Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
- Subject: Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
- From: Jean-Daniel Dupas <email@hidden>
- Date: Thu, 13 Oct 2011 10:23:44 +0200
Not true. It's perfectly possible to use a self-signed cert, as long as it is properly installed.
I'm using a custom lldb build that is required to be signed to work, and didn't have any issue with a self-signed cert.
The instructions to sign lldb are available here. The interesting section is the one that starts with:
«The next steps are necessary on SnowLeopard, but are probably because of a bug
how Keychain Access makes certificates.
[Note: These also apply for Lion.]»
https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt
You may have a look at what it does, and
On 12 Oct 2011, at 21:00, Brian Bergstrand wrote:
> IIRC, a self-signed cert is not acceptable. The same is true for persistent Keychain Access. You must sign with a cert that was created by a system-recognized CA.
>
> On Oct 12, 2011, at 11:33 AM, Ben Staveley-Taylor wrote:
>
>> I'm trying to use the task_for_pid() mach call. I've found several list posts and other items about the security requirements for this from 10.5 onwards and I believe I'm complying, but I just can't get it to work. Can anyone spot what I'm doing wrong?
>>
>> Setup:
>> ------
>>
>> - Running on OS X 10.7.1
>> - I created a new Cocoa application with the code snippets shown below.
>> - Info.plist contains:
>> <key>SecTaskAccess</key>
>> <array>
>> <string>allowed</string>
>> <string>safe</string>
>> </array>
>> - The app is codesigned using a self-signed certificate.
>>
>> Behaviour:
>> ----------
>>
>> - If I sudo-run the app's executable in Terminal (i.e. Test.app/Contents/MacOS/test) directly, it works
>> - If I do the same without sudo, I get the output:
>> system.privilege.taskport acquired
>> com.apple.TextEdit pid is 2475
>> Failed; machErr=(os/kern) failure (5)
>>
>> - If I run the .app bundle by double-clicking in Finder, or in Terminal using "open Test.app" or "sudo open Test.app" it also fails in the same way.
>>
>> So in the failure cases I'm told that I do have system.privilege.taskport rights, but task_for_pid() then fails. What vital step am I missing?
>>
>> Many thanks if you can help,
>>
>> Ben Staveley-Taylor
>> email@hidden
>>
>> Code:
>> -----
>>
>> #import <Cocoa/Cocoa.h>
>> #include <mach/mach.h>
>> #include <mach/mach_error.h>
>> #include <Security/Authorization.h>
>>
>> OSStatus AcquireTaskportRight(void);
>> // Helper from my project, not shown here; prototype inferred from the call below.
>> OSStatus FindPSNForBundleID(NSString *bundleID, ProcessSerialNumber *psn);
>>
>> int main(int argc, const char *argv[])
>> {
>>     @autoreleasepool {
>>         ProcessSerialNumber psn;
>>
>>         // Get pid of TextEdit, assuming it is running
>>         NSString *targetProcessBundle = @"com.apple.TextEdit";
>>         if (FindPSNForBundleID(targetProcessBundle, &psn) == noErr) {
>>
>>             // I don't think this should be necessary, but done for verification
>>             OSStatus osErr = AcquireTaskportRight();
>>
>>             if (osErr == noErr) {
>>                 // Convert PSN to PID.
>>                 pid_t pid;
>>                 if (GetProcessPID(&psn, &pid) != noErr) {
>>                     NSLog(@"GetProcessPID failed");
>>                     return 1;
>>                 }
>>                 NSLog(@"%@ pid is %d", targetProcessBundle, pid);
>>
>>                 mach_port_t remoteTask = MACH_PORT_NULL;
>>                 mach_error_t machErr = task_for_pid(mach_task_self(), pid, &remoteTask);
>>
>>                 if (machErr == KERN_SUCCESS) {
>>                     NSLog(@"Success");
>>                     // Release the send right once we are done with the task port.
>>                     mach_port_deallocate(mach_task_self(), remoteTask);
>>                 }
>>                 else {
>>                     const char *msg = mach_error_string(machErr);
>>                     NSLog(@"Failed; machErr=%s (%d)", msg, (int)machErr);
>>                 }
>>             }
>>         }
>>     }
>>     return 0;
>> }
>>
>> OSStatus AcquireTaskportRight(void)
>> {
>>     OSStatus stat = noErr;
>>     // One AuthorizationItem: name, valueLength, value, flags.
>>     // (The closing brace belongs after the flags field, not after the name.)
>>     AuthorizationItem taskport_item[] = {
>>         {"system.privilege.taskport", 0, NULL, 0}
>>     };
>>     AuthorizationRights rights = {1, taskport_item}, *out_rights = NULL;
>>     AuthorizationRef authRef = NULL;
>>     AuthorizationFlags auth_flags = kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize;
>>
>>     stat = AuthorizationCreate(NULL, kAuthorizationEmptyEnvironment, auth_flags, &authRef);
>>
>>     if (stat == errAuthorizationSuccess) {
>>         stat = AuthorizationCopyRights(authRef, &rights, kAuthorizationEmptyEnvironment, auth_flags, &out_rights);
>>     }
>>
>>     if (stat == errAuthorizationSuccess) {
>>         NSLog(@"system.privilege.taskport acquired");
>>     }
>>     else {
>>         NSLog(@"Failed to acquire system.privilege.taskport right. Error: %d", (int)stat);
>>     }
>>
>>     // Free what the Authorization API handed back.
>>     if (out_rights != NULL) AuthorizationFreeItemSet(out_rights);
>>     if (authRef != NULL) AuthorizationFree(authRef, kAuthorizationFlagDefaults);
>>
>>     return stat;
>> }
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Darwin-dev mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
-- Jean-Daniel
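A diagnostic script for the setup Ben describes, added here as an example; it is not part of this thread or of lldb's code-signing.txt. It checks the three things the thread turns on (the SecTaskAccess entry in Info.plist, a signature that verifies, and whether the certificate at the root of the signing chain is installed in the System keychain, which is where the lldb notes put the self-signed cert) and dumps the authorization rule for system.privilege.taskport. The function names and the sample strings are mine; PlistBuddy, codesign and security are stock macOS tools and the macOS checks only run when an app path is passed.

```shell
#!/bin/sh
# Diagnostic for the task_for_pid signing setup discussed above (constructed example).
set -eu

# Root (last) "Authority=" line from `codesign -dvvv` output; empty if unsigned.
codesign_root_authority() {
    printf '%s\n' "$1" | sed -n 's/^Authority=//p' | tail -n 1
}

# True if PlistBuddy's "Print :SecTaskAccess" output lists the value "allowed".
sectaskaccess_allows() {
    printf '%s\n' "$1" | sed 's/^[[:space:]]*//' | grep -qx 'allowed'
}

check_app() {
    app=$1
    plist="$app/Contents/Info.plist"

    echo "== SecTaskAccess ($plist)"
    acc=$(/usr/libexec/PlistBuddy -c 'Print :SecTaskAccess' "$plist" 2>&1) || acc=""
    if sectaskaccess_allows "$acc"; then
        echo "ok: 'allowed' is listed"
    else
        echo "PROBLEM: SecTaskAccess missing or does not list 'allowed'"
    fi

    echo "== codesign --verify"
    codesign --verify --verbose=2 "$app" 2>&1 || echo "PROBLEM: signature does not verify"

    info=$(codesign -dvvv "$app" 2>&1) || true
    root=$(codesign_root_authority "$info")
    echo "== signing chain root: ${root:-<none>}"
    if [ -n "$root" ]; then
        # The lldb code-signing notes install the self-signed cert in the System keychain.
        if security find-certificate -c "$root" /Library/Keychains/System.keychain >/dev/null 2>&1; then
            echo "ok: '$root' is in /Library/Keychains/System.keychain"
        else
            echo "PROBLEM: '$root' not found in the System keychain"
        fi
    fi

    echo "== authorization rule for system.privilege.taskport"
    security authorizationdb read system.privilege.taskport 2>/dev/null || echo "(could not read rule)"
}

# Only run the macOS checks when an app path is given.
if [ $# -ge 1 ]; then
    check_app "$1"
fi
```

Run it as `sh check_taskport.sh /path/to/Test.app`; each "PROBLEM" line points at one of the requirements discussed in the thread.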