What is the replacement to TrustedBSD?

It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.
Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?

Accepted Reply

> It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.

Indeed. The kernel MAC framework has never been a supported KPI, something I documented in QA1574 Kernel's MAC framework. In the 10.13 SDK we finally got around to changing the headers (r. 5645458) to reflect that reality.

btw In future you can check whether a KPI is supported or not using the process described in QA1575 Supported KPIs.

> Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?

Probably not )-: What are you doing in your MAC policy?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

I kept googling and found your old post on the old lists about that.
Looks like kauth is my option.

> Probably not )-: What are you doing in your MAC policy


In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent 'unwanted' processes from signalling my security-related daemons, but it seems that has (still) never been implemented. So mpo_proc_check_signal seems the only way to go, unless I've missed another route.

> In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent ‘unwanted’ processes from signalling my security-related daemons, but it seems that has (still) never been implemented.

Indeed. The bug I filed about that (r. 3931697) just got returned to me as “not to be fixed” )-:

> So mpo_proc_check_signal seems the only way to go, unless I've missed another route.

I don’t consider this a “way to go”, given that this is not KPI.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"