darwin: Disable advanced features in hardened processes
- pipe: Avoid socket APIs, and accept that child gating won't work.
- fdt-padder: Avoid padding file-descriptor table, as the system calls
  for doing so are often off limits, and because child gating isn't
  possible there is no point anyway.
- exceptor: Disable to avoid deadlocks in case Mach ports are guarded.

Co-authored-by: Håvard Sørbø <havard@hsorbo.no>
oleavr and hsorbo committed Dec 1, 2022
1 parent 94bef43 commit d31a543
Showing 6 changed files with 34 additions and 5 deletions.
3 changes: 3 additions & 0 deletions lib/agent/agent.vala
Expand Up @@ -254,6 +254,9 @@ namespace Frida.Agent {
string[] tokens = agent_parameters.split ("|");
unowned string transport_uri = tokens[0];
bool enable_exceptor = true;
#if DARWIN
enable_exceptor = !Gum.Darwin.query_hardened ();
#endif
bool enable_exit_monitor = true;
bool enable_thread_suspend_monitor = true;
foreach (unowned string option in tokens[1:]) {
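Review bot: The new default `enable_exceptor = !Gum.Darwin.query_hardened ();` carries no comment, so the reason the exceptor is off in hardened processes is recorded only in the commit message. I would add `// Hardened processes may have guarded Mach ports; installing the exceptor there can deadlock.` above the `#if DARWIN` line. Because this default is computed before the `foreach` over `tokens[1:]`, it is also worth confirming that no option parsed in that loop can switch the exceptor back on in a hardened process. The loop body lies outside this hunk, so that is a question to check rather than a finding.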
3 changes: 3 additions & 0 deletions lib/agent/meson.build
Expand Up @@ -14,6 +14,9 @@ extra_link_args = []
if host_os_family != 'windows'
extra_vala_args += ['--pkg=posix']
endif
if host_os_family == 'darwin'
extra_vala_args += ['--pkg=frida-gum-darwin-1.0']
endif

if host_os_family == 'darwin'
extra_link_args += ['-Wl,-exported_symbol,_frida_agent_main']
10 changes: 10 additions & 0 deletions lib/payload/fdt-padder.vala
Expand Up @@ -30,6 +30,11 @@ namespace Frida {
}

private FileDescriptorTablePadder () {
#if DARWIN
if (Gum.Darwin.query_hardened ())
return;
#endif

open_needed_descriptors ();
}

Expand All @@ -44,6 +49,11 @@ namespace Frida {
}

public void move_descriptor_if_needed (ref int fd) {
#if DARWIN
if (Gum.Darwin.query_hardened ())
return;
#endif

if (fd >= MIN_TABLE_SIZE)
return;

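Review bot: In a hardened process `move_descriptor_if_needed` now returns with `fd` untouched, so a caller that relied on the descriptor ending up at or above `MIN_TABLE_SIZE` keeps a low-numbered descriptor and gets no indication that the move was skipped. That change of contract should be documented on the method, for example `// No-op in hardened Darwin processes: fd is left where it is, possibly below MIN_TABLE_SIZE.`, and the callers (not visible on this page) checked for code that assumes the move happened. The same `Gum.Darwin.query_hardened ()` guard is repeated in the constructor hunk above; a single private helper or a field set once in the constructor would keep the two paths from drifting apart. The method body continues past the end of this hunk.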
3 changes: 3 additions & 0 deletions lib/payload/meson.build
Expand Up @@ -29,6 +29,9 @@ extra_vala_args = []
if host_os_family != 'windows'
extra_vala_args += ['--pkg=posix']
endif
if host_os_family == 'darwin'
extra_vala_args += ['--pkg=frida-gum-darwin-1.0']
endif
if host_os_family == 'linux'
extra_vala_args += ['--pkg=linux']
endif
3 changes: 3 additions & 0 deletions lib/pipe/meson.build
Expand Up @@ -12,6 +12,9 @@ if host_os_family == 'windows'
]
elif host_os in ['macos', 'ios']
pipe_sources += ['pipe-darwin.c']

system_deps += [gio_unix_dep]
vala_args += ['--pkg=frida-gum-darwin-1.0', '--pkg=posix']
else
pipe_sources += ['pipe-unix.c']

17 changes: 12 additions & 5 deletions lib/pipe/pipe.vala
Expand Up @@ -118,14 +118,21 @@ namespace Frida {
}
#elif MACOS || IOS
namespace DarwinPipe {
public static Future<SocketConnection> open (string address, Cancellable? cancellable) {
var promise = new Promise<SocketConnection> ();
public static Future<IOStream> open (string address, Cancellable? cancellable) {
var promise = new Promise<IOStream> ();

try {
var fd = _consume_stashed_file_descriptor (address);
var socket = new Socket.from_fd (fd);
var connection = SocketConnection.factory_create_connection (socket);
promise.resolve (connection);
IOStream stream;
if (Gum.Darwin.query_hardened ()) {
var input = new UnixInputStream (fd, true);
var output = new UnixOutputStream (fd, false);
stream = new SimpleIOStream (input, output);
} else {
var socket = new Socket.from_fd (fd);
stream = SocketConnection.factory_create_connection (socket);
}
promise.resolve (stream);
} catch (GLib.Error e) {
promise.reject (e);
}
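Review bot: The hardened branch wraps one descriptor in two streams with asymmetric ownership (`new UnixInputStream (fd, true)` and `new UnixOutputStream (fd, false)`), and nothing in the code says that this is deliberate. If a later edit sets both flags to `true`, the descriptor is closed twice and the second close can hit an unrelated descriptor that reused the number; if both are `false`, it leaks. I would add `// Both streams share fd; only the input stream owns and closes it.` above the two constructor calls. The return type also changes from `Future<SocketConnection>` to `Future<IOStream>`, so any caller that used socket-specific API on the result needs checking; those callers and the end of `open` are outside this hunk.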
