security: made permitive system more flexible

cr4zyengineer · cr4zyengineer · commit b5c90f56c7c4 · 2026-02-23T09:30:34.000+01:00
diff --git a/Config.xcconfig b/Config.xcconfig
@@ -9,4 +9,4 @@
 // https://developer.apple.com/documentation/xcode/adding-a-build-configuration-file-to-your-project
 
 VERSION = 0.9.0
-BUILD_NUMBER = 20260223.82.US.seanistethered
+BUILD_NUMBER = 20260223.89.US.seanistethered
diff --git a/Nyxian/LindChain/ProcEnvironment/Surface/entitlement.h b/Nyxian/LindChain/ProcEnvironment/Surface/entitlement.h
@@ -28,6 +28,9 @@
  @abstract Entitlements which are responsible for the permitives of the environment hostsided
  */
 typedef NS_OPTIONS(uint64_t, PEEntitlement) {
+    /*! No entitlements at all */
+    PEEntitlementNone                               = 0,
+    
     /*! Grants other processes with appropriate permitives to get task port of process .*/
     PEEntitlementGetTaskAllowed                     = 1ull << 0,
     
diff --git a/Nyxian/LindChain/ProcEnvironment/Surface/permit.h b/Nyxian/LindChain/ProcEnvironment/Surface/permit.h
@@ -23,6 +23,6 @@
 #import <LindChain/ProcEnvironment/Surface/surface.h>
 #import <LindChain/ProcEnvironment/Surface/proc/proc.h>
 
-BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc, pid_t targetPid);
+BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc, pid_t targetPid, BOOL allowRootBypass, BOOL allowSessionBypass, BOOL allowPlatformBypass, PEEntitlement entitlementsNeeded, PEEntitlement targetEntitlementsNeeded);
 
 #endif /* PROCENVIRONMENT_PERMIT_H */
diff --git a/Nyxian/LindChain/ProcEnvironment/Surface/permit.m b/Nyxian/LindChain/ProcEnvironment/Surface/permit.m
@@ -22,7 +22,12 @@
 #import <LindChain/ProcEnvironment/Surface/proc/list.h>
 
 BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc,
-                                pid_t targetPid)
+                                pid_t targetPid,
+                                BOOL allowRootBypass,
+                                BOOL allowSessionBypass,
+                                BOOL allowPlatformBypass,
+                                PEEntitlement entitlementsNeeded,
+                                PEEntitlement targetEntitlementsNeeded)
 {
     /* null pointer check */
     if(proc == NULL)
@@ -35,7 +40,7 @@ BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc,
     pid_t caller_sid = proc_getsid(proc);
     
     /* if proc is root its automatically allowed */
-    if(caller_uid == 0)
+    if(allowRootBypass && caller_uid == 0)
     {
         return YES;
     }
@@ -63,14 +68,6 @@ BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc,
     /* locking target process aswell */
     kvo_rdlock(targetProc);
     
-    /* checking if target process is a platformised process and therefore can only be decided at by a other process that is platformised */
-    if(entitlement_got_entitlement(proc_getentitlements(targetProc), PEEntitlementPlatform) &&
-       !entitlement_got_entitlement(proc_getentitlements(proc), PEEntitlementPlatform))
-    {
-        /* nope! */
-        goto out_unlock;
-    }
-    
     /* getting visibility */
     proc_visibility_t vis = get_proc_visibility(proc);
     
@@ -81,9 +78,47 @@ BOOL permitive_over_pid_allowed(ksurface_proc_copy_t *proc,
         goto out_unlock;
     }
     
-    /* checking if the process is allowed to gain permitives naturally over the target */
-    if(caller_uid == proc_getruid(targetProc) ||
+    if(entitlementsNeeded != PEEntitlementNone &&
+       !entitlement_got_entitlement(proc_getentitlements(proc), entitlementsNeeded))
+    {
+        goto out_unlock;
+    }
+    
+    /* handling sid bypass */
+    if(allowSessionBypass &&
+       caller_uid == proc_getruid(targetProc) &&
        caller_sid == proc_getsid(targetProc))
+    {
+        allowed = YES;
+        goto out_unlock;
+    }
+    
+    /* handling platform bypass */
+    if(allowPlatformBypass &&
+       (caller_uid == proc_getruid(targetProc) || caller_uid == 0) &&
+       entitlement_got_entitlement(proc_getentitlements(proc), PEEntitlementPlatform))
+    {
+        allowed = YES;
+        goto out_unlock;
+    }
+    
+    /* checking if target got entitlement if applicable */
+    if(targetEntitlementsNeeded != PEEntitlementNone &&
+       !entitlement_got_entitlement(proc_getentitlements(targetProc), targetEntitlementsNeeded))
+    {
+        /* nope! */
+        goto out_unlock;
+    }
+    
+    /* checking if target process is a platformised process and therefore can only be decided at by a other process that is platformised */
+    if(entitlement_got_entitlement(proc_getentitlements(targetProc), PEEntitlementPlatform) &&
+       !entitlement_got_entitlement(proc_getentitlements(proc), PEEntitlementPlatform))
+    {
+        /* still nope! */
+        goto out_unlock;
+    }
+    
+    if(caller_uid == proc_getruid(targetProc))
     {
         allowed = YES;
     }
diff --git a/Nyxian/LindChain/ProcEnvironment/Surface/sys/compat/gettask.m b/Nyxian/LindChain/ProcEnvironment/Surface/sys/compat/gettask.m
@@ -31,24 +31,6 @@
     pid_t pid = (pid_t)args[0];
     bool name_only = (bool)args[1];
     
-    /* check if the pid passed is the caller them selves */
-    bool isCaller = (pid == proc_getpid(sys_proc_copy_));
-    
-    /*
-     * checking if the caller process got the entitlement to
-     * use tfp or if its the caller it self requesting its
-     * own task port which is allowed in any case.
-     */
-    if(!entitlement_got_entitlement(proc_getentitlements(sys_proc_copy_), PEEntitlementTaskForPid) &&
-       !isCaller &&
-       !name_only)
-    {
-        sys_return_failure(EPERM);
-    }
-    
-    /* check if the pid passed is the kernel process */
-    bool isHost = (pid == proc_getpid(kernel_proc_));
-    
     /* placeholder for target process */
     ksurface_proc_t *target = NULL;
     
@@ -69,57 +51,26 @@
      */
     task_rdlock();
     
-    /*
-     * if host we can skip this crap :3
-     *
-     * and we shall skip it in that case,
-     * because I dont wanna take another reference
-     * of kernel_proc_, way too much CPU time for
-     * a fact we already know lol.
-     */
-    if(!isHost)
-    {
-        /* getting the target process */
-        ksurface_return_t ret = proc_for_pid(pid, &target);
+    /* getting the target process */
+    ksurface_return_t ret = proc_for_pid(pid, &target);
         
-        /* checking if successful */
-        if(ret != SURFACE_SUCCESS ||
-           target == NULL)
-        {
-            errnov = ESRCH;
-            goto out_unlock_failure;
-        }
-        
-        /*
-         * checks if target gives permissions to get the task port of it self
-         * in the first place and if the process allows for it except if the
-         * caller is a special process.
-         */
-        if(!entitlement_got_entitlement(proc_getentitlements(sys_proc_copy_), PEEntitlementPlatform) &&
-           ((!entitlement_got_entitlement(proc_getentitlements(target), PEEntitlementGetTaskAllowed) && (!isCaller || !name_only)) ||
-            !permitive_over_pid_allowed(sys_proc_copy_, pid)))
-        {
-            errnov = EPERM;
-            goto out_proc_release_failure;
-        }
-    }
-    else
+    /* checking if successful */
+    if(ret != SURFACE_SUCCESS ||
+        target == NULL)
     {
-        /* checking if child is entitled */
-        if(!entitlement_got_entitlement(proc_getentitlements(sys_proc_copy_), PEEntitlementPlatform))
-        {
-            errnov = EPERM;
-            goto out_unlock_failure;
-        }
-        
-        /* trying to retain kernel process */
-        if(!kvo_retain(kernel_proc_))
-        {
-            errnov = ESRCH;
-            goto out_unlock_failure;
-        }
+        errnov = ESRCH;
+        goto out_unlock_failure;
+    }
         
-        target = kernel_proc_;
+    /*
+     * checks if target gives permissions to get the task port of it self
+     * in the first place and if the process allows for it except if the
+     * caller is a special process.
+     */
+    if(!permitive_over_pid_allowed(sys_proc_copy_, pid, YES, YES, YES, name_only ? PEEntitlementNone : PEEntitlementTaskForPid, name_only ? PEEntitlementNone : PEEntitlementGetTaskAllowed))
+    {
+        errnov = EPERM;
+        goto out_proc_release_failure;
     }
     
     /* getting flavour */
diff --git a/Nyxian/LindChain/ProcEnvironment/Surface/sys/proc/kill.m b/Nyxian/LindChain/ProcEnvironment/Surface/sys/proc/kill.m
@@ -42,9 +42,7 @@
      * also checks if the caller process has the entitlement to kill
      * and checks if the process has permitive over the other process.
      */
-    if(pid != proc_getpid(sys_proc_copy_) &&
-       (!entitlement_got_entitlement(proc_getentitlements(sys_proc_copy_), PEEntitlementProcessKill) ||
-        !permitive_over_pid_allowed(sys_proc_copy_, pid)))
+    if(!permitive_over_pid_allowed(sys_proc_copy_, pid, YES, YES, YES, PEEntitlementProcessKill, PEEntitlementNone))
     {
         sys_return_failure(EINVAL);
     }

Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,7 @@`
`42`	`42`	`* also checks if the caller process has the entitlement to kill`
`43`	`43`	`* and checks if the process has permitive over the other process.`
`44`	`44`	`*/`
`45`		`- if(pid != proc_getpid(sys_proc_copy_) &&`
`46`		`- (!entitlement_got_entitlement(proc_getentitlements(sys_proc_copy_), PEEntitlementProcessKill) \|\|`
`47`		`- !permitive_over_pid_allowed(sys_proc_copy_, pid)))`
	`45`	`+ if(!permitive_over_pid_allowed(sys_proc_copy_, pid, YES, YES, YES, PEEntitlementProcessKill, PEEntitlementNone))`
`48`	`46`	`{`
`49`	`47`	`sys_return_failure(EINVAL);`
`50`	`48`	`}`