It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.
Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?
Accepted Reply
> It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.
Indeed. The kernel MAC framework has never been a supported KPI, something I documented in QA1574 Kernel's MAC framework. In the 10.13 SDK we finally got around to changing the headers (r. 5645458) to reflect that reality.
btw In future you can check whether a KPI is supported or not using the process described in QA1575 Supported KPIs.
> Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?
Probably not )-: What are you doing in your MAC policy?
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Replies
I kept googling and found your old post on the old lists about that.
Looks like kauth is my option.
> Probably not )-: What are you doing in your MAC policy
In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent 'unwanted' processes from signalling my security-related daemons, but it seems that has (still) never been implemented. So mpo_proc_check_signal seems the only way to go, unless I've missed another route.
> In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent ‘unwanted’ processes from signalling my security-related daemons, but it seems that has (still) never been implemented.
Indeed. The bug I filed about that (r. 3931697) just got returned to me as “not to be fixed” )-:
> So mpo_proc_check_signal seems the only way to go, unless I've missed another route.
I don’t consider this a “way to go”, given that this is not KPI.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"