Hi all,
I'm developing a kext/daemon pair. The kext is exposing some interface through IOUserClient and I want to restrict the client task in `::initWithTask` to only trusted task(s). Most likely only a single task.
Spent some time to figure out the best way, but I'm still not sure what's the simplest and most efficient way.
The client ideally connects only once - performance is not an issue. I was searching for something like verification of the client's code signature, but I did not find anything.
The only option I see now is to use IOUserClient::clientHasPrivilege combined with some security plugin - but this seems to be quite heavy, to be honest.
Btw, a quite elegant solution would be if Apple allowed defining custom entitlements at ADC; checking entitlements is quite easy in IOUserClient subclasses.
So, am I missing something? Any tips?
Many thanks
Pavel