Well, let's imagine I have a Python script that does something easy to do in Python but hard in Swift: script.py
I would like to run this Python script on a macOS system, but to protect the Python process against tampering, I would like this Python process to have a hardened runtime.
In the link you sent, there is a fully fledged app, in addition to the script. So I was wondering if there was a simpler way to do this, without the full app.
Also, with the technique described in the link, I don't know if the runtime of the command-line tool itself is actually protected with the hardened runtime?
Thanks for the link. I saw this, but this is not exactly the use case: I was hoping to have only a simple command line tool, not embedded inside an app. I guess it's not really possible.
Thanks for your answer.
I missed that list was a legacy command. I'll study the launchctl man page further to understand how to list login items. It's not clear on first read what the right command is.
I wish there was a command line/system wide way to manage services. I understand your point that managing them from the app is good, but I also feel we should be able to control it from the OS, to avoid rogue services/malware, etc.
Ah, that is good to know. Thank you.
I understand, thank you for your answer.
Regarding your point "make sure to re-sign any nested code, from the inside out", is it enough to use the "deep" option when doing so?
Specifically, is it good enough to use this command:
codesign -s $ID_NUM -f --deep --options runtime --entitlements new_entitlements.txt $APPLICATIONPATH
Ah, that makes sense. Thank you, I was missing that piece.
Ah, I have dug a bit further. If I re-sign the app with the original entitlements, then it works properly. So it seems the issue was a compatibility one: apps signed under an older version of macOS do not honor the entitlement. Simply re-signing under the new OS seems to solve the problem.
It feels like a pretty serious bug to me. This entitlement is meant for safety, and it seems that the code underpinning it is broken.
I feel I should file a bug report to prevent:
Other developers building apps with that entitlement set to false, not knowing this fails
Other bugs in that code (a bug might hide others)
I understand your point about binary compatibility, but at the very least a warning on the documentation page not to explicitly set the value as false would be useful.
Ultimately, I'll rely on your judgement though, what do you think?
Hi Eskimo, thanks for your help.
When I remove the line entirely (but keep the sandbox entitlement), it seems it is not making network connections.
(I am not entirely sure because the network connections are only sporadic, but that seems to be the case).
That is odd, is that entitlement broken?
Thanks for your response. When looking at the entitlements of the embedded provisioning profile with "security cms" as you suggested, I see the correct app identifier:
<key>com.apple.application-identifier</key>
<string>RUXT127L01.com.team.AppName.NetworkExtension</string>
So this does not explain the first error I see (ignoring the identifier).
However, it does not contain the com.apple.security.application-groups entitlement. So maybe that explains the second error. The profile is managed by Xcode. How can I add this entitlement to the provisioning profile?
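The check described in the post above (decode the embedded profile with "security cms", then confirm the application identifier and the entitlements it grants), as an added example that is not part of the original post: a Python script that reads the decoded plist and reports whether the app identifier matches the expected team prefix plus bundle ID and which required entitlements are absent. The profile XML below is a constructed, trimmed sample, and the function name `check_profile` is this example's own.

```python
import plistlib

# Constructed sample of what `security cms -D -i embedded.provisionprofile` prints,
# trimmed to the keys this check needs (a real profile carries many more).
SAMPLE_PROFILE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>ApplicationIdentifierPrefix</key>
  <array><string>RUXT127L01</string></array>
  <key>Entitlements</key>
  <dict>
    <key>com.apple.application-identifier</key>
    <string>RUXT127L01.com.team.AppName.NetworkExtension</string>
    <key>com.apple.developer.team-identifier</key>
    <string>RUXT127L01</string>
  </dict>
</dict>
</plist>
"""


def check_profile(profile_xml: bytes, bundle_id: str, required: list) -> dict:
    """Return {'app_id_ok': bool, 'missing': [required entitlement keys absent from the profile]}."""
    plist = plistlib.loads(profile_xml)
    entitlements = plist.get("Entitlements", {})
    prefixes = plist.get("ApplicationIdentifierPrefix", [])
    app_id = entitlements.get("com.apple.application-identifier", "")
    # The application identifier must be "<team prefix>.<bundle id>" for this exact bundle;
    # a profile generated for a different bundle (or team) fails this check.
    app_id_ok = any(app_id == f"{prefix}.{bundle_id}" for prefix in prefixes)
    # An entitlement the app claims but the profile does not grant is rejected at load time,
    # so list every required key that the profile's Entitlements dict lacks.
    missing = [key for key in required if key not in entitlements]
    return {"app_id_ok": app_id_ok, "missing": missing}


if __name__ == "__main__":
    report = check_profile(
        SAMPLE_PROFILE_XML,
        "com.team.AppName.NetworkExtension",
        ["com.apple.security.application-groups",
         "com.apple.developer.networking.networkextension"],
    )
    print(report)
```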
I see, that makes sense. Thanks for the explanation, I'll look into that.
Thanks for your response. I am surprised that this would create issues on the memory side. NEFilterRule has a size on the heap of 24 bytes. So 50,000 objects of this size would be about 1.14 MB. That's low even for an iPhone?
I am not entirely sure what you mean by processing the IP addresses into a smaller set of rules. I am not clear how that could be done.
From the quick and dirty measurement I made, by doing (2) and organizing the IP addresses into a set, the lookup takes about 200 us (0.2 milliseconds). I was wondering if doing (1) could beat that, but from your answer you do not seem to be bullish on (1).
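One way the address list can be "processed into a smaller set of rules", as an added illustration that is not part of the original thread: merge the individual addresses into the fewest CIDR blocks that cover exactly them (each block would then be one rule instead of one rule per address), and look addresses up against the sorted, disjoint blocks with a binary search rather than a linear scan. The sample list is constructed, IPv4 only, and the names `collapse_blocklist` and `CidrSet` are this example's own.

```python
import bisect
import ipaddress
from typing import Iterable, List


def collapse_blocklist(addresses: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Merge individual IPv4 addresses (one /32 each) into the fewest CIDR blocks that
    cover exactly those addresses and nothing else. Each block becomes one rule."""
    hosts = [ipaddress.IPv4Network(a) for a in addresses]
    return list(ipaddress.collapse_addresses(hosts))


class CidrSet:
    """Membership test over disjoint CIDR blocks in O(log n) using bisect on the
    block start addresses (the blocks from collapse_addresses are disjoint and sorted)."""

    def __init__(self, networks: Iterable[ipaddress.IPv4Network]):
        self._nets = sorted(networks, key=lambda n: int(n.network_address))
        self._starts = [int(n.network_address) for n in self._nets]

    def __contains__(self, address: str) -> bool:
        ip = int(ipaddress.IPv4Address(address))
        # Candidate block: the last one whose start is <= ip; then check ip is inside it.
        i = bisect.bisect_right(self._starts, ip) - 1
        return i >= 0 and ip <= int(self._nets[i].broadcast_address)


# Constructed sample: a full /24 listed address by address, an adjacent pair, and a loner.
SAMPLE_BLOCKLIST = ([f"203.0.113.{i}" for i in range(256)]
                    + ["198.51.100.10", "198.51.100.11", "192.0.2.77"])

if __name__ == "__main__":
    rules = collapse_blocklist(SAMPLE_BLOCKLIST)
    print(f"{len(SAMPLE_BLOCKLIST)} addresses -> {len(rules)} rules: {[str(r) for r in rules]}")
    blocked = CidrSet(rules)
    print("203.0.113.200" in blocked, "198.51.100.12" in blocked)
```

With real blocklists the reduction depends on how clustered the addresses are; the collapse only merges exactly adjacent, aligned ranges, so nothing outside the original list is ever matched.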
I missed your reply. Thanks a lot for that, it's very interesting. You are exactly right in understanding what I am trying to do. I also arrived at the conclusion that I could not really run my network extension in a sandbox. It's a bit frustrating as I think sandboxes are excellent for security. But it's good to hear it confirmed, I won't spend more time trying to make it work. Your project seems very interesting. I didn't move to support unsigned apps yet. How do you do this? Do you take a sha256 hash of the staticCode and compare it to your stored value? Something like that? Thanks again
Do you know what "checkTrustedAnchors" does exactly? It seems great, but I can't find documentation on exactly what it does (beyond the header).