IOKit and TrustedBSD policy
How can I use the MAC policies from TrustedBSD inside an IOKit kernel extension?
I already have a working IOKit extension and I would like to add some policies to it.
For testing, I wrote two dummy extensions, one using IOKit and a generic one.
The generic extension is working flawlessly, whilst the IOKit one is generating a link error for the symbols mac_policy_register and mac_policy_unregister.
$ sudo kextutil -tn /tmp/MACPolicy.kext
kxld[com.Test.MACPolicy]: The following symbols are unresolved for this kext:
kxld[com.Test.MACPolicy]: mac_policy_register(mac_policy_conf*, unsigned int*, void*)
kxld[com.Test.MACPolicy]: mac_policy_unregister(unsigned int)
Link failed (error code 5).
Check library declarations for your kext with kextlibs(8).
$ sudo kextlibs -v 6 -undef-symbols /tmp/MACPolicy.kext
Kext user-space log filter changed from 0xff2 to 0xfff.
Kext kernel-space log filter changed from 0xff2 to 0xfff.
Kext library architecture set to x86_64.
Kext library architecture is x86_64 (unchanged).
For all architectures:
com.apple.kpi.iokit = 15.4
com.apple.kpi.libkern = 15.4
For x86_64:
2 symbols not found in any library kext:
__Z21mac_policy_unregisterj
__Z19mac_policy_registerP15mac_policy_confPjPv
I already added the specified libraries to my Info.plist, as well as com.apple.kpi.dsep, com.apple.kpi.unsupported, com.apple.kpi.mach or any combination of those, with no success.
All the information I could find about this was this thread on the darwin-kernel discussion list.
I am targeting OS X 10.11 for now.
You should be aware that, despite the fact that this functionality was officially added (based on OS X v10.11 API Diffs Kernel Changes for Objective-C), unfortunately, starting from High Sierra (10.13), the MAC policy API was totally closed for third-party developers. Apple deleted all references to mac_policy_register, mac_policy_unregister, mac_policy_conf, mac_policy_ops and other main MAC policy parts from its own documentation.
Notice how the missing symbols are mangled as if they were C++ functions, but the functions in question are actually plain C functions. This means when you're calling them from C++, they're using a declaration that's missing the extern "C" linkage specifier. The MAC headers don't take into account C++, so when including them from a .cpp file, you need to wrap them in an extern "C" block explicitly, like so:
extern "C" {
#include <security/mac_policy.h>
}
If your #include is in a mixed C/C++ header file, you'll need to make it conditional on C++ compilation using #ifdef __cplusplus as usual.
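A triage check for the failure described above, as an added example that is not part of the original posts: it scans kextlibs -undef-symbols output for Mach-O symbols that are Itanium-mangled free functions and reports the plain C symbol the linker should have been asked for. The first two sample symbols come from the question; the last two are constructed, and the check is a heuristic, since a genuine C++ free function matches as well.

```python
import re

# Mach-O prepends one underscore, so an Itanium-mangled free function
# shows up as "__Z<len><name><parameter codes>".
_FREE_FUNC = re.compile(r"^__Z(\d+)(.*)$")

def plain_c_name(symbol):
    """Return the source-level name of a mangled free function, else None."""
    m = _FREE_FUNC.match(symbol)
    if not m:
        # Unmangled C symbol, or a nested name (__ZN...E), i.e. a real C++ member.
        return None
    length, rest = int(m.group(1)), m.group(2)
    if length == 0 or length > len(rest):
        return None
    name = rest[:length]
    return name if re.fullmatch(r"[A-Za-z_]\w*", name) else None

def suspect_missing_extern_c(kextlibs_output):
    """Map each mangled free-function symbol to the C symbol a C declaration would reference."""
    suspects = {}
    for line in kextlibs_output.splitlines():
        token = line.strip()
        name = plain_c_name(token)
        if name:
            suspects[token] = "_" + name  # C symbols carry only the Mach-O underscore
    return suspects

# First two symbols are from the question; the last two are constructed for contrast.
SAMPLE = """\
For x86_64:
    2 symbols not found in any library kext:
        __Z21mac_policy_unregisterj
        __Z19mac_policy_registerP15mac_policy_confPjPv
        __ZN9IOService5startEPS_
        _some_missing_c_symbol
"""

if __name__ == "__main__":
    for mangled, c_sym in suspect_missing_extern_c(SAMPLE).items():
        print(f'{mangled}: expected {c_sym}; check extern "C" around the declaring header')
```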