how to enforce the entitlement to process via IPC

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

how to enforce the entitlement to process via IPC

Postby coreAV » Tue Sep 12, 2017 11:29 am

On page 76 of *OS Internals, it says a high-privileged process can enforce entitlements on a low-privileged process.
I have no idea about this. Maybe by IPC, passing some token, like an extension?
Thx for your answers
coreAV
 
Posts: 6
Joined: Thu May 05, 2016 10:22 am

Re: how to enforce the entitlement to process via IPC

Postby backendbilly » Wed Sep 13, 2017 4:09 am

Which version of the book are you referring to? I checked v1.3.1 (the latest as far as I know) and can't find what you're referring to. If I understand it correctly, and someone else can correct me if necessary, it means that a process with higher privileges (such as securityd, for example) checks the entitlements of the calling process that requires a service. For example, securityd checks for the necessary entitlements to access the keychain.
backendbilly
Site Admin
 
Posts: 132
Joined: Fri May 29, 2015 5:58 pm

Re: how to enforce the entitlement to process via IPC

Postby coreAV » Wed Sep 13, 2017 5:55 am

Thanks for your answer!
Maybe I described my question badly.
For example, we can find some entitlement restrictions in sandbox profiles, such as:
(entitlement-load "com.apple.xxx")
The weird thing is the binary associated with the profile doesn't hold this entitlement, so I guess maybe this entitlement is enforced at runtime.
But I don't know the details of this.
coreAV
 
Posts: 6
Joined: Thu May 05, 2016 10:22 am

Re: how to enforce the entitlement to process via IPC

Postby morpheus » Wed Sep 13, 2017 2:04 pm

The entitlement enforcement is up to the provider of the service to do. You can do so in one of several ways:

- If you're an XPC server, xpc_copy_entitlement_for_[token/pid] will get you the entitlement dictionary. You then load it into a dictionary type and check if the entitlement is included.
- Lower level, csops(CS_OPS_ENTITLEMENTS_BLOB = 7) gets you the entitlements dictionary as well.

There are numerous other wrappers, but either of these works well.

The PROBLEM, however, is that AAPL won't allow arbitrary entitlements when they apply the App Store code signature or when you use a provisioning profile. So usage of this might be limited. But you can use this to verify Apple entitled processes.
morpheus
Site Admin
 
Posts: 532
Joined: Thu Apr 11, 2013 6:24 pm
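Both checks morpheus lists end in the same place: a blob whose payload is the client's entitlements plist, which the service then inspects for the key it cares about. The C program below is an added example, not code from the forum post or from the *OS Internals book. It parses the blob format that csops(CS_OPS_ENTITLEMENTS_BLOB) hands back (an 8-byte big-endian header of magic 0xfade7171 and total length, followed by the XML plist) and reports whether a named entitlement is present and set to true. The blob layout and the csops prototype are stated from knowledge of XNU rather than from the page; the sample plist and the key names in it are constructed test data; and the string-based plist check is a portability shortcut so the example builds and runs on any platform, with the live csops call compiled in only on Apple systems.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* csops(pid, CS_OPS_ENTITLEMENTS_BLOB, ...) returns a generic code-signing blob:
 * 4-byte magic, 4-byte total length (header included), big-endian, then the XML plist. */
#define CSMAGIC_EMBEDDED_ENTITLEMENTS 0xfade7171u
#define CS_OPS_ENTITLEMENTS_BLOB 7
#define CS_BLOB_HEADER_LEN 8

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Validate the header and locate the XML payload. Returns 0 on success. */
int entitlements_blob_payload(const uint8_t *blob, size_t len,
                              const char **plist, size_t *plist_len) {
    if (!blob || len < CS_BLOB_HEADER_LEN) return -1;
    if (be32(blob) != CSMAGIC_EMBEDDED_ENTITLEMENTS) return -1;
    uint32_t total = be32(blob + 4);
    /* Fail closed on a length field that points past the bytes we actually hold. */
    if (total < CS_BLOB_HEADER_LEN || total > len) return -1;
    *plist = (const char *)blob + CS_BLOB_HEADER_LEN;
    *plist_len = total - CS_BLOB_HEADER_LEN;
    return 0;
}

/* 1 if <key>name</key> is present and immediately followed by <true/>, 0 if the key
 * is absent or has any other value, -1 on a malformed blob. The string scan keeps the
 * example portable; on macOS a service would use CFPropertyListCreateWithData instead. */
int entitlement_is_true(const uint8_t *blob, size_t len, const char *name) {
    const char *plist; size_t plen;
    if (entitlements_blob_payload(blob, len, &plist, &plen) != 0) return -1;
    char needle[512];
    int n = snprintf(needle, sizeof needle, "<key>%s</key>", name);
    if (n <= 0 || (size_t)n >= sizeof needle) return -1;
    /* The payload is not NUL-terminated; copy it so strstr() cannot run past it. */
    char *xml = malloc(plen + 1);
    if (!xml) return -1;
    memcpy(xml, plist, plen);
    xml[plen] = '\0';
    int result = 0;
    const char *p = strstr(xml, needle);
    if (p) {
        p += n;
        while (*p == ' ' || *p == '\t' || *p == '\r' || *p == '\n') p++;
        if (strncmp(p, "<true/>", 7) == 0) result = 1;
    }
    free(xml);
    return result;
}

/* Wrap an XML plist in the blob format above (used here to build test data). */
size_t make_entitlements_blob(const char *xml, uint8_t *out, size_t cap) {
    size_t xlen = strlen(xml), total = CS_BLOB_HEADER_LEN + xlen;
    if (total > cap || total > UINT32_MAX) return 0;
    out[0] = 0xfa; out[1] = 0xde; out[2] = 0x71; out[3] = 0x71;
    out[4] = (uint8_t)(total >> 24); out[5] = (uint8_t)(total >> 16);
    out[6] = (uint8_t)(total >> 8);  out[7] = (uint8_t)total;
    memcpy(out + CS_BLOB_HEADER_LEN, xml, xlen);
    return total;
}

/* Constructed sample client entitlements (not taken from any real binary). */
static const char SAMPLE_XML[] =
    "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n"
    "<plist version=\"1.0\"><dict>\n"
    "\t<key>com.apple.xxx</key>\n\t<true/>\n"
    "\t<key>com.example.debug-allowed</key>\n\t<false/>\n"
    "</dict></plist>\n";

/* Run the check against the sample, optionally dropping trailing bytes to
 * simulate a truncated copy of the blob. */
int sample_entitlement_check(const char *name, size_t drop_bytes) {
    uint8_t buf[512];
    size_t n = make_entitlements_blob(SAMPLE_XML, buf, sizeof buf);
    if (n == 0 || drop_bytes > n) return -1;
    return entitlement_is_true(buf, n - drop_bytes, name);
}

#ifdef __APPLE__
#include <unistd.h>
int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize); /* no public header */
#endif

int main(void) {
    printf("sample com.apple.xxx -> %d\n", sample_entitlement_check("com.apple.xxx", 0));
#ifdef __APPLE__
    /* Live check of this process; csops fails with ERANGE if the buffer is too small. */
    static uint8_t live[65536];
    if (csops(getpid(), CS_OPS_ENTITLEMENTS_BLOB, live, sizeof live) == 0)
        printf("this process: com.apple.xxx -> %d\n",
               entitlement_is_true(live, sizeof live, "com.apple.xxx"));
    else
        printf("this process: no entitlements blob\n");
#endif
    return 0;
}
```

The parser treats a bad magic, a truncated blob or a length field larger than the buffer as an error rather than as "no entitlement", so a malformed blob fails closed instead of being silently accepted. The string scan does not understand XML entities or comments, which is another reason a real service on macOS should parse the payload with CFPropertyListCreateWithData, and it should also confirm with csops(pid, CS_OPS_STATUS, ...) that the client's code signature is still valid (CS_VALID) before trusting anything the blob says; for an XPC server, xpc_connection_copy_entitlement_value() returns the value of a single key on the peer connection in one call.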

