Runtime Protections
When a process is started, the kernel checks whether its main executable is protected on disk or is signed with a special system entitlement. If either is true, a flag is set on the process to mark it as protected against modification, and any attempt to attach to that process is denied by the kernel.
Attempting to get the Mach task port of such a process with the task_for_pid function, or to obtain the task ports of the tasks in a processor set with the processor_set_tasks function, fails and returns EPERM.
Spawning child processes from a process restricted by System Integrity Protection, for example by launching a helper process in a bundle with NSTask or by calling one of the exec(2) functions, resets the Mach special ports of the child process. Any dynamic linker (dyld) environment variables, such as DYLD_LIBRARY_PATH, are purged when a protected process is launched.
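The purge of dyld environment variables can be observed from the shell. The script below is an added example for this page, not code from Apple's guide: it sets a variable in the parent's environment, execs a probe binary that prints its own environment (env(1) is used for that), and checks whether the variable reached the child. The marker value and the PROBE_CONTROL variable name are chosen for this example. On a macOS system with System Integrity Protection enabled, /usr/bin/env lives in a protected directory, so the DYLD_* variables are purged while the control variable survives; on a system without this protection, or for an unprotected copy of the same binary (cp /usr/bin/env /tmp/env), every variable survives.

```shell
#!/bin/sh
# Added example, not code from Apple's System Integrity Protection Guide.
# Probes whether a variable set in the parent's environment is still visible
# to a child after exec. The probe binary must print its own environment, so
# env(1) is used. With SIP enabled, a protected binary such as /usr/bin/env
# has DYLD_* variables purged at launch; a non-DYLD control variable and an
# unprotected copy of the binary keep them. MARKER and PROBE_CONTROL are
# names chosen for this example.

MARKER=sip-probe-marker

# env_survives VAR BINARY
# exit status 0: VAR reached the child's environment; 1: it was purged.
env_survives() {
    var=$1
    bin=$2
    # Launch BINARY with VAR set to the marker and look for that exact
    # "VAR=marker" line in the environment the child prints.
    env "$var=$MARKER" "$bin" 2>/dev/null | grep -q "^$var=$MARKER\$"
}

# count_purged_dyld BINARY
# Prints how many of the listed DYLD_* variables did not survive exec.
count_purged_dyld() {
    bin=$1
    n=0
    for var in DYLD_LIBRARY_PATH DYLD_INSERT_LIBRARIES DYLD_PRINT_LIBRARIES; do
        env_survives "$var" "$bin" || n=$((n + 1))
    done
    echo "$n"
}

# probe_binary BINARY
# Human-readable report: the control variable plus the DYLD_* variables.
probe_binary() {
    bin=$1
    for var in PROBE_CONTROL DYLD_LIBRARY_PATH DYLD_INSERT_LIBRARIES DYLD_PRINT_LIBRARIES; do
        if env_survives "$var" "$bin"; then
            printf '%-22s survives exec of %s\n' "$var" "$bin"
        else
            printf '%-22s purged by exec of %s\n' "$var" "$bin"
        fi
    done
    printf 'DYLD_* variables purged: %s\n' "$(count_purged_dyld "$bin")"
}

# Usage: sh probe.sh /usr/bin/env        (protected on a SIP-enabled Mac)
#        cp /usr/bin/env /tmp/env; sh probe.sh /tmp/env   (unprotected copy)
if [ $# -gt 0 ]; then
    probe_binary "$1"
fi
```

Whether a file is protected on disk can be confirmed with BSD ls: `ls -lO /usr/bin/env` lists the `restricted` file flag on SIP-protected files, and the copy under /tmp will not carry it, which is why the copy keeps its DYLD_* variables.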
DTrace cannot be used to inspect system processes, whether from the Instruments application or from the dtrace(1) command-line tool.
Attempting to attach to a system process, such as with LLDB, fails, even when running as root with sudo:

    $ sudo lldb -n Finder
    (lldb) process attach --name "Finder"
    error: attach failed: attach failed: lost connection
Copyright © 2015 Apple Inc. All Rights Reserved. Updated: 2015-09-16