IOUserClient peer verification

Hi all,


I'm developing a kext/daemon pair. The kext exposes an interface through IOUserClient, and I want to restrict the client task in `::initWithTask` to only trusted task(s), most likely a single task.

I spent some time trying to figure out the best way, but I'm still not sure what's the simplest and most efficient one.

Ideally the client connects only once, so performance is not an issue. I was searching for something like client code signature verification, but I did not find anything.

The only option I see now is to use IOUserClient::clientHasPrivilege combined with some security plugin, but this seems quite heavy, to be honest.

Btw, a quite elegant solution would be if Apple allowed defining custom entitlements at ADC; checking entitlements is quite easy in IOUserClient subclasses.

So, am I missing something? Any tips?


Many thanks


Pavel

Accepted Reply

I was searching for something like client's code signature verification, but I did not find anything.

That’s correct; there is no code signing KPI.

The only option I see now is to use IOUserClient::clientHasPrivilege(…)

IOUserClient::clientHasPrivilege(…) is certainly an option, although it’s much less fine-grained than you were hoping for.

combined with some security plugin …

I’m not sure what you mean by this.

Btw quite elegant solution would be if Apple allowed to define custom entitlements …

Indeed. And this is how Apple code deals with this issue. However, there’s currently no infrastructure for supporting this for third parties, which puts you firmly in enhancement request territory.

Another potential ER, one that’s a little less infrastructure-heavy, would be a KPI to get code signing information (like the designated requirement) from the task; that would allow your user client to do authorisation based on that.

Or perhaps a KPI to evaluate a code signing requirement against a task.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
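The kernel-side gate discussed above, as an added example that is neither code from the thread nor Apple's: an IOUserClient subclass whose initWithTask admits a client only if clientHasPrivilege() grants the administrator privilege and the task carries a true boolean entitlement. The entitlement name and the FakeTask values are constructed placeholders, the IOKit metaclass boilerplate is omitted, and when KERNEL is not defined a small labelled shim stands in for the IOKit types so the same gate logic compiles and can be exercised in user space.

```cpp
// Added example, not code from the thread. IOKit metaclass boilerplate omitted.
#ifdef KERNEL
#include <IOKit/IOUserClient.h>
#else  // ---- user-space shim: stand-ins for IOKit types, NOT the real KPIs ----
#include <cstring>
typedef unsigned UInt32; typedef int IOReturn; struct OSDictionary;
enum { kIOReturnSuccess = 0, kIOReturnNotPrivileged = 1 };  // shim values
#define kIOClientPrivilegeAdministrator "root"
struct OSObject { virtual ~OSObject() {} virtual void release() {} }; struct OSBoolean : OSObject {};
static OSBoolean gTrue, gFalse;  // stand in for the kernel's OSBoolean singletons
#define kOSBooleanTrue (&gTrue)
struct FakeTask { bool isRoot, hasEntitlement, entitlementValue; };  // constructed task
typedef FakeTask *task_t;
struct IOUserClient {
    virtual ~IOUserClient() {}
    virtual bool initWithTask(task_t, void *, UInt32, OSDictionary *) { return true; }
    static IOReturn clientHasPrivilege(void *token, const char *name) {
        bool root = ((task_t)token)->isRoot && !strcmp(name, kIOClientPrivilegeAdministrator);
        return root ? kIOReturnSuccess : kIOReturnNotPrivileged;
    }
    static OSObject *copyClientEntitlement(task_t t, const char *) {
        return !t->hasEntitlement ? nullptr : t->entitlementValue ? &gTrue : &gFalse;
    }
};
#endif
static const char *const kRequiredEntitlement = "com.example.placeholder.driver-access";  // placeholder
class MyUserClient : public IOUserClient {
public:
    bool initWithTask(task_t owningTask, void *securityID, UInt32 type, OSDictionary *properties) override {
        if (!IOUserClient::initWithTask(owningTask, securityID, type, properties))
            return false;
        // Coarse check (the option Quinn names): securityID is the client's credential token.
        if (clientHasPrivilege(securityID, kIOClientPrivilegeAdministrator) != kIOReturnSuccess)
            return false;
        // Finer check: a boolean entitlement comes back as an OSBoolean singleton. Caveat from the
        // thread: there is no platform infrastructure behind third-party entitlements, so this is policy, not identity proof.
        OSObject *ent = copyClientEntitlement(owningTask, kRequiredEntitlement);
        bool admitted = (ent == kOSBooleanTrue);
        if (ent) ent->release();
        return admitted;
    }
};
#ifndef KERNEL
static bool admits(bool isRoot, bool hasEntitlement, bool entitlementValue) {
    FakeTask task = { isRoot, hasEntitlement, entitlementValue };
    MyUserClient uc;
    return uc.initWithTask(&task, &task, 0, nullptr);
}
#endif
```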

Replies

Have filed https://bugreport.apple.com/web/?problemID=45492462


Unfortunately the issue was closed, referring to a solution that is exactly the same one we discussed as insufficient 😕

Unfortunately the issue was closed, referring to a solution that is exactly the same one we discussed as insufficient

Indeed. You should push back on that by adding a comment to the bug explaining (yet again, sorry) why the current solutions are insufficient.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"