Restrict access to user space applications accessing a kernel extension

I have developed a kernel extension (KEXT) for driving SCSI devices and I am able to successfully use it to send commands to the underlying device. The driver class overrides the newUserClient method which gets called whenever IOServiceOpen is called from the user space so that apps can make use of the driver.

Is there any way to restrict access to this kernel extension such that only my app would be able to open a user client to access the driver and communicate with it using IOConnectCallMethod?

Replies

Is there any way to restrict access to this kernel extension such that only my app would be able to open a user client … ?

I think you can do this with entitlements. Specifically, your user client can call IOUserClient::copyClientEntitlement to get the value for an entitlement for the client process. There are two entitlements that you might check:

  • com.apple.developer.team-identifier

  • com.apple.application-identifier

Use the first to check for any code from your team, or the second to check for a specific App ID.

In both cases these are restricted entitlements, meaning that they must be authorised by a profile. Only your team can create a profile that includes your Team ID in the com.apple.developer.team-identifier entitlement allowlist. Likewise for com.apple.application-identifier, assuming that this specific App ID is allocated to your team.

For more on provisioning profiles, see TN3125 Inside Code Signing: Provisioning Profiles.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
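The entitlement check described in the reply above, as an added example that is not code from the thread or from Apple. The Team ID and App ID are constructed placeholders, and the names `ClientPolicy`, `clientIsAllowed` and `taskIsAllowed` are hypothetical; the IOKit half is compiled only when `KERNEL` is defined, which is assumed to be the case for a kext build.

```cpp
#include <string.h>

// Constructed placeholders (assumptions): substitute your own Team ID and App ID.
static const char kMyTeamID[] = "ABCDE12345";
static const char kMyAppID[]  = "ABCDE12345.com.example.scsitool";

enum ClientPolicy { kAllowAnyCodeFromTeam, kAllowSpecificApp };

// Pure decision, kept free of IOKit types so it can be unit tested.
// A value is nullptr when the entitlement is absent or is not a string.
// Matching is exact and fails closed: no prefix or case-insensitive compare.
static bool clientIsAllowed(ClientPolicy policy, const char *teamID, const char *appID)
{
    const char *actual   = (policy == kAllowSpecificApp) ? appID : teamID;
    const char *expected = (policy == kAllowSpecificApp) ? kMyAppID : kMyTeamID;
    return actual != nullptr && strcmp(actual, expected) == 0;
}

#ifdef KERNEL  // assumed to be defined only when building the kext
#include <IOKit/IOUserClient.h>

static const char kTeamIDKey[] = "com.apple.developer.team-identifier";
static const char kAppIDKey[]  = "com.apple.application-identifier";

// Hypothetical helper: call it with the owningTask passed to newUserClient
// (or to the user client's initWithTask) and refuse the open when it
// returns false, for example with kIOReturnNotPermitted.
static bool taskIsAllowed(task_t owningTask, ClientPolicy policy)
{
    OSObject *team = IOUserClient::copyClientEntitlement(owningTask, kTeamIDKey);
    OSObject *app  = IOUserClient::copyClientEntitlement(owningTask, kAppIDKey);
    // OSDynamicCast yields NULL for a missing or non-string value.
    OSString *teamStr = OSDynamicCast(OSString, team);
    OSString *appStr  = OSDynamicCast(OSString, app);
    bool ok = clientIsAllowed(policy,
                              teamStr ? teamStr->getCStringNoCopy() : nullptr,
                              appStr  ? appStr->getCStringNoCopy()  : nullptr);
    OSSafeReleaseNULL(team);  // copyClientEntitlement returns a retained object
    OSSafeReleaseNULL(app);
    return ok;
}
#endif
```

Performing the check before the user client is handed back means an unentitled process never obtains a connection on which to call IOConnectCallMethod.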

Thanks Quinn for the quick response. The target that I have for my project currently is a command line tool which I am planning to run as a daemon and so I am unable to add the provisioning profile for this. Should I be creating an app project as a wrapper for this so that I can achieve the same as mentioned here for restricted entitlements (https://developer.apple.com/documentation/xcode/signing-a-daemon-with-a-restricted-entitlement)?

The target that I have for my project currently is a command line tool which I am planning to run as a daemon and so I am unable to add the provisioning profile for this.

OK.

Should I be creating an app project as a wrapper for this so that I can achieve the same as mentioned here for restricted entitlements

That’s one way to do it.

In this case, however, you have the option of limiting your user client to programs running as root, using IOUserClient::clientHasAuthorization.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"