938 Views 4 Replies
      Latest reply on Apr 16, 2019 1:35 AM by eskimo
      joconnor Level 1 Level 1 (0 points)
      joconnor Oct 29, 2018 10:41 PM

        It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.

        Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?

        • Tags:
        • Re: What is the replacement to TrustedBSD?
          eskimo Apple Staff Apple Staff (11,955 points)
          eskimo Oct 30, 2018 2:41 AM (in response to joconnor)

          It appears that the headers for Trusted BSD have been removed in High Sierra/Xcode 9 and up.

          Indeed.  The kernel MAC framework has never been a supported KPI, something I documented in QA1574 Kernel's MAC framework.  In the 10.13 SDK we finally got around to changing the headers (r. 5645458)) to reflect that reality.

          btw In future you can check whether a KPI is supported or not using the process described in QA1575 Supported KPIs.

          Is there a replacement technology which we can use similar to mac_policy_register and mac_policy_unregister?

          Probably not )-:  What are you doing in your MAC policy?

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

            • Re: What is the replacement to TrustedBSD?
              joconnor Level 1 Level 1 (0 points)
              joconnor Oct 30, 2018 10:29 AM (in response to eskimo)

              I kept googling and found your old post on the old lists about that.

              Looks like kauth is my option.


              • Re: What is the replacement to TrustedBSD?
                Wellington Level 1 Level 1 (0 points)
                Wellington Apr 15, 2019 2:12 AM (in response to eskimo)

                > Probably not )-:  What are you doing in your MAC policy

                 

                In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent 'unwanted' processes from signalling my security-related daemons, but it seems that has (still) never been implemented. So mpo_proc_check_signal seems the only way to go, unless I've missed another route.

                  • Re: What is the replacement to TrustedBSD?
                    eskimo Apple Staff Apple Staff (11,955 points)
                    eskimo Apr 16, 2019 1:35 AM (in response to Wellington)

                    In my case I was hoping to use KAUTH_PROCESS_CANSIGNAL to prevent ‘unwanted’ processes from signalling my security-related daemons, but it seems that has (still) never been implemented.

                    Indeed.  The bug I filed about that (r. 3931697) just got returned to me as “not to be fixed” )-:

                    So mpo_proc_check_signal seems the only way to go, unless I've missed another route.

                    I don’t consider this a “way to go”, given that this is not KPI.

                    Share and Enjoy

                    Quinn “The Eskimo!”
                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                    let myEmail = "eskimo" + "1" + "@apple.com"