Restrict access to user space applications accessing a kernel extension

Question

Created Aug ’23

Replies 3

Boosts 1

Participants 2

I have developed a kernel extension (KEXT) for driving SCSI devices and I am able to successfully use it to send commands to the underlying device. The driver class overrides the newUserClient method which gets called whenever IOServiceOpen is called from the user space so that apps can make use of the driver.

Is there any way to restrict access to this kernel extension such that only my app would be able to open a user client to access the driver and communicate with it using IOConnectCallMethod?

Answered by ForumsContributor in

Boost

Answer 1

DTS Engineer OP

Apple

Aug ’23

Accepted Answer

Is there any way to restrict access to this kernel extension such that only my app would be able to open a user client … ?

I think you can do this with entitlements. Specifically, your user client can call IOUserClient::copyClientEntitlement to get the value for an entitlement for the client process. There are two entitlements that you might check:

com.apple.developer.team-identifier
com.apple.application-identifier

Use the first to check for any code from your team, or the second to check for a specific App ID.

In both cases these are restricted entitlements, meaning that they must be authorised by a profile. Only your team can create a profile that includes your Team ID in the com.apple.developer.team-identifier entitlement allowlist. Likewise for com.apple.application-identifier, assuming that this specific App ID is allocated to your team.

For more on provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

1

Answer 2

abishekmadhuv OP

Aug ’23

Thanks Quinn for the quick response. The target that I have for my project currently is a command line tool which I am planning to run as a daemon and so I am unable to add the provisioning profile for this. Should I be creating an app project as a wrapper for this so that I can achieve the same as mentioned here for restricted entitlements, [https://developer.apple.com/documentation/xcode/signing-a-daemon-with-a-restricted-entitlement]?)

0

Answer 3

DTS Engineer OP

Apple

Aug ’23

The target that I have for my project currently is a command line tool which I am planning to run as a daemon and so I am unable to add the provisioning profile for this.

OK.

Should I be creating an app project as a wrapper for this so that I can achieve the same as mentioned here for restricted entitlements

That’s one way to do it.

In this case, however, you have the option of limiting your user client to programs running as root, using IOUserClient::clientHasAuthorization.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

0