Where are "mach-lookup" sandbox checks enforced?

Questions and Answers about all things *OS (macOS, iOS, tvOS, watchOS)

Where are "mach-lookup" sandbox checks enforced?

Postby ccnut » Thu Jan 30, 2020 6:17 pm

I know the services will be "opt-in" rules, but how are these defined? Is every known mach-service given an entry in the sandbox profile?
ccnut
 
Posts: 11
Joined: Fri Mar 15, 2019 5:11 pm

Re: Where are "mach-lookup" sandbox checks enforced?

Postby morpheus » Wed Feb 05, 2020 2:24 pm

A) launchd.

Code: Select all
morpheus@Bifröst (~/Documents/OSXBook/2nd/src/xnoop) %jtool2 -d /Volumes/YukonB17B84.D421D431OS/sbin/launchd| grep sandbox_check | grep -B 1 mach-loo
Disassembling 218132 bytes from address 0x1000027e4 (offset 0x27e4):
10000f948   0x9400a534  BL       0x100038e18               _sandbox_check_by_audit_token
   _sandbox_check_by_audit_token(0xffffffffffffffd0,"mach-lookup",0x2);
--
10000f98c   0x9400a523  BL       0x100038e18               _sandbox_check_by_audit_token
   _sandbox_check_by_audit_token(0xffffffffffffffd0,"mach-lookup",0x3);
--
10000f9d0   0x9400a512  BL       0x100038e18               _sandbox_check_by_audit_token
   _sandbox_check_by_audit_token(0xffffffffffffffd0,"mach-lookup",0xc);


B) Check the many profiles in /usr/share/sandbox and /System/Library/Sandbox/Profiles. In *OS these are compiled into the kext
morpheus
Site Admin
 
Posts: 737
Joined: Thu Apr 11, 2013 6:24 pm


Return to Questions and Answers

Who is online

Users browsing this forum: No registered users and 4 guests

cron