sharvil
05/26/2020, 6:59 PM
1. Whether the EndpointSecurity client must be a system extension?
My understanding is that EndpointSecurity requires that clients run as root and have the entitlement, meaning there's no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.
alessandrogario
05/26/2020, 7:22 PM
sharvil
05/26/2020, 7:31 PM
If we used es_message->process->platform_binary instead of event_exec->target->platform_binary, that would solve it, right?
alessandrogario
05/26/2020, 7:32 PMsharvil
05/26/2020, 7:40 PM
ESMessage.h header, especially related to codesigning?
 * If page content has been
* tampered with in the executable, we won't know until that page is paged in. At that time, the
* process will have its CS_VALID bit removed and, if CS_KILL is set, the process will be killed,
* preventing any tampered code to be executed. CS_KILL is generally set for platform binaries and
* for binaries having opted into the hardened runtime. An ES client wishing to detect tampered
* code before it is paged in, for example already at exec time, can use the Security framework to
* do so, but should be cautious of the potentially significant performance cost of doing so. The
* EndpointSecurity subsystem itself has no role in verifying the validity of code signatures.
alessandrogario
05/26/2020, 7:47 PM