sharvil 05/26/2020, 6:59 PM
1. Whether the EndpointSecurity Client must be a system extension?
My understanding is that EndpointSecurity require that clients run as root and have the entitlement, meaning there’s no specific requirement that the client be a system extension. This is in contrast to other subsystems, like system-wide NetworkExtensions, which must be packaged as system extensions.
sharvil 05/26/2020, 7:31 PM
instead of the
, that would solve it, right?
sharvil 05/26/2020, 7:40 PM
header, especially related to codesigning?
If page content has been tampered with in the executable, we won't know until that page is paged in. At that time, the process will have its CS_VALID bit removed and, if CS_KILL is set, the process will be killed, preventing any tampered code to be executed. CS_KILL is generally set for platform binaries and for binaries having opted into the hardened runtime. An ES client wishing to detect tampered code before it is paged in, for example already at exec time, can use the Security framework to do so, but should be cautious of the potentially significant performance cost of doing so. The EndpointSecurity subsystem itself has no role in verifying the validity of code signatures.