1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
content / common / mac / task_port_policy.cc [blame]
// Copyright 2022 The Chromium Authors
// Use of this source code is governed by a BSD-style license that can be
// found in the LICENSE file.
#include "content/common/mac/task_port_policy.h"
extern "C" {
int __sandbox_ms(const char* policy, int op, void* arg);
}
namespace content {
namespace {
// From AppleMobileFileIntegrity.kext`policy_syscall() on macOS 12.4 21F79.
enum AmfiStatusFlags {
// Boot arg: `amfi_unrestrict_task_for_pid`.
kAmfiOverrideUnrestrictedDebugging = 1 << 0,
// Boot arg: `amfi_allow_any_signature`.
kAmfiAllowInvalidSignatures = 1 << 1,
// Boot arg: `amfi_get_out_of_my_way`.
kAmfiAllowEverything = 1 << 2,
};
} // namespace
bool MachTaskPortPolicy::AmfiIsAllowEverything() const {
return amfi_status_retval == 0 && (amfi_status & kAmfiAllowEverything) != 0;
}
MachTaskPortPolicy GetMachTaskPortPolicy() {
MachTaskPortPolicy policy;
// Undocumented MACF system call to Apple Mobile File Integrity.kext. In
// macOS 12.4 21F79 (and at least back to macOS 12.0), this returns a
// bitmask containing the AMFI status flags.
policy.amfi_status_retval = __sandbox_ms("AMFI", 0x60, &policy.amfi_status);
return policy;
}
} // namespace content