Our application/component provides user control to block/allow applications in Mac OS X. It has the following features:
i) Create a rule to allow/block the 'launch' of different applications.
ii) Create a rule to allow/block network access for an application.
Our application has a kext, 'App.kext', which registers listeners for the 'KAUTH_SCOPE_VNODE' and 'KAUTH_SCOPE_FILEOP' scopes.
'App.kext' handles the KAUTH_VNODE_EXECUTE action for every process and sends it to userland (the 'appd' daemon) to decide whether to allow the launch or not (based on the 'rules' added by the user).
'App.kext' also handles the KAUTH_FILEOP_CLOSE/KAUTH_FILEOP_EXCHANGE/KAUTH_FILEOP_RENAME actions.
When the 'xpcproxy' binary is executed/launched, 'App.kext' blocks it and sends its 'process information' to its userland counterpart, 'appd'.
As 'appd' allows 'Apple-signed' binaries to launch (irrespective of the rules added by the user), we check whether the 'binary' is Apple-signed or not.
We are using the Security framework provided by Apple to check for 'Apple signing' of the binary. The following API doesn't return when we use it for the 'xpcproxy' binary (the xpcproxy process is still blocked by App.kext, as it is waiting for the 'appd' daemon process's response on whether to block/allow it) and the system goes unresponsive.
    SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, appleAncorReq);
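For readers following the same design, here is an added example (not the poster's 'appd' code, and not a diagnosis of the hang) of a userland "is this binary Apple-signed?" check built from the same Security framework call. It creates the requirement from the requirement-language string "anchor apple", runs SecStaticCodeCheckValidity on a background queue, and bounds how long the calling thread waits, so the thread that has to answer the kext is never parked indefinitely inside the framework. The function names, the enum, the 5-second bound and the treatment of a timeout as a distinct result are all assumptions made for this example; the verdict to return to the kext on a timeout is left to the caller.

```objective-c
// Added example: Apple-anchor code-signing check with a bounded wait.
// Build on macOS with: clang -fobjc-arc -framework Foundation -framework Security
// Names (IsAppleSignedSync, IsAppleSignedBounded, AppleSignCheck) are
// assumptions for this example, not the poster's daemon.
#import <Foundation/Foundation.h>
#import <Security/Security.h>
#import <dispatch/dispatch.h>

typedef NS_ENUM(NSInteger, AppleSignCheck) {
    AppleSignCheckNotApple = 0,   // check completed: requirement not satisfied
    AppleSignCheckApple    = 1,   // check completed: binary satisfies "anchor apple"
    AppleSignCheckTimedOut = 2,   // check did not return within the bound
};

// Synchronous check: the same SecStaticCodeCheckValidity call the post shows,
// with the requirement built from the requirement-language string "anchor apple".
static BOOL IsAppleSignedSync(NSString *path) {
    SecStaticCodeRef code = NULL;
    SecRequirementRef req = NULL;
    BOOL ok = NO;
    NSURL *url = [NSURL fileURLWithPath:path];
    if (SecStaticCodeCreateWithPath((__bridge CFURLRef)url, kSecCSDefaultFlags, &code) != errSecSuccess)
        return NO;  // unreadable / not a Mach-O or bundle we can represent
    if (SecRequirementCreateWithString(CFSTR("anchor apple"), kSecCSDefaultFlags, &req) == errSecSuccess) {
        // errSecSuccess only if the signature is valid AND the requirement holds.
        ok = (SecStaticCodeCheckValidity(code, kSecCSDefaultFlags, req) == errSecSuccess);
        CFRelease(req);
    }
    CFRelease(code);
    return ok;
}

// Bounded variant: the framework call runs off the calling thread and the
// caller waits at most `timeout` seconds for it. On timeout the background
// thread may still be stuck inside the framework; only the decision path is
// kept responsive, which is why the timeout is surfaced as its own result.
static AppleSignCheck IsAppleSignedBounded(NSString *path, NSTimeInterval timeout) {
    dispatch_semaphore_t done = dispatch_semaphore_create(0);
    __block BOOL result = NO;
    dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
        result = IsAppleSignedSync(path);
        dispatch_semaphore_signal(done);
    });
    dispatch_time_t deadline = dispatch_time(DISPATCH_TIME_NOW, (int64_t)(timeout * NSEC_PER_SEC));
    if (dispatch_semaphore_wait(done, deadline) != 0)
        return AppleSignCheckTimedOut;      // do not read `result`: the block may still be running
    return result ? AppleSignCheckApple : AppleSignCheckNotApple;
}

int main(int argc, const char *argv[]) {
    @autoreleasepool {
        // Default target is the binary from the post; any path may be passed instead.
        NSString *path = argc > 1 ? @(argv[1]) : @"/usr/libexec/xpcproxy";
        AppleSignCheck r = IsAppleSignedBounded(path, 5.0);
        const char *label = (r == AppleSignCheckApple)    ? "apple-signed" :
                            (r == AppleSignCheckNotApple) ? "not apple-signed" :
                                                            "timed out";
        NSLog(@"%@: %s", path, label);
        return (r == AppleSignCheckTimedOut) ? 2 : 0;
    }
}
```

Run as a normal userland tool (`./check /usr/libexec/xpcproxy`) outside of the blocked state first: if the check returns promptly there, the hang the post describes is specific to calling it while 'App.kext' is holding the exec of the very binary being examined, which narrows where to look. Note that a timed-out check leaves a thread parked in the framework, so a daemon using this pattern should cache verdicts per path and cap the number of outstanding checks rather than spawning one per blocked process.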
Steps followed for debugging the issue:
To debug the scenario, I tried remote debugging (using two machines) with Yosemite (dev preview 5) installed on both machines.
Installed the command line tools (released on 4th August) from the Apple developer account.
Added nvram boot-args as follows on the target machine and rebooted it (also added on the host machine):
    boot-args="debug=0x146 kext-dev-mode=1 kdp_match_name=firewire fwkdp=0x8000"
Both machines are connected using a 'FireWire 800' cable. The host machine uses a 'Thunderbolt to FireWire adapter' and the target machine has a FireWire port. In Network Preferences both machines show FireWire connected (with self-assigned IPs).
On the host machine I ran 'fwkdp', then tried the following steps:
i) Downloaded the latest Kernel Debug Kit (released on 4th August for Yosemite)
ii) cd /Volumes/KernelDebugKit
iv) lldb /Volumes/KernelDebugKit/kernel
v) (lldb) target create --arch x86_64 kernel // Tried with or without this command.
vi) (lldb) platform select remote-macosx // Tried with or without this command.
On the target machine I forced a panic / sent an NMI (non-maskable interrupt).
On the host machine I tried the following command to remotely connect to and debug the target machine, but it fails. I tried it before/after the target machine panic, but it always fails.
    (lldb) kdp-remote localhost
    error: KDP_REATTACH failed
I also tried the IP of the target machine, 1.2.3.4, etc. with different combinations, but was unable to connect to the target machine.
Could anyone help me in identifying the reason for the code-sign API hanging for the '/usr/libexec/xpcproxy' binary while the 'xpcproxy' process is blocked?
I would also like to know the steps to remotely debug the target machine's kernel.
Host machine info =>
Mac OS X Yosemite (10.10 Dev Seed 5)
MacBook Pro (Retina, 13-inch, Late 2013)
Processor 2.4 GHz Intel Core i5
Memory 8 GB 1600 MHz DDR3
Graphics Intel Iris 1536 MB
Target machine info => (panic machine)
Mac OS X Yosemite (10.10 Dev Seed 5)
MacBook Pro (13 inch, Mid 2009)
Processor 2.26 GHz Intel Core 2 Duo
Memory 8 GB 1067 MHz DDR3
Graphics NVIDIA GeForce 9400M 256 MB