Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
- Subject: Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
- From: Jean-Daniel Dupas <email@hidden>
- Date: Thu, 13 Oct 2011 10:28:49 +0200
As a side note, IIRC, the "safe" key is reserved by Apple and required the binary to be signed by an Apple certificate.
Le 13 oct. 2011 à 10:23, Jean-Daniel Dupas a écrit :
> Not true. It's perfectly possible to use a self signed cert, as long as it is properly installed.
>
> I'm using custom lldb build that required to be signed to works, and didn't have issue with a self signed cert.
>
> The instruction to sign lldb are available here. The interesting section is the one that start with:
>
> «The next steps are necessary on SnowLeopard, but are probably because of a bug
> how Keychain Access makes certificates.
> [Note: These also apply for Lion.]»
>
>
>
>
> https://llvm.org/svn/llvm-project/lldb/trunk/docs/code-signing.txt
>
> You may have a look at what it does, and
> Le 12 oct. 2011 à 21:00, Brian Bergstrand a écrit :
>
>> IIRC, a self-signed cert is not acceptable. The same is true for persistent Keychain Access. You must sign with a cert that was created by a system-recognized CA.
>>
>> On Oct 12, 2011, at 11:33 AM, Ben Staveley-Taylor wrote:
>>
>>> I'm trying to use the task_for_pid() mach call. I've found several list posts and other items about the security requirements for this from 10.5 onwards and I believe I'm complying, but I just can't get it to work. Can anyone spot what I'm doing wrong?
>>>
>>> Setup:
>>> ------
>>>
>>> - Running on OS X 10.7.1
>>> - I created a new Cocoa application with the code snippets shown below.
>>> - Info.plist contains:
>>> <key>SecTaskAccess</key>
>>> <array>
>>> <string>allowed</string>
>>> <string>safe</string>
>>> </array>
>>> - The app is codesigned using a self-signed certificate.
>>>
>>> Behaviour:
>>> ----------
>>>
>>> - If I sudo-run the app's executable in Terminal (i.e. Test.app/Contents/MacOS/test) directly, it works
>>> - If I do the same without sudo, I get the output:
>>> system.privilege.taskport acquired
>>> com.apple.TextEdit pid is 2475
>>> Failed; machErr=(os/kern) failure (5)
>>>
>>> - If I run the .app bundle by double-clicking in Finder, or in Terminal using "open Test.app" or "sudo open Test.app" it also fails in the same way.
>>>
>>> So in the failure cases I'm told that I do have system.privilege.taskport rights, but task_for_pid() then fails. What vital step am I missing?
>>>
>>> Many thanks if you can help,
>>>
>>> Ben Staveley-Taylor
>>> email@hidden
>>>
>>>
>>>
>>>
>>> Code:
>>> -----
>>>
>>> ProcessSerialNumber psn;
>>>
>>> // Get pid of TextEdit, assuming it is running
>>> NSString *targetProcessBundle = @"com.apple.TextEdit";
>>> if (FindPSNForBundleID(targetProcessBundle, &psn) == noErr) {
>>>
>>> // I don't think this should be necessary, but done for verification
>>> OSStatus osErr = AcquireTaskportRight();
>>>
>>> if (osErr == noErr)
>>> {
>>> // Convert PSN to PID.
>>> pid_t pid;
>>> GetProcessPID( &psn, &pid );
>>> NSLog(@"%@ pid is %d", targetProcessBundle, pid);
>>>
>>> mach_port_t remoteTask = 0;
>>> mach_error_t machErr = task_for_pid( mach_task_self(), pid, &remoteTask );
>>>
>>> if (machErr == 0) {
>>> NSLog(@"Success");
>>> }
>>> else {
>>> const char *msg = mach_error_string(machErr);
>>> NSLog(@"Failed; machErr=%s (%d)", msg, (int)machErr);
>>> }
>>> }
>>> }
>>>
>>>
>>>
>>>
>>> OSStatus AcquireTaskportRight() {
>>>
>>> OSStatus stat = noErr;
>>> AuthorizationItem taskport_item[] = {
>>> {"system.privilege.taskport"},0,0,0
>>> };
>>> AuthorizationRights rights = {1, taskport_item}, *out_rights = NULL;
>>> AuthorizationRef authRef;
>>> AuthorizationFlags auth_flags = kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize;
>>>
>>> stat = AuthorizationCreate (NULL, kAuthorizationEmptyEnvironment, auth_flags, &authRef);
>>>
>>> if (stat == errAuthorizationSuccess) {
>>> stat = AuthorizationCopyRights ( authRef, &rights, kAuthorizationEmptyEnvironment, auth_flags, &out_rights);
>>> }
>>>
>>> if (stat == errAuthorizationSuccess) {
>>> NSLog(@"system.privilege.taskport acquired");
>>> }
>>> else {
>>> NSLog(@"Failed to acquire system.privilege.taskport right. Error: %d", (int)stat);
>>> }
>>>
>>> return stat;
>>> }
>>>
>>> _______________________________________________
>>> Do not post admin requests to the list. They will be ignored.
>>> Darwin-dev mailing list (email@hidden)
>>> Help/Unsubscribe/Update your Subscription:
>>>
>>> This email sent to email@hidden
>>
>> _______________________________________________
>> Do not post admin requests to the list. They will be ignored.
>> Darwin-dev mailing list (email@hidden)
>> Help/Unsubscribe/Update your Subscription:
>>
>> This email sent to email@hidden
>
> -- Jean-Daniel
>
>
>
>
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Darwin-dev mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden
-- Jean-Daniel
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden