If I allow such an event in the ES handler, does this decision override the default handling of this event that would have otherwise denied this request? My guess is no, but want to confirm.
Examples:
Target app is runtime-hardened. Another app tries to get the task-port by doing task_for_pid() on the target app. This should result in ES_EVENT_TYPE_AUTH_GET_TASK event, event-handler allows it.
A file is readable only by root, and a non-root process attempts to read it. This should result in ES_EVENT_TYPE_AUTH_OPEN event sent to the ES handler. Handler allows this to proceed.
An executable is marked to be launched only by root (the file is owned by root, and the 'x' bit is set only for owner), and a non-root process attempts to launch it. This should result in ES_EVENT_TYPE_AUTH_EXEC event, event-handler allows it.
No. An ES client can only tighten security.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
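An added example, not part of the original thread and not Apple's code: a minimal Endpoint Security client in Swift that answers "allow" to the three AUTH events from the question. It assumes the process runs as root and carries the com.apple.developer.endpoint-security.client entitlement; per the answer above, these allow responses are only the client's own vote and do not lift a denial imposed by the system's normal checks.

```swift
import EndpointSecurity
import Foundation

// Added example. Assumes root plus the
// com.apple.developer.endpoint-security.client entitlement.
var client: OpaquePointer?

let status = es_new_client(&client) { c, message in
    // Only AUTH messages expect a response; NOTIFY messages do not.
    guard message.pointee.action_type == ES_ACTION_TYPE_AUTH else { return }

    switch message.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_OPEN:
        // AUTH_OPEN is answered with a mask of the open flags this client
        // permits, not with an allow/deny result. All bits set means this
        // client removes nothing; file permissions are still enforced.
        es_respond_flags_result(c, message, UInt32.max, false)

    case ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_GET_TASK:
        // "Allow" means this client does not object. It grants nothing the
        // system would otherwise refuse (missing execute permission,
        // task-port restrictions on a hardened target).
        es_respond_auth_result(c, message, ES_AUTH_RESULT_ALLOW, false)

    default:
        // Not subscribed to any other AUTH event; answer anyway so an
        // unexpected message never waits for its deadline.
        es_respond_auth_result(c, message, ES_AUTH_RESULT_ALLOW, false)
    }
}

guard status == ES_NEW_CLIENT_RESULT_SUCCESS, let esClient = client else {
    fatalError("es_new_client failed: \(status)")
}

let events: [es_event_type_t] = [
    ES_EVENT_TYPE_AUTH_OPEN,
    ES_EVENT_TYPE_AUTH_EXEC,
    ES_EVENT_TYPE_AUTH_GET_TASK,
]

guard es_subscribe(esClient, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}

// Keep the process alive so the handler continues to receive messages.
dispatchMain()
```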