Re: task_for_pid fails with os/kern failure even with system.privilege.taskport
IIRC, a self-signed cert is not acceptable. The same is true for persistent Keychain Access. You must sign with a cert that was created by a system-recognized CA.

On Oct 12, 2011, at 11:33 AM, Ben Staveley-Taylor wrote:
I'm trying to use the task_for_pid() mach call. I've found several list posts and other items about the security requirements for this from 10.5 onwards and I believe I'm complying, but I just can't get it to work. Can anyone spot what I'm doing wrong?
Setup:
------

- Running on OS X 10.7.1
- I created a new Cocoa application with the code snippets shown below.
- Info.plist contains:
    <key>SecTaskAccess</key>
    <array>
        <string>allowed</string>
        <string>safe</string>
    </array>
- The app is codesigned using a self-signed certificate.
Behaviour:
----------

- If I sudo-run the app's executable in Terminal (i.e. Test.app/Contents/MacOS/test) directly, it works
- If I do the same without sudo, I get the output:
    system.privilege.taskport acquired
    com.apple.TextEdit pid is 2475
    Failed; machErr=(os/kern) failure (5)
- If I run the .app bundle by double-clicking in Finder, or in Terminal using "open Test.app" or "sudo open Test.app" it also fails in the same way.
So in the failure cases I'm told that I do have system.privilege.taskport rights, but task_for_pid() then fails. What vital step am I missing?
Many thanks if you can help,
Ben Staveley-Taylor
ben.staveley-taylor@oracle.com
Code:
-----

    ProcessSerialNumber psn;

    // Get pid of TextEdit, assuming it is running
    NSString *targetProcessBundle = @"com.apple.TextEdit";
    if (FindPSNForBundleID(targetProcessBundle, &psn) == noErr)
    {
        // I don't think this should be necessary, but done for verification
        OSStatus osErr = AcquireTaskportRight();

        if (osErr == noErr)
        {
            // Convert PSN to PID.
            pid_t pid;
            GetProcessPID( &psn, &pid );
            NSLog(@"%@ pid is %d", targetProcessBundle, pid);

            mach_port_t remoteTask = 0;
            mach_error_t machErr = task_for_pid( mach_task_self(), pid, &remoteTask );

            if (machErr == 0)
            {
                NSLog(@"Success");
            }
            else
            {
                const char *msg = mach_error_string(machErr);
                NSLog(@"Failed; machErr=%s (%d)", msg, (int)machErr);
            }
        }
    }

    OSStatus AcquireTaskportRight()
    {
        OSStatus stat = noErr;
        // One item: name, valueLength, value, flags
        AuthorizationItem taskport_item[] = { {"system.privilege.taskport", 0, NULL, 0} };
        AuthorizationRights rights = {1, taskport_item}, *out_rights = NULL;
        AuthorizationRef authRef;
        AuthorizationFlags auth_flags = kAuthorizationFlagExtendRights | kAuthorizationFlagPreAuthorize;

        stat = AuthorizationCreate (NULL, kAuthorizationEmptyEnvironment, auth_flags, &authRef);

        if (stat == errAuthorizationSuccess)
        {
            stat = AuthorizationCopyRights ( authRef, &rights, kAuthorizationEmptyEnvironment, auth_flags, &out_rights);
        }

        if (stat == errAuthorizationSuccess)
        {
            NSLog(@"system.privilege.taskport acquired");
        }
        else
        {
            NSLog(@"Failed to acquire system.privilege.taskport right. Error: %d", (int)stat);
        }

        return stat;
    }
_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/brian%40classicalguitar.ne...
This email sent to brian@classicalguitar.net
participants (1)
- Brian Bergstrand
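
Added example, not part of the original thread or of Apple's code: a Python preflight for the two preconditions the messages discuss, the SecTaskAccess key in Info.plist and the signing chain that `codesign -dvv` reports. The plist and the codesign output are constructed samples, the function names are hypothetical, and reading a one-entry Authority chain as a self-signed identity is an assumption; whether the system trusts the chain is not checked.

```python
import plistlib

# Constructed Info.plist matching the setup described in the quoted post.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key><string>com.example.test</string>
  <key>SecTaskAccess</key>
  <array><string>allowed</string><string>safe</string></array>
</dict>
</plist>"""

# Constructed `codesign -dvv` output for a bundle signed with a
# self-signed identity (a single Authority line).
SAMPLE_CODESIGN = """Executable=/tmp/Test.app/Contents/MacOS/test
Identifier=com.example.test
Authority=Test Self-Signed
Signed Time=Oct 12, 2011 11:00:00 AM
"""


def authority_chain(codesign_text):
    """Return the Authority= values in output order (leaf first)."""
    return [line.split("=", 1)[1].strip()
            for line in codesign_text.splitlines()
            if line.startswith("Authority=")]


def preflight(plist_bytes, codesign_text):
    """List the reasons task_for_pid() is likely to be refused."""
    findings = []
    info = plistlib.loads(plist_bytes)
    access = info.get("SecTaskAccess")
    if not isinstance(access, list) or "allowed" not in access:
        findings.append("SecTaskAccess missing or lacks 'allowed'")
    chain = authority_chain(codesign_text)
    if not chain:
        findings.append("no signing authority: unsigned or ad hoc signature")
    elif len(chain) == 1:
        # Assumption: a lone Authority entry means the leaf is its own root.
        findings.append("single-certificate chain (%s): self-signed identity"
                        % chain[0])
    return findings


if __name__ == "__main__":
    for finding in preflight(SAMPLE_PLIST, SAMPLE_CODESIGN):
        print("WARN:", finding)
```

On a real bundle, feed it the contents of Contents/Info.plist and the text `codesign -dvv` writes to stderr.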