 2017 9:58 am
by morpheus
Third-party signed binaries (i.e. not ad-hoc) MUST go through AMFId because AMFI.kext detects a signature and realizes there's no ad-hoc flag. For lack of PKI verification in kernel (and other requirements such as expiration, revocation, etc.), it calls up to amfid.