Re: Current active login session
Re: Current active login session
- Subject: Re: Current active login session
- From: "Quinn \"The Eskimo!\"" <email@hidden>
- Date: Mon, 23 Aug 2010 10:11:33 +0100
On 20 Aug 2010, at 14:34, Antoine Missout wrote:
> We police network connection in a similar manner to Little Snitch. Network connections can be either denied, allowed, or up to the user to decide in an interactive manner.
Ultimately this boils down to a question of trust. You want to be able to trust that the actual user, not some bogus software running inside the user's context, is answering your questions. This presents a real difficulty:
o only user-level software is allowed to talk to the GUI
o user-level software can be subverted
You can resolve this paradox using the Authorization Services API. This allows your daemon to request authorisation for some operation ("allow this TCP connection?", for example) and have the UI that asks that question run in a trusted GUI environment that's not under the control of the user (the SecurityAgent process). The mechanics of making this work are going to be a little tricky. You will almost certainly need an authorisation plug-in to run your GUI. You're also going to need something in the user's context that checks in and out with your daemon.
S+E
--
Quinn "The Eskimo!" <http://www.apple.com/developer/>
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden