Local socket connection verification

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Postby TheDarkKnight » Mon May 21, 2018 4:35 pm

Is it possible for a local socket (server) to verify connections made to it?
If a daemon process creates a local socket for a user application to connect, we'd like to know the pid of the connecting process, in order to verify the application's certificate.

On Linux, there's SO_PEERCRED, so calling getsockopt with this will return a ucred structure that contains the pid. However, the ucred structure under macOS (sys/ucred.h) doesn't include the pid.

Is it possible to retrieve a connecting process's pid from a local socket connection and if so, how?

Thanks ;O)

Re: Local socket connection verification

Postby morpheus » Mon May 21, 2018 6:22 pm

As far as I know, you can't get the PID. It makes sense, because Apple deprecates local sockets in favor of XPC, wherein the audit tokens get you pid, uid, and (indirectly) caller entitlements.

As a workaround, if you are root, you can use com.apple.netsrc to get the socket connections (as demonstrated in lsock). Another (better) workaround is doing what procexp does, which is calling proc_info (sys call #336) and examining sinfo->soi_proto.pri_un.unsi_conn_so (giving you the remote, including PID) where sinfo is the struct socket_fdinfo 'psi' field (q.v. <sys/proc_info.h>). You don't need root for that if you're calling on your own socket fds. Try "procexp ... fds" to see what I mean:

morpheus@Zephyr (~/Documents/Work/ProcExp) %sudo procexp 1 fds | grep -- '->'
launchd 1 FD 6u socket dgram 21aa980d46aceb1f->21aa980d46aceed7 syslogd (PID: 42) client: /private//var/run/syslog

Re: Local socket connection verification

Postby TheDarkKnight » Tue May 22, 2018 8:47 am

Thanks J, that's great.
I like XPC, but it doesn't help when you want to develop cross-platform code ;O)

Re: Local socket connection verification

Postby TheDarkKnight » Tue May 22, 2018 3:56 pm

"examining sinfo->soi_proto.pri_un.unsi_conn_so (giving you the remote, including PID)"

    struct un_sockinfo {
        uint64_t unsi_conn_so;   /* opaque handle of connected socket */
        ...
    }

Sorry if I'm missing the obvious, but how can this handle be used to resolve the pid?

Re: Local socket connection verification

Postby b3ntx » Wed May 23, 2018 6:24 pm

proc_info takes a pid as an argument so you could presumably (expensively) iterate pids until you see a matching obfuscated socket* address.

Re: Local socket connection verification

Postby morpheus » Thu May 24, 2018 2:07 pm

Precisely. This is what procexp does. I iterate over all processes anyway, get all their descriptors, then work backwards from there.

If you wait a bit longer, a full-featured /proc is coming to MacOS along with Volume II :-)

Re: Local socket connection verification

Postby TheDarkKnight » Thu May 24, 2018 3:26 pm

Thanks @b3ntx and @morpheus.

If you wait a bit longer, a full-featured /proc is coming to MacOS along with Volume II

Fingers crossed, in time for Sweden ;O)
