-
Notifications
You must be signed in to change notification settings - Fork 6
Expand file tree
/
Copy pathcodesign.h
More file actions
118 lines (95 loc) · 5.88 KB
/
codesign.h
File metadata and controls
118 lines (95 loc) · 5.88 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
/*
* Copyright (c) 2006 Apple Computer, Inc. All rights reserved.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_START@
*
* This file contains Original Code and/or Modifications of Original Code
* as defined in and that are subject to the Apple Public Source License
* Version 2.0 (the 'License'). You may not use this file except in
* compliance with the License. The rights granted to you under the License
* may not be used to create, or enable the creation or redistribution of,
* unlawful or unlicensed copies of an Apple operating system, or to
* circumvent, violate, or enable the circumvention or violation of, any
* terms of an Apple operating system software license agreement.
*
* Please obtain a copy of the License at
* http://www.opensource.apple.com/apsl/ and read it before using this file.
*
* The Original Code and all software distributed under the License are
* distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
* EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
* INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
* FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
* Please see the License for the specific language governing rights and
* limitations under the License.
*
* @APPLE_OSREFERENCE_LICENSE_HEADER_END@
*/
#ifndef _SYS_CODESIGN_H_
#define _SYS_CODESIGN_H_
#include <sys/types.h>
/* code signing attributes of a process */
#define CS_VALID 0x00000001 /* dynamically valid */
#define CS_ADHOC 0x00000002 /* ad hoc signed */
#define CS_GET_TASK_ALLOW 0x00000004 /* has get-task-allow entitlement */
#define CS_INSTALLER 0x00000008 /* has installer entitlement */
#define CS_FORCED_LV 0x00000010 /* Library Validation required by Hardened System Policy */
#define CS_INVALID_ALLOWED 0x00000020 /* (macOS Only) Page invalidation allowed by task port policy */
#define CS_HARD 0x00000100 /* don't load invalid pages */
#define CS_KILL 0x00000200 /* kill process if it becomes invalid */
#define CS_CHECK_EXPIRATION 0x00000400 /* force expiration checking */
#define CS_RESTRICT 0x00000800 /* tell dyld to treat restricted */
#define CS_ENFORCEMENT 0x00001000 /* require enforcement */
#define CS_REQUIRE_LV 0x00002000 /* require library validation */
#define CS_ENTITLEMENTS_VALIDATED 0x00004000 /* code signature permits restricted entitlements */
#define CS_NVRAM_UNRESTRICTED 0x00008000 /* has com.apple.rootless.restricted-nvram-variables.heritable entitlement */
#define CS_RUNTIME 0x00010000 /* Apply hardened runtime policies */
#define CS_LINKER_SIGNED 0x00020000 /* Automatically signed by the linker */
#define CS_ALLOWED_MACHO (CS_ADHOC | CS_HARD | CS_KILL | CS_CHECK_EXPIRATION | \
CS_RESTRICT | CS_ENFORCEMENT | CS_REQUIRE_LV | CS_RUNTIME | CS_LINKER_SIGNED)
#define CS_EXEC_SET_HARD 0x00100000 /* set CS_HARD on any exec'ed process */
#define CS_EXEC_SET_KILL 0x00200000 /* set CS_KILL on any exec'ed process */
#define CS_EXEC_SET_ENFORCEMENT 0x00400000 /* set CS_ENFORCEMENT on any exec'ed process */
#define CS_EXEC_INHERIT_SIP 0x00800000 /* set CS_INSTALLER on any exec'ed process */
#define CS_KILLED 0x01000000 /* was killed by kernel for invalidity */
#define CS_NO_UNTRUSTED_HELPERS 0x02000000 /* kernel did not load a non-platform-binary dyld or Rosetta runtime */
#define CS_DYLD_PLATFORM CS_NO_UNTRUSTED_HELPERS /* old name */
#define CS_PLATFORM_BINARY 0x04000000 /* this is a platform binary */
#define CS_PLATFORM_PATH 0x08000000 /* platform binary by the fact of path (osx only) */
#define CS_DEBUGGED 0x10000000 /* process is currently or has previously been debugged and allowed to run with invalid pages */
#define CS_SIGNED 0x20000000 /* process has a signature (may have gone invalid) */
#define CS_DEV_CODE 0x40000000 /* code is dev signed, cannot be loaded into prod signed code (will go away with rdar://problem/28322552) */
#define CS_DATAVAULT_CONTROLLER 0x80000000 /* has Data Vault controller entitlement */
#define CS_ENTITLEMENT_FLAGS (CS_GET_TASK_ALLOW | CS_INSTALLER | CS_DATAVAULT_CONTROLLER | CS_NVRAM_UNRESTRICTED)
/* csops operations */
#define CS_OPS_STATUS 0 /* return status */
#define CS_OPS_MARKINVALID 1 /* invalidate process */
#define CS_OPS_MARKHARD 2 /* set HARD flag */
#define CS_OPS_MARKKILL 3 /* set KILL flag (sticky) */
#define CS_OPS_PIDPATH 4 /* get executable's pathname */ //not supported anymore
#define CS_OPS_CDHASH 5 /* get code directory hash */
#define CS_OPS_PIDOFFSET 6 /* get offset of active Mach-o slice */
#define CS_OPS_ENTITLEMENTS_BLOB 7 /* get entitlements blob */
#define CS_OPS_MARKRESTRICT 8 /* set RESTRICT flag (sticky) */
#define CS_OPS_SET_STATUS 9 /* set codesign flags */
#define CS_OPS_BLOB 10 /* get codesign blob */
#define CS_OPS_IDENTITY 11 /* get codesign identity */
#define CS_OPS_CLEARINSTALLER 12 /* clear INSTALLER flag */
#define CS_OPS_CLEARPLATFORM 13 /* clear platform binary status (DEVELOPMENT-only) */
#define CS_OPS_TEAMID 14 /* get team id */
#define CS_OPS_CLEAR_LV 15 /* clear the library validation flag */
#define CS_OPS_DER_ENTITLEMENTS_BLOB 16 /* get der entitlements blob */
#define CS_OPS_VALIDATION_CATEGORY 17 /* get process validation category */
#define CS_MAX_TEAMID_LEN 64
#ifndef KERNEL
__BEGIN_DECLS
/* code sign operations */
int csops(pid_t pid, unsigned int ops, void * useraddr, size_t usersize);
__END_DECLS
#endif /* ! KERNEL */
#endif /* _SYS_CODESIGN_H_ */
struct cs_blob {
uint32_t type;
uint32_t len;
char data[];
};