Dynamic SecCodeRef for currently running plug-ins

Question

Created Jun ’21

Replies 2

Boosts 0

Participants 2

Background: I am using Security.framework to verify the code signing requirements for incoming XPC connections (from listener: shouldAcceptNewConnection: in NSXPCListenerDelegate), as mentioned here:

https://developer.apple.com/forums/thread/72881

Problem: It is working well (for our normal processes), but not for when the XPC connection is coming from our Audio Server Plug-in. In this case, the main problem is that the SecCodeRef I'm getting is from the coreaudiod process, which is hosting the Audio Server Plug-In. I don't want coreaudiod's code-signing information; I want my plugin's code-signing information.

The current way I am getting the SecCodeRef is using the newConnection.processIdentifier, or the NSXPCConnection's audit token (if exposing the private API), but alas, those are for the hosting process and not my plugin.

Question: How do you get a dynamic SecCodeRef for a plugin and not the hosting process?

Possible Attempts: I have tried looking at the header file for SecCodeCopyGuestWithAttributes() and how the first argument, host, used as a starting point, as if you can nest and drill down, but I haven't gotten that to work.

I could probably get a SecStaticCodeRef ,for the binary on disk, but that is not the dynamic running code.

Boost

Answer 1

DTS Engineer OP

Apple

Jun ’21

How do you get a dynamic SecCodeRef for a plugin and not the hosting process?

This question doesn’t make sense given how code signing works in practice on our systems [1]. A dynamic code signing reference always applies to the whole process. Even if that weren’t the case, it wouldn’t buy you anything because there are no intra-process security boundaries. If a process loaded multiple plug-ins then there’s no way an XPC connection can distinguish between them.

If the code loading your plug-in is Apple code and you trust it to only load a single plug-in per process then it could provide a mechanism for you to ask it what plug-in was loaded in any given instance. I don’t know enough about the audio server architecture to say definitively that it has no mechanism for this but… well… it seems unlikely.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Code signing has the concept of a code signing host but that never went anywhere.

0

Answer 2

Jeffrey_B OP

Jun ’21

Thanks for your reply, eskimo. If the plugin architectures don't support identifying which plugin is loaded, I can definitely compensate with providing additional security in my XPC interfaces, but it would have been nice if such an API were available. I'll share if I find anything.

0