hoakley August 14, 2018 Macs, Technology

Mojave’s privacy protection and command tools: a collision in which the user is the loser

I have been pressing on with getting my apps notarized for Mojave, but stumbled into a curious problem: Apple Notary Service only works with fully-fledged apps. I have looked back at the presentation about it at WWDC (Session 702), and can’t find any mention of command tools.

Apps and command tools are formed quite differently. An app is a structured bundle containing executable code, code signatures, an Info.plist property list, and all sorts of other files. When it’s notarized, additional signatures are added, which Mojave knows how to handle.

In contrast, a command tool is normally a single file containing executable code, with a code signature tacked on. There’s no property list in which to claim any capabilities, and it seems no way of either ‘hardening’ or notarizing it.

Although users primarily see apps running on macOS, if you take a few moments to browse the list of active processes in Activity Monitor, you’ll notice that most of those are not apps at all, but faceless processes which follow the command tool model instead. Most are run by macOS itself, but depending on what you do with your Mac, many could be developed by third parties.

Command tools are a bit of a problem for Mojave’s new privacy and other protection. Many are intended to work quite low down inside your Mac, having access to files and folders which you don’t normally see. They may be run interactively from Terminal, in shell scripts, or through scheduling mechanisms like LaunchAgents. When they do run, you could be a long way from your Mac. They could be running an automated backup, or indexing metadata in your photos and videos.

In the newly protected world of Mojave, macOS can handle this one of three ways:

it can treat all third-party command tools as lacking the capabilities to access private data,
it can treat all third-party command tools as having full capabilities to access private data,
it can provide an authorisation mechanism by which specific third-party command tools can gain the capabilities to access private data.

So far, Apple has not indicated which of these will be used, and there seems to be no support for any authorisation mechanism equivalent to hardening and notarization for apps.

Assuming that one of the first two is enforced, the user will as usual be the loser. In the first case, all command tools other than Apple’s will cease working on significant portions of each user’s Home folder. If you use a third-party backup system which depends on command tools, your backups will be rather smaller and less useful than they were before.

With apps, the way that macOS responds to an app attempting to access protected data is to crash the app immediately. If the same happens with command tools, then not only will tasks run by them not do what they’re expected to, but many will crash out every time that they’re run on protected data.

On the other hand, giving command tools free reign over protected data provides an easy bypass for Mojave’s privacy protection. In particular, as it is common for malware to follow the command tool model, that would defeat much of the purpose of protection. But it could also be used as a backdoor for regular apps to gain access to private data, as they can run command tools to obtain whatever information they might want, even though they could be hardened and notarized.

In Mojave, app hardening and notarization are only voluntary, but from its release date privacy protection will be enforced. Apple needs to remember that, unlike iOS, in macOS there are many systems out there which rely on third-party command tools for getting their work done.

10Comments

Add yours

1

Randy Saldinger (Mothers Ruin Software) on August 14, 2018 at 2:14 pm

Interesting questions. FWIW, command line tools CAN have both Info.plists and entitlements.

For the Info.plist, turn on the “Create Info.plist Section in Binary” (CREATE_INFOPLIST_SECTION_IN_BINARY) setting, and the Info.plist designated by the usual “Info.pilst File” setting will get embedded into a dyld load command. Entitlements are part of the code signature, just the way they are for app bundles.

How the various Info.plist and entitlement keys behave in a command line tool on Mojave, I don’t know!

As for notarization, it’s possible that Apple assumes they will be installed via a package — and packages are supposed to be notarizable. But I haven’t tried to notarize a package myself, and have no clue what effect it actually has. (Even when notarizing an app bundle that contains a command line tool, the notarization log calls out the embedded frameworks and XPC service bundles, but not the command line tool. Maybe it will some day, though.)

LikeLiked by 1 person
- 2
  
  hoakley on August 14, 2018 at 2:22 pm
  
  Thanks.
  In theory then it might be possible to add capabilities to a command tool in Xcode, and effectively make it ‘hardened’. I’ll have a play with that in the new betas and see if there is a way ahead.
  Notarizing a package – which would be much easier if Xcode could actually make and sign installer packages – would only assure the installation, and wouldn’t grant the installed tool(s) any capabilities.
  And of course these only really work for tools built in Xcode – trying to build all this into scripted builds of open source packages might be less entertaining.
  It looks to me like no one thought about these things, yet.
  Howard.
  
  LikeLike
  - 3
    
    Randy Saldinger (Mothers Ruin Software) on August 14, 2018 at 3:30 pm
    
    Hmmm. Well, notarization doesn’t ever grant capabilities; only entitlements do that.
    
    Even for a normal app: enabling the hardened runtime removes capabilities that would otherwise be present, such as the ability to *ask* for access to certain kinds of private data. Entitlements selectively give those capabilities back.
    
    Notarizing is only a record of the fact that the specific app was vetted by Apple’s service, the requirements of which are (intentionally?) opaque and presumably ever-changing. But obviously it includes using the hardened runtime, and (one hopes) some sort of malware checking. It appears that Apple keeps a record of the bits of code (apps, as well as frameworks and XPC services inside those apps) that have been so checked and notarized, in the form of their code-signature hashes. When you “staple” the notarization to the app bundle (or enclosing dmg), you’re basically attaching the same evidence in a cryptographically-signed-by-Apple form, which simply avoids macOS having to connect over the Internet to check the code signature hashes with Apple.
    
    In theory, when a package is successfully notarized, everything it installs would be considered notarized, though I don’t know if that’s true or how it works. Obviously, vetting everything inside a package is a lot more complex than vetting everything inside a single app bundle.
    
    LikeLiked by 1 person
    - 4
      
      hoakley on August 14, 2018 at 3:37 pm
      
      So ‘hardening’ a command tool or app would only limit its abilities to access files in the newly protected areas?
      In that case, unhardened command tools and apps should have no problems accessing protected files, which isn’t what I understood from WWDC or Mojave betas.
      In the case of the new capabilities (rather than App Store entitlements), I thought that declaring the capability enabled the user to choose whether to let an app have access.
      Howard.
      
      LikeLike
  - 5
    
    Randy Saldinger (Mothers Ruin Software) on August 14, 2018 at 4:00 pm
    
    I believe that an unhardened app can ask for access to protected files; the user is still queried, but it’s allowed to make the request. (Whereas a hardened app is allowed to ask only if it also has the right entitlement.)
    
    So, yeah, unhardened apps actually have more capabilities than hardened ones do. However, at some undetermined point in the future, Apple’s gonna flip a switch, and hardened apps will have the advantage of being allowed to run at all (by virtue of having been notarized, which indirectly assures hardening). So whatever unhardened (non-Apple) apps can do today is temporary.
    
    I view this as a transition phase, with the ideal being that useful apps get hardened (and therefore notarized), and will continue to run even when non-notarized, non-hardened apps are turned off.
    
    Again, how much of that scheme currently is extended to command line tools, I don’t know and haven’t tested. I wouldn’t be surprised if the intent is that a similar set of rules apply to all code, including command line tools, though.
    
    LikeLike
    - 6
      
      hoakley on August 14, 2018 at 10:04 pm
      
      For a command tool, that seems to be the worst of all possible worlds.
      Before notarization is required, unhardened tools will only be able to access protected areas if the user adds them to the Privacy pane listings, which they can’t do because it only handles full apps.
      Even if/when you can notarize tools, they still can’t pass through user consent.
      And when they try to access a protected area, like all other code, they crash immediately.
      Oh boogaloo.
      Howard.
      
      LikeLike
  - 7
    
    Randy Saldinger (Mothers Ruin Software) on August 15, 2018 at 1:28 am
    
    I guess my speculation wasn’t clear (and I *am* only speculating here).
    
    I’m suggesting that command line tools might not be all that different than apps. That is, if an unhardened app asks for (say) location data, the user is asked to grant permission, and if they consent, it proceeds. If a hardened app asks for location data, and it has the entitlement, the user is asked the same way. Only if the app is hardened and *lacks* the entitlement does it get killed — presumably on the assumption that a (hardened) app that is asking for data that it doesn’t declare is an app that is being exploited in some way.
    
    Yes, for a command line tool, there is the question of whether and how the user is asked. The only piece of this that I’ve personally witnessed is the automation (AppleEvents) permission, which in the most recent Mojave betas manifests as the Terminal wanting to control another app — kinda confusing, and not very useful if you are ssh’d into the machine. It does seem like there should be some way to add individual command-line tools to the permission lists, but who knows if that will happen…
    
    LikeLiked by 1 person
    - 8
      
      hoakley on August 15, 2018 at 8:00 pm
      
      I had a chance to check behaviour in the current beta – with only around a month to go before GM. As in all previous versions, all attempts to access protected files, even from non-hardened apps given ‘permission’ through the Privacy pane, result in an immediate crash.
      All the Privacy pane setting currently does is allow the designated app to see inside the protected folder. In some cases (Photos libraries), some files can be accessed, but in calendars, for example, the new TCC system blows the app away the moment it asks to see protected files or their extended attributes.
      Unless this is fixed soon, a great number of tools are completely screwed.
      Howard.
      
      LikeLike
- 9
  
  hoakley on August 14, 2018 at 2:59 pm
  
  OK – there is a hardened option in the code-signing options, but that doesn’t seem to bring up any controls over capabilities. What’s more, it doesn’t appear that capabilities are included in the Info.plist, so there doesn’t seem to be anywhere to add them, nor any clue as to what the flags are.
  It all looks incomplete to me – most of the controls present, but not really functional or documented.
  Whether any of this changes the actual capabilities of a command tool is also anyone’s guess.
  Howard.
  
  LikeLike
  - 10
    
    Randy Saldinger (Mothers Ruin Software) on August 14, 2018 at 3:35 pm
    
    That may (or may not) be a limitation of Xcode’s Capabilities UI, which is really just a thin layer over the entitlements property list that gets used at code-signing time. You could create your own entitlements plist (using one from a normal app target as a template), and point the command line tool target to it using the CODE_SIGN_ENTITLEMENTS build setting.
    
    In any case, capabilities are really only specified via the entitlements. The Info.plist only comes into it for things like “purpose strings” that are required by some capabilities.
    
    I also don’t know what actual effect this has on the command line tool at runtime. And no argument that it looks a bit half-baked…
    
    LikeLiked by 1 person

·Comments are closed.

Share this:

Related