From bd01480ad65658bfceac9b127a6ddd5b92662348 Mon Sep 17 00:00:00 2001 From: James Magahern Date: Wed, 3 Aug 2022 16:56:53 -0700 Subject: [PATCH] Don't build using restricted entitlements by default. --- MessagesBridge.xcodeproj/project.pbxproj | 6 ++---- README.md | 3 +++ ...ments.plist => kordophoned-RestrictedEntitlements.plist} | 0 3 files changed, 5 insertions(+), 4 deletions(-) rename kordophone/{kordophoned-Entitlements.plist => kordophoned-RestrictedEntitlements.plist} (100%) diff --git a/MessagesBridge.xcodeproj/project.pbxproj b/MessagesBridge.xcodeproj/project.pbxproj index c7f26ac..b4d77d1 100644 --- a/MessagesBridge.xcodeproj/project.pbxproj +++ b/MessagesBridge.xcodeproj/project.pbxproj @@ -238,7 +238,7 @@ CD83E161219BE91500F4CCEA /* libagentHook.dylib */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.dylib"; includeInIndex = 0; path = libagentHook.dylib; sourceTree = BUILT_PRODUCTS_DIR; }; CD83E165219BE91600F4CCEA /* agentHook.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = agentHook.m; sourceTree = ""; }; CD83E1B5219BF78E00F4CCEA /* hookAgent.sh */ = {isa = PBXFileReference; lastKnownFileType = text.script.sh; path = hookAgent.sh; sourceTree = ""; }; - CD936A2F289B31740093A1AC /* kordophoned-Entitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "kordophoned-Entitlements.plist"; sourceTree = ""; }; + CD936A2F289B31740093A1AC /* kordophoned-RestrictedEntitlements.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = "kordophoned-RestrictedEntitlements.plist"; sourceTree = ""; }; CD936A30289B353F0093A1AC /* MBIMErrorResponse.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MBIMErrorResponse.h; sourceTree = ""; }; CD936A31289B353F0093A1AC /* MBIMErrorResponse.m */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.objc; path = MBIMErrorResponse.m; sourceTree = ""; }; CDDCF78B283F398C0087ABDF /* MBIMDeleteConversationOperation.h */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.c.h; path = MBIMDeleteConversationOperation.h; sourceTree = ""; }; @@ -580,7 +580,7 @@ 1A0C446D219A4BCD00F2AC00 /* Bridge */, CDF62334219A895D00690038 /* main.m */, 1AAB32B221F835BD004A2A72 /* KPServer.pch */, - CD936A2F289B31740093A1AC /* kordophoned-Entitlements.plist */, + CD936A2F289B31740093A1AC /* kordophoned-RestrictedEntitlements.plist */, ); path = kordophone; sourceTree = ""; @@ -1132,7 +1132,6 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = NO; - CODE_SIGN_ENTITLEMENTS = "kordophone/kordophoned-Entitlements.plist"; CODE_SIGN_IDENTITY = "-"; CODE_SIGN_STYLE = Automatic; GCC_PREFIX_HEADER = kordophone/KPServer.pch; @@ -1149,7 +1148,6 @@ isa = XCBuildConfiguration; buildSettings = { CLANG_ENABLE_MODULES = NO; - CODE_SIGN_ENTITLEMENTS = "kordophone/kordophoned-Entitlements.plist"; CODE_SIGN_IDENTITY = "-"; CODE_SIGN_STYLE = Automatic; GCC_PREFIX_HEADER = kordophone/KPServer.pch; diff --git a/README.md b/README.md index b08eeed..000dd49 100644 --- a/README.md +++ b/README.md @@ -7,6 +7,9 @@ sudo defaults write /Library/Preferences/com.apple.security.coderequirements Ent Maybe a better thing to do is to DYLD_PRELOAD `imagent` and swizzle `IMDAuditTokenTaskHasEntitlement` to always return YES. +Included in the project is "kordophoned-RestrictedEntitlements.plist", which contains all necessary restricted entitlements. +On production macOS builds, the kernel will kill kordophoned immediately if it's signed using restricted entitlements, so agent hook is a +better option when running on prod machines. By default, the project is configured to ignore kordophoned-RestrictedEntitlements.plist when building. ## Building/linking If you get dyld errors running from the command line, use `install_name_tool` to update the @rpath (where @rpath points to where linked Frameworks like GCDWebServer is). diff --git a/kordophone/kordophoned-Entitlements.plist b/kordophone/kordophoned-RestrictedEntitlements.plist similarity index 100% rename from kordophone/kordophoned-Entitlements.plist rename to kordophone/kordophoned-RestrictedEntitlements.plist