Hi,
As suggested in the previous post, I want to check the code signature to protect the XPC service in my Network Extension from unauthorized access, but my signature check doesn't work in a sandboxed network extension.
Here is a minimal working example, which checks whether the code itself has a trusted signature:
- (void)test {
    OSStatus ret;
    SecCodeRef mycode = NULL;
    SecRequirementRef myreq = NULL;
    CFErrorRef myerr = NULL;
    do {
        // Build the requirement "anchor trusted": signed by any certificate
        // that chains to a root trusted on this machine.
        ret = SecRequirementCreateWithString(CFSTR("anchor trusted"), kSecCSDefaultFlags, &myreq);
        if (ret != errSecSuccess)
            break;
        // Get a SecCodeRef for the running process itself.
        ret = SecCodeCopySelf(kSecCSDefaultFlags, &mycode);
        if (ret != errSecSuccess)
            break;
        NSLog(@"validate start");
        // Dynamically validate our own code against the requirement.
        ret = SecCodeCheckValidityWithErrors(mycode, kSecCSDefaultFlags, myreq, &myerr);
        NSLog(@"validate return=%d err=%@", (int)ret, myerr);
    } while (0);
    // Release whatever was created; each may be NULL on an early exit.
    if (myerr) {
        CFRelease(myerr);
    }
    if (myreq) {
        CFRelease(myreq);
    }
    if (mycode) {
        CFRelease(mycode);
    }
}
This snippet works in a sandboxed app and in an un-sandboxed network extension. In a sandboxed network extension, however, it outputs: validate return=-2147416000 err=Error Domain=NSOSStatusErrorDomain Code=-2147416000 "(null)" (CSSMERR_CSP_INVALID_CONTEXT_HANDLE)
After digging into the logs from the system frameworks, I found the following two lines, which lead me to believe the error is related to sandboxing:
<Security`Security::MDSSession::LockHelper::obtainLock(char const*, int)> com.mycompany: (Security) [com.apple.securityd:mdslock] obtainLock: calling open(/private/var/db/mds/system/mds.lock)
<Security`Security::MDSSession::LockHelper::obtainLock(char const*, int)> com.mycompany: (Security) [com.apple.securityd:mdslock] obtainLock: open error 1
Is this a limitation of macOS, or do I have to adjust my code for the sandbox in the network extension?
Thanks in advance.
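The following is an added example, not code from the original post, showing how the XPC-client check the post is working toward is usually written: instead of validating the extension's own code with "anchor trusted" (which is satisfied by any certificate chaining to a root the machine trusts), the listener pins the connecting client to an Apple-issued chain, a specific bundle identifier and the developer's own Team ID. On macOS 13 and later NSXPCConnection can enforce such a requirement itself via setCodeSigningRequirement:; on older systems the peer is identified by its audit token and validated with SecCodeCopyGuestWithAttributes. The bundle identifier com.example.MyApp and the Team ID placeholder TEAMID are assumptions to be replaced, and NSXPCConnection has no public accessor for the peer's audit token before macOS 13, so ClientSatisfiesRequirement takes the token as a parameter and leaves obtaining it to the caller.

```objectivec
// Added example (not from the original post). Pinned code-signing check for
// the peer of an XPC connection. Replace com.example.MyApp and TEAMID with
// your own bundle identifier and Team ID; both are placeholders here.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <bsm/audit.h>   // audit_token_t

// Pinned requirement: Apple-issued signing chain (Developer ID / App Store),
// a specific bundle identifier, and our Team ID in the leaf certificate's OU.
// This is far narrower than "anchor trusted", which accepts any certificate
// chaining to a root the machine trusts.
static NSString *const kClientRequirement =
    @"anchor apple generic"
    @" and identifier \"com.example.MyApp\""
    @" and certificate leaf[subject.OU] = \"TEAMID\"";

// Returns YES if the process identified by `token` satisfies `requirement`.
// On failure, *error (if non-NULL) receives the Security framework's error.
static BOOL ClientSatisfiesRequirement(audit_token_t token,
                                       NSString *requirement,
                                       CFErrorRef *error) {
    SecRequirementRef req = NULL;
    SecCodeRef guest = NULL;
    BOOL ok = NO;

    OSStatus st = SecRequirementCreateWithString((__bridge CFStringRef)requirement,
                                                 kSecCSDefaultFlags, &req);
    if (st != errSecSuccess) goto done;

    // Identify the peer by audit token rather than PID: a PID can be reused by
    // another process between the check and the use, an audit token cannot.
    NSData *tokenData = [NSData dataWithBytes:&token length:sizeof(token)];
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributeAudit : tokenData };
    st = SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                        kSecCSDefaultFlags, &guest);
    if (st != errSecSuccess) goto done;

    // Dynamic validation of the running peer against the pinned requirement.
    st = SecCodeCheckValidityWithErrors(guest, kSecCSDefaultFlags, req, error);
    ok = (st == errSecSuccess);

done:
    if (guest) CFRelease(guest);
    if (req) CFRelease(req);
    return ok;
}

@interface ServiceListenerDelegate : NSObject <NSXPCListenerDelegate>
@end

@implementation ServiceListenerDelegate

- (BOOL)listener:(NSXPCListener *)listener
    shouldAcceptNewConnection:(NSXPCConnection *)newConnection {
    if (@available(macOS 13.0, *)) {
        // macOS 13+: XPC enforces the requirement on the peer for every
        // message, so no manual SecCode calls are needed at accept time.
        [newConnection setCodeSigningRequirement:kClientRequirement];
    } else {
        // Older systems: the caller must supply the peer's audit token
        // (no public NSXPCConnection accessor exists before macOS 13).
        audit_token_t token = {{0}};   // placeholder; fill from the connection
        CFErrorRef err = NULL;
        BOOL ok = ClientSatisfiesRequirement(token, kClientRequirement, &err);
        if (!ok) {
            NSLog(@"rejecting XPC client: %@", err);
            if (err) CFRelease(err);
            return NO;   // connection is invalidated, client gets no interface
        }
    }
    // Requirement satisfied (or will be enforced by XPC): expose the service.
    newConnection.exportedInterface =
        [NSXPCInterface interfaceWithProtocol:@protocol(NSObject)];  // your protocol here
    newConnection.exportedObject = self;
    [newConnection resume];
    return YES;
}

@end
```

The requirement string is the part worth getting right: "anchor apple generic" restricts the chain to Apple-issued certificates, "identifier" binds the check to one bundle, and the "certificate leaf[subject.OU]" clause ties it to a single Team ID, so a different developer's notarised app cannot connect even though it too chains to a trusted root.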