├── .gitignore ├── PrivilegedTaskRunner.xcodeproj ├── project.pbxproj ├── project.xcworkspace │ ├── contents.xcworkspacedata │ └── xcuserdata │ │ └── antti.xcuserdatad │ │ └── UserInterfaceState.xcuserstate └── xcuserdata │ └── antti.xcuserdatad │ ├── xcdebugger │ └── Breakpoints_v2.xcbkptlist │ └── xcschemes │ ├── PrivilegedTaskRunner.xcscheme │ ├── PrivilegedTaskRunnerHelper.xcscheme │ └── xcschememanagement.plist ├── PrivilegedTaskRunner ├── AppAuthorizationRights.swift ├── AppDelegate.swift ├── AppViewController.swift ├── Assets.xcassets │ └── AppIcon.appiconset │ │ └── Contents.json ├── Base.lproj │ └── MainMenu.xib └── Info.plist ├── PrivilegedTaskRunnerHelper ├── CodesignChecker.swift ├── PrivilegedTaskRunnerHelper-Info.plist ├── PrivilegedTaskRunnerHelper-Launchd.plist ├── PrivilegedTaskRunnerHelper.swift ├── ProcessHelper.swift ├── RemoteProcessProtocol.swift └── main.swift └── README.md /.gitignore: -------------------------------------------------------------------------------- 1 | .DS_Store 2 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/project.pbxproj: -------------------------------------------------------------------------------- 1 | // !$*UTF8*$! 2 | { 3 | archiveVersion = 1; 4 | classes = { 5 | }; 6 | objectVersion = 46; 7 | objects = { 8 | 9 | /* Begin PBXBuildFile section */ 10 | E42084B7215389BC008A9A5F /* CodesignChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = E42084B6215389BC008A9A5F /* CodesignChecker.swift */; }; 11 | E43EF1AF1F3C527700278CCA /* AppDelegate.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1AE1F3C527700278CCA /* AppDelegate.swift */; }; 12 | E43EF1B31F3C527700278CCA /* Assets.xcassets in Resources */ = {isa = PBXBuildFile; fileRef = E43EF1B21F3C527700278CCA /* Assets.xcassets */; }; 13 | E43EF1C41F3C52BA00278CCA /* main.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1C31F3C52BA00278CCA /* main.swift */; }; 14 | E43EF1C91F3C53B900278CCA /* AppViewController.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1C81F3C53B900278CCA /* AppViewController.swift */; }; 15 | E43EF1CF1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CC1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift */; }; 16 | E43EF1D01F3C544000278CCA /* ProcessHelper.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CD1F3C544000278CCA /* ProcessHelper.swift */; }; 17 | E43EF1D11F3C544000278CCA /* RemoteProcessProtocol.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CE1F3C544000278CCA /* RemoteProcessProtocol.swift */; }; 18 | E43EF1D41F3C54EC00278CCA /* MainMenu.xib in Resources */ = {isa = PBXBuildFile; fileRef = E43EF1D21F3C54EC00278CCA /* MainMenu.xib */; }; 19 | E43EF1D51F3C591F00278CCA /* PrivilegedTaskRunnerHelper.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CC1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift */; }; 20 | E43EF1D61F3C591F00278CCA /* ProcessHelper.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CD1F3C544000278CCA /* ProcessHelper.swift */; }; 21 | E43EF1D71F3C591F00278CCA /* RemoteProcessProtocol.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1CE1F3C544000278CCA /* RemoteProcessProtocol.swift */; }; 22 | E43EF1D91F3C595200278CCA /* AppAuthorizationRights.swift in Sources */ = {isa = PBXBuildFile; fileRef = E43EF1D81F3C595200278CCA /* AppAuthorizationRights.swift */; }; 23 | E43EF1DF1F4CA2A600278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper in CopyFiles */ = {isa = PBXBuildFile; fileRef = E43EF1C11F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */; settings = {ATTRIBUTES = (CodeSignOnCopy, ); }; }; 24 | E449D5862153A962005D338A /* CodesignChecker.swift in Sources */ = {isa = PBXBuildFile; fileRef = E42084B6215389BC008A9A5F /* CodesignChecker.swift */; }; 25 | /* End PBXBuildFile section */ 26 | 27 | /* Begin PBXCopyFilesBuildPhase section */ 28 | E43EF1BF1F3C52BA00278CCA /* CopyFiles */ = { 29 | isa = PBXCopyFilesBuildPhase; 30 | buildActionMask = 2147483647; 31 | dstPath = /usr/share/man/man1/; 32 | dstSubfolderSpec = 0; 33 | files = ( 34 | ); 35 | runOnlyForDeploymentPostprocessing = 1; 36 | }; 37 | E43EF1DB1F3C59F700278CCA /* CopyFiles */ = { 38 | isa = PBXCopyFilesBuildPhase; 39 | buildActionMask = 2147483647; 40 | dstPath = Contents/Library/LaunchServices; 41 | dstSubfolderSpec = 1; 42 | files = ( 43 | E43EF1DF1F4CA2A600278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper in CopyFiles */, 44 | ); 45 | runOnlyForDeploymentPostprocessing = 0; 46 | }; 47 | /* End PBXCopyFilesBuildPhase section */ 48 | 49 | /* Begin PBXFileReference section */ 50 | E42084B6215389BC008A9A5F /* CodesignChecker.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = CodesignChecker.swift; sourceTree = ""; }; 51 | E43EF1AB1F3C527700278CCA /* PrivilegedTaskRunner.app */ = {isa = PBXFileReference; explicitFileType = wrapper.application; includeInIndex = 0; path = PrivilegedTaskRunner.app; sourceTree = BUILT_PRODUCTS_DIR; }; 52 | E43EF1AE1F3C527700278CCA /* AppDelegate.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = AppDelegate.swift; sourceTree = ""; }; 53 | E43EF1B21F3C527700278CCA /* Assets.xcassets */ = {isa = PBXFileReference; lastKnownFileType = folder.assetcatalog; path = Assets.xcassets; sourceTree = ""; }; 54 | E43EF1B71F3C527700278CCA /* Info.plist */ = {isa = PBXFileReference; lastKnownFileType = text.plist.xml; path = Info.plist; sourceTree = ""; }; 55 | E43EF1C11F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */ = {isa = PBXFileReference; explicitFileType = "compiled.mach-o.executable"; includeInIndex = 0; path = com.suolapeikko.examples.PrivilegedTaskRunnerHelper; sourceTree = BUILT_PRODUCTS_DIR; }; 56 | E43EF1C31F3C52BA00278CCA /* main.swift */ = {isa = PBXFileReference; lastKnownFileType = sourcecode.swift; path = main.swift; sourceTree = ""; }; 57 | E43EF1C81F3C53B900278CCA /* AppViewController.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppViewController.swift; sourceTree = ""; }; 58 | E43EF1CA1F3C544000278CCA /* PrivilegedTaskRunnerHelper-Info.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "PrivilegedTaskRunnerHelper-Info.plist"; sourceTree = ""; }; 59 | E43EF1CB1F3C544000278CCA /* PrivilegedTaskRunnerHelper-Launchd.plist */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = text.plist.xml; path = "PrivilegedTaskRunnerHelper-Launchd.plist"; sourceTree = ""; }; 60 | E43EF1CC1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = PrivilegedTaskRunnerHelper.swift; sourceTree = ""; }; 61 | E43EF1CD1F3C544000278CCA /* ProcessHelper.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = ProcessHelper.swift; sourceTree = ""; }; 62 | E43EF1CE1F3C544000278CCA /* RemoteProcessProtocol.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = RemoteProcessProtocol.swift; sourceTree = ""; }; 63 | E43EF1D31F3C54EC00278CCA /* Base */ = {isa = PBXFileReference; lastKnownFileType = file.xib; name = Base; path = Base.lproj/MainMenu.xib; sourceTree = ""; }; 64 | E43EF1D81F3C595200278CCA /* AppAuthorizationRights.swift */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.swift; path = AppAuthorizationRights.swift; sourceTree = ""; }; 65 | /* End PBXFileReference section */ 66 | 67 | /* Begin PBXFrameworksBuildPhase section */ 68 | E43EF1A81F3C527700278CCA /* Frameworks */ = { 69 | isa = PBXFrameworksBuildPhase; 70 | buildActionMask = 2147483647; 71 | files = ( 72 | ); 73 | runOnlyForDeploymentPostprocessing = 0; 74 | }; 75 | E43EF1BE1F3C52BA00278CCA /* Frameworks */ = { 76 | isa = PBXFrameworksBuildPhase; 77 | buildActionMask = 2147483647; 78 | files = ( 79 | ); 80 | runOnlyForDeploymentPostprocessing = 0; 81 | }; 82 | /* End PBXFrameworksBuildPhase section */ 83 | 84 | /* Begin PBXGroup section */ 85 | E43EF1A21F3C527700278CCA = { 86 | isa = PBXGroup; 87 | children = ( 88 | E43EF1AD1F3C527700278CCA /* PrivilegedTaskRunner */, 89 | E43EF1C21F3C52BA00278CCA /* PrivilegedTaskRunnerHelper */, 90 | E43EF1AC1F3C527700278CCA /* Products */, 91 | ); 92 | sourceTree = ""; 93 | }; 94 | E43EF1AC1F3C527700278CCA /* Products */ = { 95 | isa = PBXGroup; 96 | children = ( 97 | E43EF1AB1F3C527700278CCA /* PrivilegedTaskRunner.app */, 98 | E43EF1C11F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */, 99 | ); 100 | name = Products; 101 | sourceTree = ""; 102 | }; 103 | E43EF1AD1F3C527700278CCA /* PrivilegedTaskRunner */ = { 104 | isa = PBXGroup; 105 | children = ( 106 | E43EF1AE1F3C527700278CCA /* AppDelegate.swift */, 107 | E43EF1D81F3C595200278CCA /* AppAuthorizationRights.swift */, 108 | E43EF1C81F3C53B900278CCA /* AppViewController.swift */, 109 | E43EF1B21F3C527700278CCA /* Assets.xcassets */, 110 | E43EF1D21F3C54EC00278CCA /* MainMenu.xib */, 111 | E43EF1B71F3C527700278CCA /* Info.plist */, 112 | ); 113 | path = PrivilegedTaskRunner; 114 | sourceTree = ""; 115 | }; 116 | E43EF1C21F3C52BA00278CCA /* PrivilegedTaskRunnerHelper */ = { 117 | isa = PBXGroup; 118 | children = ( 119 | E43EF1C31F3C52BA00278CCA /* main.swift */, 120 | E43EF1CA1F3C544000278CCA /* PrivilegedTaskRunnerHelper-Info.plist */, 121 | E43EF1CB1F3C544000278CCA /* PrivilegedTaskRunnerHelper-Launchd.plist */, 122 | E43EF1CC1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift */, 123 | E43EF1CD1F3C544000278CCA /* ProcessHelper.swift */, 124 | E43EF1CE1F3C544000278CCA /* RemoteProcessProtocol.swift */, 125 | E42084B6215389BC008A9A5F /* CodesignChecker.swift */, 126 | ); 127 | path = PrivilegedTaskRunnerHelper; 128 | sourceTree = ""; 129 | }; 130 | /* End PBXGroup section */ 131 | 132 | /* Begin PBXNativeTarget section */ 133 | E43EF1AA1F3C527700278CCA /* PrivilegedTaskRunner */ = { 134 | isa = PBXNativeTarget; 135 | buildConfigurationList = E43EF1BA1F3C527700278CCA /* Build configuration list for PBXNativeTarget "PrivilegedTaskRunner" */; 136 | buildPhases = ( 137 | E43EF1A71F3C527700278CCA /* Sources */, 138 | E43EF1A81F3C527700278CCA /* Frameworks */, 139 | E43EF1A91F3C527700278CCA /* Resources */, 140 | E43EF1DB1F3C59F700278CCA /* CopyFiles */, 141 | ); 142 | buildRules = ( 143 | ); 144 | dependencies = ( 145 | ); 146 | name = PrivilegedTaskRunner; 147 | productName = PrivilegedTaskRunner; 148 | productReference = E43EF1AB1F3C527700278CCA /* PrivilegedTaskRunner.app */; 149 | productType = "com.apple.product-type.application"; 150 | }; 151 | E43EF1C01F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */ = { 152 | isa = PBXNativeTarget; 153 | buildConfigurationList = E43EF1C51F3C52BA00278CCA /* Build configuration list for PBXNativeTarget "com.suolapeikko.examples.PrivilegedTaskRunnerHelper" */; 154 | buildPhases = ( 155 | E43EF1BD1F3C52BA00278CCA /* Sources */, 156 | E43EF1BE1F3C52BA00278CCA /* Frameworks */, 157 | E43EF1BF1F3C52BA00278CCA /* CopyFiles */, 158 | ); 159 | buildRules = ( 160 | ); 161 | dependencies = ( 162 | ); 163 | name = com.suolapeikko.examples.PrivilegedTaskRunnerHelper; 164 | productName = PrivilegedTaskRunnerHelper; 165 | productReference = E43EF1C11F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */; 166 | productType = "com.apple.product-type.tool"; 167 | }; 168 | /* End PBXNativeTarget section */ 169 | 170 | /* Begin PBXProject section */ 171 | E43EF1A31F3C527700278CCA /* Project object */ = { 172 | isa = PBXProject; 173 | attributes = { 174 | LastSwiftUpdateCheck = 0830; 175 | LastUpgradeCheck = 0940; 176 | ORGANIZATIONNAME = Suolapeikko; 177 | TargetAttributes = { 178 | E43EF1AA1F3C527700278CCA = { 179 | CreatedOnToolsVersion = 8.3; 180 | DevelopmentTeam = RWR4H6QC95; 181 | LastSwiftMigration = 0900; 182 | ProvisioningStyle = Automatic; 183 | SystemCapabilities = { 184 | com.apple.iCloud = { 185 | enabled = 0; 186 | }; 187 | }; 188 | }; 189 | E43EF1C01F3C52BA00278CCA = { 190 | CreatedOnToolsVersion = 8.3; 191 | DevelopmentTeam = RWR4H6QC95; 192 | LastSwiftMigration = 0900; 193 | ProvisioningStyle = Automatic; 194 | }; 195 | }; 196 | }; 197 | buildConfigurationList = E43EF1A61F3C527700278CCA /* Build configuration list for PBXProject "PrivilegedTaskRunner" */; 198 | compatibilityVersion = "Xcode 3.2"; 199 | developmentRegion = English; 200 | hasScannedForEncodings = 0; 201 | knownRegions = ( 202 | en, 203 | Base, 204 | ); 205 | mainGroup = E43EF1A21F3C527700278CCA; 206 | productRefGroup = E43EF1AC1F3C527700278CCA /* Products */; 207 | projectDirPath = ""; 208 | projectRoot = ""; 209 | targets = ( 210 | E43EF1AA1F3C527700278CCA /* PrivilegedTaskRunner */, 211 | E43EF1C01F3C52BA00278CCA /* com.suolapeikko.examples.PrivilegedTaskRunnerHelper */, 212 | ); 213 | }; 214 | /* End PBXProject section */ 215 | 216 | /* Begin PBXResourcesBuildPhase section */ 217 | E43EF1A91F3C527700278CCA /* Resources */ = { 218 | isa = PBXResourcesBuildPhase; 219 | buildActionMask = 2147483647; 220 | files = ( 221 | E43EF1B31F3C527700278CCA /* Assets.xcassets in Resources */, 222 | E43EF1D41F3C54EC00278CCA /* MainMenu.xib in Resources */, 223 | ); 224 | runOnlyForDeploymentPostprocessing = 0; 225 | }; 226 | /* End PBXResourcesBuildPhase section */ 227 | 228 | /* Begin PBXSourcesBuildPhase section */ 229 | E43EF1A71F3C527700278CCA /* Sources */ = { 230 | isa = PBXSourcesBuildPhase; 231 | buildActionMask = 2147483647; 232 | files = ( 233 | E43EF1D51F3C591F00278CCA /* PrivilegedTaskRunnerHelper.swift in Sources */, 234 | E43EF1D61F3C591F00278CCA /* ProcessHelper.swift in Sources */, 235 | E42084B7215389BC008A9A5F /* CodesignChecker.swift in Sources */, 236 | E43EF1D91F3C595200278CCA /* AppAuthorizationRights.swift in Sources */, 237 | E43EF1D71F3C591F00278CCA /* RemoteProcessProtocol.swift in Sources */, 238 | E43EF1C91F3C53B900278CCA /* AppViewController.swift in Sources */, 239 | E43EF1AF1F3C527700278CCA /* AppDelegate.swift in Sources */, 240 | ); 241 | runOnlyForDeploymentPostprocessing = 0; 242 | }; 243 | E43EF1BD1F3C52BA00278CCA /* Sources */ = { 244 | isa = PBXSourcesBuildPhase; 245 | buildActionMask = 2147483647; 246 | files = ( 247 | E449D5862153A962005D338A /* CodesignChecker.swift in Sources */, 248 | E43EF1CF1F3C544000278CCA /* PrivilegedTaskRunnerHelper.swift in Sources */, 249 | E43EF1D01F3C544000278CCA /* ProcessHelper.swift in Sources */, 250 | E43EF1C41F3C52BA00278CCA /* main.swift in Sources */, 251 | E43EF1D11F3C544000278CCA /* RemoteProcessProtocol.swift in Sources */, 252 | ); 253 | runOnlyForDeploymentPostprocessing = 0; 254 | }; 255 | /* End PBXSourcesBuildPhase section */ 256 | 257 | /* Begin PBXVariantGroup section */ 258 | E43EF1D21F3C54EC00278CCA /* MainMenu.xib */ = { 259 | isa = PBXVariantGroup; 260 | children = ( 261 | E43EF1D31F3C54EC00278CCA /* Base */, 262 | ); 263 | name = MainMenu.xib; 264 | sourceTree = ""; 265 | }; 266 | /* End PBXVariantGroup section */ 267 | 268 | /* Begin XCBuildConfiguration section */ 269 | E43EF1B81F3C527700278CCA /* Debug */ = { 270 | isa = XCBuildConfiguration; 271 | buildSettings = { 272 | ALWAYS_SEARCH_USER_PATHS = NO; 273 | CLANG_ANALYZER_NONNULL = YES; 274 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 275 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 276 | CLANG_CXX_LIBRARY = "libc++"; 277 | CLANG_ENABLE_MODULES = YES; 278 | CLANG_ENABLE_OBJC_ARC = YES; 279 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 280 | CLANG_WARN_BOOL_CONVERSION = YES; 281 | CLANG_WARN_COMMA = YES; 282 | CLANG_WARN_CONSTANT_CONVERSION = YES; 283 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 284 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 285 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 286 | CLANG_WARN_EMPTY_BODY = YES; 287 | CLANG_WARN_ENUM_CONVERSION = YES; 288 | CLANG_WARN_INFINITE_RECURSION = YES; 289 | CLANG_WARN_INT_CONVERSION = YES; 290 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 291 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 292 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 293 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 294 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 295 | CLANG_WARN_STRICT_PROTOTYPES = YES; 296 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 297 | CLANG_WARN_UNREACHABLE_CODE = YES; 298 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 299 | CODE_SIGN_IDENTITY = "-"; 300 | COPY_PHASE_STRIP = NO; 301 | DEBUG_INFORMATION_FORMAT = dwarf; 302 | ENABLE_STRICT_OBJC_MSGSEND = YES; 303 | ENABLE_TESTABILITY = YES; 304 | GCC_C_LANGUAGE_STANDARD = gnu99; 305 | GCC_DYNAMIC_NO_PIC = NO; 306 | GCC_NO_COMMON_BLOCKS = YES; 307 | GCC_OPTIMIZATION_LEVEL = 0; 308 | GCC_PREPROCESSOR_DEFINITIONS = ( 309 | "DEBUG=1", 310 | "$(inherited)", 311 | ); 312 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 313 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 314 | GCC_WARN_UNDECLARED_SELECTOR = YES; 315 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 316 | GCC_WARN_UNUSED_FUNCTION = YES; 317 | GCC_WARN_UNUSED_VARIABLE = YES; 318 | MACOSX_DEPLOYMENT_TARGET = 10.13; 319 | MTL_ENABLE_DEBUG_INFO = YES; 320 | ONLY_ACTIVE_ARCH = YES; 321 | OTHER_LDFLAGS = ""; 322 | SDKROOT = macosx; 323 | SWIFT_ACTIVE_COMPILATION_CONDITIONS = DEBUG; 324 | SWIFT_OPTIMIZATION_LEVEL = "-Onone"; 325 | SWIFT_SWIFT3_OBJC_INFERENCE = On; 326 | }; 327 | name = Debug; 328 | }; 329 | E43EF1B91F3C527700278CCA /* Release */ = { 330 | isa = XCBuildConfiguration; 331 | buildSettings = { 332 | ALWAYS_SEARCH_USER_PATHS = NO; 333 | CLANG_ANALYZER_NONNULL = YES; 334 | CLANG_ANALYZER_NUMBER_OBJECT_CONVERSION = YES_AGGRESSIVE; 335 | CLANG_CXX_LANGUAGE_STANDARD = "gnu++0x"; 336 | CLANG_CXX_LIBRARY = "libc++"; 337 | CLANG_ENABLE_MODULES = YES; 338 | CLANG_ENABLE_OBJC_ARC = YES; 339 | CLANG_WARN_BLOCK_CAPTURE_AUTORELEASING = YES; 340 | CLANG_WARN_BOOL_CONVERSION = YES; 341 | CLANG_WARN_COMMA = YES; 342 | CLANG_WARN_CONSTANT_CONVERSION = YES; 343 | CLANG_WARN_DEPRECATED_OBJC_IMPLEMENTATIONS = YES; 344 | CLANG_WARN_DIRECT_OBJC_ISA_USAGE = YES_ERROR; 345 | CLANG_WARN_DOCUMENTATION_COMMENTS = YES; 346 | CLANG_WARN_EMPTY_BODY = YES; 347 | CLANG_WARN_ENUM_CONVERSION = YES; 348 | CLANG_WARN_INFINITE_RECURSION = YES; 349 | CLANG_WARN_INT_CONVERSION = YES; 350 | CLANG_WARN_NON_LITERAL_NULL_CONVERSION = YES; 351 | CLANG_WARN_OBJC_IMPLICIT_RETAIN_SELF = YES; 352 | CLANG_WARN_OBJC_LITERAL_CONVERSION = YES; 353 | CLANG_WARN_OBJC_ROOT_CLASS = YES_ERROR; 354 | CLANG_WARN_RANGE_LOOP_ANALYSIS = YES; 355 | CLANG_WARN_STRICT_PROTOTYPES = YES; 356 | CLANG_WARN_SUSPICIOUS_MOVE = YES; 357 | CLANG_WARN_UNREACHABLE_CODE = YES; 358 | CLANG_WARN__DUPLICATE_METHOD_MATCH = YES; 359 | CODE_SIGN_IDENTITY = "-"; 360 | COPY_PHASE_STRIP = NO; 361 | DEBUG_INFORMATION_FORMAT = "dwarf-with-dsym"; 362 | ENABLE_NS_ASSERTIONS = NO; 363 | ENABLE_STRICT_OBJC_MSGSEND = YES; 364 | GCC_C_LANGUAGE_STANDARD = gnu99; 365 | GCC_NO_COMMON_BLOCKS = YES; 366 | GCC_WARN_64_TO_32_BIT_CONVERSION = YES; 367 | GCC_WARN_ABOUT_RETURN_TYPE = YES_ERROR; 368 | GCC_WARN_UNDECLARED_SELECTOR = YES; 369 | GCC_WARN_UNINITIALIZED_AUTOS = YES_AGGRESSIVE; 370 | GCC_WARN_UNUSED_FUNCTION = YES; 371 | GCC_WARN_UNUSED_VARIABLE = YES; 372 | MACOSX_DEPLOYMENT_TARGET = 10.13; 373 | MTL_ENABLE_DEBUG_INFO = NO; 374 | OTHER_LDFLAGS = ""; 375 | SDKROOT = macosx; 376 | SWIFT_OPTIMIZATION_LEVEL = "-Owholemodule"; 377 | SWIFT_SWIFT3_OBJC_INFERENCE = On; 378 | }; 379 | name = Release; 380 | }; 381 | E43EF1BB1F3C527700278CCA /* Debug */ = { 382 | isa = XCBuildConfiguration; 383 | buildSettings = { 384 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 385 | CODE_SIGN_ENTITLEMENTS = ""; 386 | CODE_SIGN_IDENTITY = "Mac Developer"; 387 | CODE_SIGN_STYLE = Automatic; 388 | COMBINE_HIDPI_IMAGES = YES; 389 | DEVELOPMENT_TEAM = ""; 390 | INFOPLIST_FILE = PrivilegedTaskRunner/Info.plist; 391 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; 392 | MACOSX_DEPLOYMENT_TARGET = 10.13; 393 | PRODUCT_BUNDLE_IDENTIFIER = com.suolapeikko.examples.PrivilegedTaskRunner; 394 | PRODUCT_NAME = "$(TARGET_NAME)"; 395 | PROVISIONING_PROFILE_SPECIFIER = ""; 396 | SWIFT_SWIFT3_OBJC_INFERENCE = Default; 397 | SWIFT_VERSION = 4.0; 398 | }; 399 | name = Debug; 400 | }; 401 | E43EF1BC1F3C527700278CCA /* Release */ = { 402 | isa = XCBuildConfiguration; 403 | buildSettings = { 404 | ASSETCATALOG_COMPILER_APPICON_NAME = AppIcon; 405 | CODE_SIGN_ENTITLEMENTS = ""; 406 | CODE_SIGN_IDENTITY = "Mac Developer"; 407 | CODE_SIGN_STYLE = Automatic; 408 | COMBINE_HIDPI_IMAGES = YES; 409 | DEVELOPMENT_TEAM = ""; 410 | INFOPLIST_FILE = PrivilegedTaskRunner/Info.plist; 411 | LD_RUNPATH_SEARCH_PATHS = "$(inherited) @executable_path/../Frameworks"; 412 | MACOSX_DEPLOYMENT_TARGET = 10.13; 413 | PRODUCT_BUNDLE_IDENTIFIER = com.suolapeikko.examples.PrivilegedTaskRunner; 414 | PRODUCT_NAME = "$(TARGET_NAME)"; 415 | PROVISIONING_PROFILE_SPECIFIER = ""; 416 | SWIFT_SWIFT3_OBJC_INFERENCE = Default; 417 | SWIFT_VERSION = 4.0; 418 | }; 419 | name = Release; 420 | }; 421 | E43EF1C61F3C52BA00278CCA /* Debug */ = { 422 | isa = XCBuildConfiguration; 423 | buildSettings = { 424 | CODE_SIGN_IDENTITY = "Mac Developer"; 425 | CODE_SIGN_STYLE = Automatic; 426 | DEVELOPMENT_TEAM = ""; 427 | INFOPLIST_FILE = "$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist"; 428 | MACOSX_DEPLOYMENT_TARGET = 10.13; 429 | OTHER_LDFLAGS = ( 430 | "-sectcreate", 431 | __TEXT, 432 | __info_plist, 433 | "\"$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist\"", 434 | "-sectcreate", 435 | __TEXT, 436 | __launchd_plist, 437 | "\"$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Launchd.plist\"", 438 | ); 439 | PRODUCT_BUNDLE_IDENTIFIER = com.suolapeikko.examples.PrivilegedTaskRunnerHelper; 440 | PRODUCT_NAME = "$(TARGET_NAME)"; 441 | PROVISIONING_PROFILE_SPECIFIER = ""; 442 | SWIFT_SWIFT3_OBJC_INFERENCE = Default; 443 | SWIFT_VERSION = 4.0; 444 | }; 445 | name = Debug; 446 | }; 447 | E43EF1C71F3C52BA00278CCA /* Release */ = { 448 | isa = XCBuildConfiguration; 449 | buildSettings = { 450 | CODE_SIGN_IDENTITY = "Mac Developer"; 451 | CODE_SIGN_STYLE = Automatic; 452 | DEVELOPMENT_TEAM = ""; 453 | INFOPLIST_FILE = "$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist"; 454 | MACOSX_DEPLOYMENT_TARGET = 10.13; 455 | OTHER_LDFLAGS = ( 456 | "-sectcreate", 457 | __TEXT, 458 | __info_plist, 459 | "\"$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist\"", 460 | "-sectcreate", 461 | __TEXT, 462 | __launchd_plist, 463 | "\"$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Launchd.plist\"", 464 | ); 465 | PRODUCT_BUNDLE_IDENTIFIER = com.suolapeikko.examples.PrivilegedTaskRunnerHelper; 466 | PRODUCT_NAME = "$(TARGET_NAME)"; 467 | PROVISIONING_PROFILE_SPECIFIER = ""; 468 | SWIFT_SWIFT3_OBJC_INFERENCE = Default; 469 | SWIFT_VERSION = 4.0; 470 | }; 471 | name = Release; 472 | }; 473 | /* End XCBuildConfiguration section */ 474 | 475 | /* Begin XCConfigurationList section */ 476 | E43EF1A61F3C527700278CCA /* Build configuration list for PBXProject "PrivilegedTaskRunner" */ = { 477 | isa = XCConfigurationList; 478 | buildConfigurations = ( 479 | E43EF1B81F3C527700278CCA /* Debug */, 480 | E43EF1B91F3C527700278CCA /* Release */, 481 | ); 482 | defaultConfigurationIsVisible = 0; 483 | defaultConfigurationName = Release; 484 | }; 485 | E43EF1BA1F3C527700278CCA /* Build configuration list for PBXNativeTarget "PrivilegedTaskRunner" */ = { 486 | isa = XCConfigurationList; 487 | buildConfigurations = ( 488 | E43EF1BB1F3C527700278CCA /* Debug */, 489 | E43EF1BC1F3C527700278CCA /* Release */, 490 | ); 491 | defaultConfigurationIsVisible = 0; 492 | defaultConfigurationName = Release; 493 | }; 494 | E43EF1C51F3C52BA00278CCA /* Build configuration list for PBXNativeTarget "com.suolapeikko.examples.PrivilegedTaskRunnerHelper" */ = { 495 | isa = XCConfigurationList; 496 | buildConfigurations = ( 497 | E43EF1C61F3C52BA00278CCA /* Debug */, 498 | E43EF1C71F3C52BA00278CCA /* Release */, 499 | ); 500 | defaultConfigurationIsVisible = 0; 501 | defaultConfigurationName = Release; 502 | }; 503 | /* End XCConfigurationList section */ 504 | }; 505 | rootObject = E43EF1A31F3C527700278CCA /* Project object */; 506 | } 507 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/project.xcworkspace/contents.xcworkspacedata: -------------------------------------------------------------------------------- 1 | 2 | 4 | 6 | 7 | 8 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/project.xcworkspace/xcuserdata/antti.xcuserdatad/UserInterfaceState.xcuserstate: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/suolapeikko/PrivilegedTaskRunner/ebfd21163d2055bb09583c622d2b8397dce9fd37/PrivilegedTaskRunner.xcodeproj/project.xcworkspace/xcuserdata/antti.xcuserdatad/UserInterfaceState.xcuserstate -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/xcuserdata/antti.xcuserdatad/xcdebugger/Breakpoints_v2.xcbkptlist: -------------------------------------------------------------------------------- 1 | 2 | 5 | 6 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/xcuserdata/antti.xcuserdatad/xcschemes/PrivilegedTaskRunner.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 39 | 40 | 41 | 42 | 43 | 44 | 54 | 56 | 62 | 63 | 64 | 65 | 66 | 67 | 73 | 75 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/xcuserdata/antti.xcuserdatad/xcschemes/PrivilegedTaskRunnerHelper.xcscheme: -------------------------------------------------------------------------------- 1 | 2 | 5 | 8 | 9 | 15 | 21 | 22 | 23 | 24 | 25 | 30 | 31 | 32 | 33 | 39 | 40 | 41 | 42 | 43 | 44 | 54 | 56 | 62 | 63 | 64 | 65 | 66 | 67 | 73 | 75 | 81 | 82 | 83 | 84 | 86 | 87 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner.xcodeproj/xcuserdata/antti.xcuserdatad/xcschemes/xcschememanagement.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | SchemeUserState 6 | 7 | PrivilegedTaskRunner.xcscheme 8 | 9 | orderHint 10 | 0 11 | 12 | PrivilegedTaskRunnerHelper.xcscheme 13 | 14 | orderHint 15 | 1 16 | 17 | 18 | SuppressBuildableAutocreation 19 | 20 | E43EF1AA1F3C527700278CCA 21 | 22 | primary 23 | 24 | 25 | E43EF1C01F3C52BA00278CCA 26 | 27 | primary 28 | 29 | 30 | 31 | 32 | 33 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner/AppAuthorizationRights.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AppAuthorizationRights.swift 3 | // PrivilegedTaskRunner 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Foundation 9 | 10 | struct AppAuthorizationRights { 11 | 12 | // Define all authorization right definitions this application will use (only one for this app) 13 | static let shellRightName: NSString = "com.suolapeikko.examples.PrivilegedTaskRunner.runCommand" 14 | static let shellRightDefaultRule: Dictionary = shellAdminRightsRule 15 | static let shellRightDescription: CFString = "PrivilegedTaskRunner wants to run the command '/bin/ls /var/db/sudo/'" as CFString 16 | 17 | // Set up authorization rules (only one for this app) 18 | static var shellAdminRightsRule: [String:Any] = ["class" : "user", 19 | "group" : "admin", 20 | "timeout" : 0, 21 | "version" : 1] 22 | } 23 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner/AppDelegate.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AppDelegate.swift 3 | // PrivilegedTaskRunner 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Cocoa 9 | 10 | @NSApplicationMain 11 | class AppDelegate: NSObject, NSApplicationDelegate { 12 | 13 | @IBOutlet weak var window: NSWindow! 14 | @IBOutlet weak var appVC: AppViewController! 15 | 16 | func applicationDidFinishLaunching(_ aNotification: Notification) { 17 | 18 | // Create an empty authorization reference 19 | appVC.initAuthorizationRef() 20 | 21 | // Check if there's an existing PrivilegedTaskRunnerHelper already installed 22 | if(!appVC.checkIfHelperDaemonExists()) { 23 | appVC.installHelperDaemon() 24 | } 25 | else { 26 | // Update daemon to a newer version if client and daemon versions don't match 27 | self.appVC.checkHelperVersionAndUpdateIfNecessary() 28 | } 29 | } 30 | 31 | func applicationWillTerminate(_ aNotification: Notification) { 32 | 33 | // Free the existing authorization reference 34 | appVC.freeAuthorizationRef() 35 | } 36 | } 37 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner/AppViewController.swift: -------------------------------------------------------------------------------- 1 | // 2 | // AppViewController.swift 3 | // PrivilegedTaskRunner 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Foundation 9 | import Cocoa 10 | import Security 11 | import ServiceManagement 12 | 13 | class AppViewController: NSViewController { 14 | 15 | @IBOutlet weak var runButton: NSButton! 16 | @IBOutlet weak var clearButton: NSButton! 17 | @IBOutlet weak var clearDBButton: NSButton! 18 | @IBOutlet weak var stepperControl: NSStepper! 19 | @IBOutlet weak var stepperValue: NSTextField! 20 | @IBOutlet weak var requireAuthenticationCheck: NSButton! 21 | @IBOutlet weak var commandField: NSTextField! 22 | @IBOutlet weak var outputField: NSTextField! 23 | 24 | var connection: NSXPCConnection? 25 | var authRef: AuthorizationRef? 26 | 27 | /// Initialize AuthorizationRef, as we need to manage it's lifecycle 28 | func initAuthorizationRef() { 29 | 30 | // Create an empty AuthorizationRef 31 | let status = AuthorizationCreate(nil, nil, AuthorizationFlags(), &authRef) 32 | if (status != OSStatus(errAuthorizationSuccess)) { 33 | NSLog("AppviewController: AuthorizationCreate failed") 34 | return 35 | } 36 | } 37 | 38 | /// Free AuthorizationRef, as we need to manage it's lifecycle 39 | func freeAuthorizationRef() { 40 | 41 | AuthorizationFree(authRef!, AuthorizationFlags.destroyRights) 42 | } 43 | 44 | /// Send user specified command to helper procecss 45 | /// 46 | /// - parameters: 47 | /// - NSButton: sender 48 | @IBAction func clearSecurityDBButtonClicked(sender: NSButton) { 49 | 50 | stepperControl.isEnabled = true 51 | 52 | // Remove this app's specific authorization information from the security database 53 | NSLog("AppviewController: AuthorizationRightRemove") 54 | 55 | let status = AuthorizationRightRemove(authRef!, AppAuthorizationRights.shellRightName.utf8String!) 56 | 57 | if(status == errAuthorizationSuccess) { 58 | NSLog("AppviewController: AuthorizationRightRemove was successful") 59 | } 60 | else { 61 | NSLog("AppviewController: AuthorizationRightRemove failed") 62 | } 63 | 64 | clearDBButton.isEnabled = false 65 | } 66 | 67 | /// Modify timeout stepper value 68 | /// 69 | /// - parameters: 70 | /// - NSButton: sender 71 | @IBAction func bumpValueClicked(sender: NSStepper) { 72 | 73 | stepperValue.intValue = sender.intValue 74 | } 75 | 76 | /// Send user specified command to helper procecss 77 | /// 78 | /// - parameters: 79 | /// - NSButton: sender 80 | @IBAction func runButtonClicked(sender: NSButton) { 81 | 82 | // Lock stepper so that user is not able to change timeout value until security database is cleared 83 | stepperControl.isEnabled = false 84 | 85 | // Enable user to clear the security database as this method adds app privileges 86 | clearDBButton.isEnabled = true 87 | 88 | // Just to demonstrate that both end up with that command to be run as the helper runs as root 89 | if(requireAuthenticationCheck.state.rawValue == 1) { 90 | callHelperWithAuthorization() 91 | } 92 | else { 93 | callHelperWithoutAuthorization() 94 | } 95 | } 96 | 97 | /// Clear output field 98 | /// 99 | /// - parameters: 100 | /// - NSButton: sender 101 | @IBAction func clearButtonClicked(sender: NSButton) { 102 | 103 | self.outputField.stringValue = ">_" 104 | } 105 | 106 | /// Call Helper using XPC without authorization 107 | func callHelperWithoutAuthorization() { 108 | 109 | // When the connection is valid, do the actual inter process call 110 | let xpcService = prepareXPC()?.remoteObjectProxyWithErrorHandler() { error -> Void in 111 | NSLog("AppviewController: XPC error: \(error)") 112 | } as? RemoteProcessProtocol 113 | 114 | xpcService?.runCommand(path: commandField.stringValue, reply: { 115 | reply in 116 | // Let's update GUI asynchronously 117 | DispatchQueue.global(qos: .background).async { 118 | // Background Thread 119 | DispatchQueue.main.async { 120 | // Run UI Updates 121 | self.outputField.stringValue += "ls /var/db/sudo\n" + reply + "\n>_" 122 | } 123 | } 124 | }) 125 | } 126 | 127 | /// Call Helper using XPC with authorization 128 | func callHelperWithAuthorization() { 129 | 130 | var authRefExtForm = AuthorizationExternalForm() 131 | let timeout = stepperValue.intValue 132 | 133 | // Make an external form of the AuthorizationRef 134 | var status = AuthorizationMakeExternalForm(authRef!, &authRefExtForm) 135 | if (status != OSStatus(errAuthorizationSuccess)) { 136 | NSLog("AppviewController: AuthorizationMakeExternalForm failed") 137 | return 138 | } 139 | 140 | // Add all or update required authorization right definition to the authorization database 141 | var currentRight:CFDictionary? 142 | 143 | // Try to get the authorization right definition from the database 144 | status = AuthorizationRightGet(AppAuthorizationRights.shellRightName.utf8String!, ¤tRight) 145 | 146 | if (status == errAuthorizationDenied) { 147 | 148 | var defaultRules = AppAuthorizationRights.shellRightDefaultRule 149 | defaultRules.updateValue(timeout as AnyObject, forKey: "timeout") 150 | status = AuthorizationRightSet(authRef!, AppAuthorizationRights.shellRightName.utf8String!, defaultRules as CFDictionary, AppAuthorizationRights.shellRightDescription, nil, "Common" as CFString) 151 | NSLog("AppviewController: : Adding authorization right to the security database") 152 | } 153 | 154 | // We need to put the AuthorizationRef to a form that can be passed through inter process call 155 | let authData = NSData.init(bytes: &authRefExtForm, length:kAuthorizationExternalFormLength) 156 | 157 | // When the connection is valid, do the actual inter process call 158 | let xpcService = prepareXPC()?.remoteObjectProxyWithErrorHandler() { error -> Void in 159 | NSLog("AppviewController: XPC error: \(error)") 160 | } as? RemoteProcessProtocol 161 | 162 | xpcService?.runCommand(path: commandField.stringValue, authData: authData, reply: { 163 | reply in 164 | // Let's update GUI asynchronously 165 | DispatchQueue.global(qos: .background).async { 166 | // Background Thread 167 | DispatchQueue.main.async { 168 | // Run UI Updates 169 | self.outputField.stringValue += "ls /var/db/sudo\n" + reply + "\n>_" 170 | } 171 | } 172 | }) 173 | } 174 | 175 | /// Prepare XPC connection for inter process call 176 | /// 177 | /// - returns: A reference to the prepared instance variable 178 | func prepareXPC() -> NSXPCConnection? { 179 | 180 | // Check that the connection is valid before trying to do an inter process call to helper 181 | if(connection==nil) { 182 | connection = NSXPCConnection(machServiceName: HelperConstants.machServiceName, options: NSXPCConnection.Options.privileged) 183 | connection?.remoteObjectInterface = NSXPCInterface(with: RemoteProcessProtocol.self) 184 | connection?.invalidationHandler = { 185 | self.connection?.invalidationHandler = nil 186 | OperationQueue.main.addOperation() { 187 | self.connection = nil 188 | NSLog("AppviewController: XPC Connection Invalidated") 189 | } 190 | } 191 | connection?.resume() 192 | } 193 | 194 | return connection 195 | } 196 | 197 | /// Install new helper daemon 198 | func installHelperDaemon() { 199 | 200 | NSLog("AppviewController: Privileged Helper daemon was not found, installing a new one...") 201 | 202 | // Create authorization reference for the user 203 | var authRef: AuthorizationRef? 204 | var authStatus = AuthorizationCreate(nil, nil, [], &authRef) 205 | 206 | // Check if the reference is valid 207 | guard authStatus == errAuthorizationSuccess else { 208 | NSLog("AppviewController: Authorization failed: \(authStatus)") 209 | return 210 | } 211 | 212 | // Ask user for the admin privileges to install the 213 | var authItem = AuthorizationItem(name: kSMRightBlessPrivilegedHelper, valueLength: 0, value: nil, flags: 0) 214 | var authRights = AuthorizationRights(count: 1, items: &authItem) 215 | let flags: AuthorizationFlags = [[], .interactionAllowed, .extendRights, .preAuthorize] 216 | authStatus = AuthorizationCreate(&authRights, nil, flags, &authRef) 217 | 218 | // Check if the authorization went succesfully 219 | guard authStatus == errAuthorizationSuccess else { 220 | NSLog("AppviewController: Couldn't obtain admin privileges: \(authStatus)") 221 | return 222 | } 223 | 224 | // Launch the privileged helper using SMJobBless tool 225 | var error: Unmanaged? = nil 226 | 227 | if(SMJobBless(kSMDomainSystemLaunchd, HelperConstants.machServiceName as CFString, authRef, &error) == false) { 228 | let blessError = error!.takeRetainedValue() as Error 229 | NSLog("AppviewController: Bless Error: \(blessError)") 230 | } else { 231 | NSLog("AppviewController: \(HelperConstants.machServiceName) installed successfully") 232 | } 233 | 234 | // Release the Authorization Reference 235 | AuthorizationFree(authRef!, []) 236 | } 237 | 238 | /// Check if Helper daemon exists 239 | func checkIfHelperDaemonExists() -> Bool { 240 | 241 | let fileManager = FileManager.default 242 | 243 | if (!fileManager.fileExists(atPath: "/Library/PrivilegedHelperTools/com.suolapeikko.examples.PrivilegedTaskRunnerHelper")) { 244 | return false 245 | } else { 246 | return true 247 | } 248 | } 249 | 250 | /// Compare app's helper version to installed daemon's version and update if necessary 251 | func checkHelperVersionAndUpdateIfNecessary() { 252 | 253 | // Daemon path 254 | let helperURL = Bundle.main.bundleURL.appendingPathComponent("Contents/Library/LaunchServices/\(HelperConstants.machServiceName)") 255 | let helperBundleInfo = CFBundleCopyInfoDictionaryForURL(helperURL as CFURL) 256 | let helperInfo = helperBundleInfo! as NSDictionary 257 | let helperVersion = helperInfo["CFBundleVersion"] as! String 258 | 259 | NSLog("AppviewController: PrivilegedTaskRunner Bundle Version => \(helperVersion)") 260 | 261 | // When the connection is valid, do the actual inter process call 262 | let xpcService = prepareXPC()?.remoteObjectProxyWithErrorHandler() { error -> Void in 263 | NSLog("XPC error: \(error)") 264 | } as? RemoteProcessProtocol 265 | 266 | xpcService?.getVersion(reply: { 267 | installedVersion in 268 | NSLog("AppviewController: PrivilegedTaskRunner Helper Installed Version => \(installedVersion)") 269 | if(installedVersion != helperVersion) { 270 | self.installHelperDaemon() 271 | } 272 | else { 273 | NSLog("AppviewController: Bundle version matches privileged helper version, so no need to install") 274 | } 275 | }) 276 | } 277 | } 278 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner/Assets.xcassets/AppIcon.appiconset/Contents.json: -------------------------------------------------------------------------------- 1 | { 2 | "images" : [ 3 | { 4 | "idiom" : "mac", 5 | "size" : "16x16", 6 | "scale" : "1x" 7 | }, 8 | { 9 | "idiom" : "mac", 10 | "size" : "16x16", 11 | "scale" : "2x" 12 | }, 13 | { 14 | "idiom" : "mac", 15 | "size" : "32x32", 16 | "scale" : "1x" 17 | }, 18 | { 19 | "idiom" : "mac", 20 | "size" : "32x32", 21 | "scale" : "2x" 22 | }, 23 | { 24 | "idiom" : "mac", 25 | "size" : "128x128", 26 | "scale" : "1x" 27 | }, 28 | { 29 | "idiom" : "mac", 30 | "size" : "128x128", 31 | "scale" : "2x" 32 | }, 33 | { 34 | "idiom" : "mac", 35 | "size" : "256x256", 36 | "scale" : "1x" 37 | }, 38 | { 39 | "idiom" : "mac", 40 | "size" : "256x256", 41 | "scale" : "2x" 42 | }, 43 | { 44 | "idiom" : "mac", 45 | "size" : "512x512", 46 | "scale" : "1x" 47 | }, 48 | { 49 | "idiom" : "mac", 50 | "size" : "512x512", 51 | "scale" : "2x" 52 | } 53 | ], 54 | "info" : { 55 | "version" : 1, 56 | "author" : "xcode" 57 | } 58 | } -------------------------------------------------------------------------------- /PrivilegedTaskRunner/Base.lproj/MainMenu.xib: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 32 | 33 | 34 | 35 | 36 | 37 | 38 | 39 | 40 | 41 | 42 | 43 | 44 | 45 | 46 | 47 | 48 | 49 | 50 | 51 | 52 | 53 | 54 | 55 | 56 | 57 | 58 | 59 | 60 | 61 | 62 | 63 | 64 | 65 | 66 | 67 | 68 | 69 | 70 | 71 | 72 | 73 | 74 | 75 | 76 | 77 | 78 | 79 | 80 | 81 | 82 | 83 | 84 | 85 | 86 | 87 | 88 | 89 | 90 | 91 | 92 | 93 | 94 | 95 | 96 | 97 | 98 | 99 | 100 | 101 | 102 | 103 | 104 | 105 | 106 | 107 | 108 | 109 | 110 | 111 | 112 | 113 | 114 | 115 | 116 | 117 | 118 | 119 | 120 | 121 | 122 | 123 | 124 | 125 | 126 | 127 | 128 | 129 | 130 | 131 | 132 | 133 | 134 | 135 | 136 | 137 | 138 | 139 | 140 | 141 | 142 | 143 | 144 | 145 | 146 | 147 | 148 | 149 | 150 | 151 | 152 | 153 | 154 | 155 | 156 | 157 | 158 | 159 | 160 | 161 | 162 | 163 | 164 | 165 | 166 | 167 | 168 | 169 | 170 | 171 | 172 | 173 | 174 | 175 | 176 | 177 | 178 | 179 | 180 | 181 | 182 | 183 | 184 | 185 | 186 | 187 | 188 | 189 | 190 | 191 | 192 | 193 | 194 | 195 | 196 | 197 | 198 | 199 | 200 | 201 | 202 | 203 | 204 | 205 | 206 | 207 | 208 | 209 | 210 | 211 | 212 | 213 | 214 | 215 | 216 | 217 | 218 | 219 | 220 | 221 | 222 | 223 | 224 | 225 | 226 | 227 | 228 | 229 | 230 | 231 | 232 | 233 | 234 | 235 | 236 | 237 | 238 | 239 | 240 | 241 | 242 | 243 | 244 | 245 | 246 | 247 | 248 | 249 | 250 | 251 | 252 | 253 | 254 | 255 | 256 | 257 | 258 | 259 | 260 | 261 | 262 | 263 | 264 | 265 | 266 | 267 | 268 | 269 | 270 | 271 | 272 | 273 | 274 | 275 | 276 | 277 | 278 | 279 | 280 | 281 | 282 | 283 | 284 | 285 | 286 | 287 | 288 | 289 | 290 | 291 | 292 | 293 | 294 | 295 | 296 | 297 | 298 | 299 | 300 | 301 | 302 | 303 | 304 | 305 | 306 | 307 | 308 | 309 | 310 | 311 | 312 | 313 | 314 | 315 | 316 | 317 | 318 | 319 | 320 | 321 | 322 | 323 | 324 | 325 | 326 | 327 | 328 | 329 | 330 | 331 | 332 | 333 | 334 | 335 | 336 | 337 | 338 | 339 | 340 | 341 | 342 | 343 | 344 | 345 | 346 | 347 | 348 | 349 | 350 | 351 | 352 | 353 | 354 | 355 | 356 | 357 | 358 | 359 | 360 | 361 | 362 | 363 | 364 | 365 | 366 | 367 | 368 | 369 | 370 | 371 | 372 | 373 | 374 | 375 | 376 | 377 | 378 | 379 | 380 | 381 | 382 | 383 | 384 | 385 | 386 | 387 | 388 | 389 | 390 | 391 | 392 | 393 | 394 | 395 | 396 | 397 | 398 | 399 | 400 | 401 | 402 | 403 | 404 | 405 | 406 | 407 | 408 | 409 | 410 | 411 | 412 | 413 | 414 | 415 | 416 | 417 | 418 | 419 | 420 | 421 | 422 | 423 | 424 | 425 | 426 | 427 | 428 | 429 | 430 | 431 | 432 | 433 | 434 | 435 | 436 | 437 | 438 | 439 | 440 | 441 | 442 | 443 | 444 | 445 | 446 | 447 | 448 | 449 | 450 | 451 | 452 | 453 | 454 | 455 | 456 | 457 | 458 | 459 | 460 | 461 | 462 | 463 | 464 | 465 | 466 | 467 | 468 | 469 | 470 | 471 | 472 | 473 | 474 | 475 | 476 | 477 | 478 | 479 | 480 | 481 | 482 | 483 | 484 | 485 | 486 | 487 | 488 | 489 | 490 | 491 | 492 | 493 | 494 | 495 | 496 | 497 | 498 | 499 | 500 | 501 | 502 | 503 | 504 | 505 | 506 | 507 | 508 | 509 | 510 | 511 | 512 | 513 | 514 | 515 | 516 | 517 | 518 | 519 | 520 | 521 | 522 | 523 | 524 | 525 | 526 | 527 | 528 | 529 | 530 | 531 | 532 | 533 | 534 | 535 | 536 | 537 | 538 | 539 | 540 | Default 541 | 542 | 543 | 544 | 545 | 546 | 547 | Left to Right 548 | 549 | 550 | 551 | 552 | 553 | 554 | Right to Left 555 | 556 | 557 | 558 | 559 | 560 | 561 | 562 | 563 | 564 | 565 | Default 566 | 567 | 568 | 569 | 570 | 571 | 572 | Left to Right 573 | 574 | 575 | 576 | 577 | 578 | 579 | Right to Left 580 | 581 | 582 | 583 | 584 | 585 | 586 | 587 | 588 | 589 | 590 | 591 | 592 | 593 | 594 | 595 | 596 | 597 | 598 | 599 | 600 | 601 | 602 | 603 | 604 | 605 | 606 | 607 | 608 | 609 | 610 | 611 | 612 | 613 | 614 | 615 | 616 | 617 | 618 | 619 | 620 | 621 | 622 | 623 | 624 | 625 | 626 | 627 | 628 | 629 | 630 | 631 | 632 | 633 | 634 | 635 | 636 | 637 | 638 | 639 | 640 | 641 | 642 | 643 | 644 | 645 | 646 | 647 | 648 | 649 | 650 | 651 | 652 | 653 | 654 | 655 | 656 | 657 | 658 | 659 | 660 | 661 | 662 | 663 | 664 | 665 | 666 | 667 | 668 | 669 | 670 | 671 | 672 | 673 | 674 | 675 | 676 | 677 | 678 | 679 | 680 | 681 | 682 | 683 | 684 | 685 | 686 | 687 | 688 | 689 | 690 | 691 | 692 | 693 | 704 | 705 | 706 | 707 | 708 | 709 | 710 | 711 | 712 | 713 | 714 | 715 | 716 | 717 | 718 | 719 | 720 | 721 | 722 | 723 | 724 | 725 | 726 | 727 | 728 | 729 | 730 | 731 | 739 | 740 | 741 | 742 | 743 | 744 | 745 | 746 | 747 | 748 | 749 | 750 | 751 | 752 | 753 | 754 | 755 | 756 | 757 | 758 | 759 | 760 | 761 | 762 | 763 | 764 | 765 | 766 | 767 | 768 | 769 | 770 | 771 | 772 | 773 | 774 | 775 | 776 | 777 | 778 | 779 | 790 | 801 | 802 | 803 | 804 | 805 | 806 | 807 | 808 | 809 | 810 | 811 | 812 | 813 | 814 | 815 | 816 | 817 | 818 | 819 | 820 | 821 | 822 | -------------------------------------------------------------------------------- /PrivilegedTaskRunner/Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleDevelopmentRegion 6 | en 7 | CFBundleExecutable 8 | $(EXECUTABLE_NAME) 9 | CFBundleIconFile 10 | 11 | CFBundleIdentifier 12 | $(PRODUCT_BUNDLE_IDENTIFIER) 13 | CFBundleInfoDictionaryVersion 14 | 6.0 15 | CFBundleName 16 | $(PRODUCT_NAME) 17 | CFBundlePackageType 18 | APPL 19 | CFBundleShortVersionString 20 | 1.3 21 | CFBundleVersion 22 | 1 23 | LSMinimumSystemVersion 24 | $(MACOSX_DEPLOYMENT_TARGET) 25 | NSHumanReadableCopyright 26 | Copyright © 2017 Suolapeikko. All rights reserved. 27 | NSMainNibFile 28 | MainMenu 29 | NSPrincipalClass 30 | NSApplication 31 | SMPrivilegedExecutables 32 | 33 | com.suolapeikko.examples.PrivilegedTaskRunnerHelper 34 | identifier "com.suolapeikko.examples.PrivilegedTaskRunnerHelper" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: Antti Tulisalo (8TNP32P899)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */ 35 | 36 | 37 | 38 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/CodesignChecker.swift: -------------------------------------------------------------------------------- 1 | // 2 | // CodesignChecker.swift 3 | // PrivilegedTaskRunner 4 | // 5 | // Created by Antti Tulisalo on 20/09/2018. 6 | // 7 | 8 | import Foundation 9 | import Security 10 | 11 | struct CodesignCheckerError : Error 12 | { 13 | enum Category 14 | { 15 | case SecCodeCopySelf 16 | case SecCodeCopyStaticCode 17 | case SecCodeCopyGuestWithAttributes 18 | case SecStaticCodeCreateWithPath 19 | case SecCodeCopySigningInformation 20 | case GenericError 21 | } 22 | 23 | let type: Category 24 | let description: String 25 | let methodName: String 26 | let fileName: String 27 | let lineNumber: Int 28 | 29 | static func handle(error: CodesignCheckerError) -> String 30 | { 31 | let readableError = """ 32 | \nERROR - operation: [\(error.type)]; 33 | reason: [\(error.description)]; 34 | in method: [\(error.methodName)]; 35 | in file: [\(error.fileName)]; 36 | at line: [\(error.lineNumber)]\n 37 | """ 38 | print(readableError) 39 | return readableError 40 | } 41 | 42 | } 43 | 44 | 45 | // https://developer.apple.com/documentation/security/code_signing_services 46 | struct CodesignChecker { 47 | 48 | let kSecCSDefaultFlags = SecCSFlags.init(rawValue: 0) 49 | 50 | let kSecCSCustomFlags = SecCSFlags.init(rawValue: kSecCSDoNotValidateResources | kSecCSCheckNestedCode) 51 | 52 | // https://developer.apple.com/documentation/security/1401695-seccodecopystaticcode 53 | private func prepareSelf() throws -> SecStaticCode? { 54 | 55 | var secCodeSelf: SecCode? 56 | var secStaticCode: SecStaticCode? 57 | 58 | var resultCode = SecCodeCopySelf(kSecCSDefaultFlags, &secCodeSelf) 59 | 60 | guard resultCode == errSecSuccess, let secCode = secCodeSelf else { 61 | 62 | throw CodesignCheckerError(type: .SecCodeCopySelf, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 63 | } 64 | 65 | resultCode = SecCodeCopyStaticCode(secCode, kSecCSDefaultFlags, &secStaticCode) 66 | 67 | guard resultCode == errSecSuccess, secStaticCode != nil else { 68 | 69 | throw CodesignCheckerError(type: .SecCodeCopyStaticCode, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 70 | } 71 | 72 | return secStaticCode 73 | } 74 | 75 | // https://developer.apple.com/documentation/security/1395560-seccodecopyguestwithattributes 76 | private func prepare(withPID pid: pid_t) throws -> SecStaticCode? { 77 | 78 | var secCodePID: SecCode? 79 | var secStaticCode: SecStaticCode? 80 | 81 | let kSecAttributes = [ 82 | kSecGuestAttributePid : pid 83 | ] 84 | 85 | var resultCode = SecCodeCopyGuestWithAttributes(nil, kSecAttributes as CFDictionary, kSecCSDefaultFlags, &secCodePID) 86 | 87 | guard resultCode == errSecSuccess, let secCode = secCodePID else { 88 | 89 | throw CodesignCheckerError(type: .SecCodeCopyGuestWithAttributes, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 90 | } 91 | 92 | resultCode = SecCodeCopyStaticCode(secCode, kSecCSDefaultFlags, &secStaticCode) 93 | 94 | guard resultCode == errSecSuccess, secStaticCode != nil else { 95 | 96 | throw CodesignCheckerError(type: .SecCodeCopyStaticCode, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 97 | } 98 | 99 | return secStaticCode 100 | } 101 | 102 | // https://developer.apple.com/documentation/security/1396899-secstaticcodecreatewithpath 103 | private func prepare(withURL url: URL) throws -> SecStaticCode? { 104 | 105 | var secStaticCode: SecStaticCode? 106 | 107 | let resultCode = SecStaticCodeCreateWithPath(url as CFURL, [], &secStaticCode) 108 | 109 | guard resultCode == errSecSuccess && secStaticCode != nil else { 110 | 111 | throw CodesignCheckerError(type: .SecStaticCodeCreateWithPath, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 112 | } 113 | 114 | return secStaticCode 115 | } 116 | 117 | // Checking the validity of IDs 118 | private func isValid(secStaticCode: SecStaticCode) -> Bool { 119 | 120 | guard CFGetTypeID(secStaticCode) == SecStaticCodeGetTypeID() else { 121 | return false 122 | } 123 | 124 | let resultCode = SecStaticCodeCheckValidity(secStaticCode, kSecCSCustomFlags, nil) 125 | 126 | guard resultCode == errSecSuccess else { 127 | 128 | return false 129 | } 130 | 131 | return true 132 | } 133 | 134 | // https://developer.apple.com/documentation/security/1395809-seccodecopysigninginformation 135 | private func getCertificates(secStaticCode: SecStaticCode) throws -> [SecCertificate] { 136 | 137 | var secCodeInfoCFDict: CFDictionary? 138 | let resultCode = SecCodeCopySigningInformation(secStaticCode, SecCSFlags(rawValue: kSecCSSigningInformation), &secCodeInfoCFDict) 139 | 140 | guard resultCode == errSecSuccess, let secCodeInfo = secCodeInfoCFDict as? [String: Any] else { 141 | 142 | throw CodesignCheckerError(type: .SecCodeCopySigningInformation, description: String(describing: SecCopyErrorMessageString(resultCode, nil)), methodName: #function, fileName: #file, lineNumber: #line) 143 | } 144 | 145 | guard let secCertificates = secCodeInfo[kSecCodeInfoCertificates as String] as? [SecCertificate] else { 146 | 147 | throw CodesignCheckerError(type: .GenericError, description: "Failed to obtain certificates from the information dictionary", methodName: #function, fileName: #file, lineNumber: #line) 148 | } 149 | 150 | return secCertificates 151 | } 152 | 153 | public func getCertificatesSelf() throws -> [SecCertificate] { 154 | 155 | let secStaticCode: SecStaticCode? 156 | var certificates: [SecCertificate] = [] 157 | 158 | do { 159 | try secStaticCode = prepareSelf() 160 | 161 | if(!isValid(secStaticCode: secStaticCode!)) { 162 | throw CodesignCheckerError(type: .GenericError, description: "Validation failed", methodName: #function, fileName: #file, lineNumber: #line) 163 | } 164 | 165 | try certificates = getCertificates(secStaticCode: secStaticCode!) 166 | } 167 | catch let error { 168 | throw error 169 | } 170 | 171 | return certificates 172 | } 173 | 174 | public func getCertificates(forPID pid: pid_t) throws -> [SecCertificate] { 175 | 176 | let secStaticCode: SecStaticCode? 177 | var certificates: [SecCertificate] = [] 178 | 179 | do { 180 | try secStaticCode = prepare(withPID: pid) 181 | 182 | if(!isValid(secStaticCode: secStaticCode!)) { 183 | throw CodesignCheckerError(type: .GenericError, description: "Validation failed", methodName: #function, fileName: #file, lineNumber: #line) 184 | } 185 | 186 | try certificates = getCertificates(secStaticCode: secStaticCode!) 187 | } 188 | catch let error { 189 | throw error 190 | } 191 | 192 | return certificates 193 | } 194 | 195 | public func getCertificates(forURL url: URL) throws -> [SecCertificate] { 196 | 197 | let secStaticCode: SecStaticCode? 198 | var certificates: [SecCertificate] = [] 199 | 200 | do { 201 | try secStaticCode = prepare(withURL: url) 202 | 203 | if(!isValid(secStaticCode: secStaticCode!)) { 204 | throw CodesignCheckerError(type: .GenericError, description: "Validation failed", methodName: #function, fileName: #file, lineNumber: #line) 205 | } 206 | 207 | try certificates = getCertificates(secStaticCode: secStaticCode!) 208 | } 209 | catch let error { 210 | throw error 211 | } 212 | 213 | return certificates 214 | } 215 | } 216 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | CFBundleIdentifier 6 | com.suolapeikko.examples.PrivilegedTaskRunnerHelper 7 | CFBundleInfoDictionaryVersion 8 | 6.0 9 | CFBundleName 10 | com.suolapeikko.examples.PrivilegedTaskRunnerHelper 11 | CFBundleVersion 12 | 1.5 13 | SMAuthorizedClients 14 | 15 | identifier "com.suolapeikko.examples.PrivilegedTaskRunner" and anchor apple generic and certificate leaf[subject.CN] = "Mac Developer: Antti Tulisalo (8TNP32P899)" and certificate 1[field.1.2.840.113635.100.6.2.1] /* exists */ 16 | 17 | 18 | 19 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Launchd.plist: -------------------------------------------------------------------------------- 1 | 2 | 3 | 4 | 5 | Label 6 | com.suolapeikko.examples.PrivilegedTaskRunnerHelper 7 | MachServices 8 | 9 | com.suolapeikko.examples.PrivilegedTaskRunnerHelper 10 | 11 | 12 | 13 | 14 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper.swift: -------------------------------------------------------------------------------- 1 | // 2 | // ProcessHelper.swift 3 | // ProcessRunnerExample 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Foundation 9 | import AppKit 10 | 11 | class PrivilegedTaskRunnerHelper: NSObject, RemoteProcessProtocol, NSXPCListenerDelegate { 12 | 13 | var listener:NSXPCListener 14 | 15 | override init() { 16 | self.listener = NSXPCListener(machServiceName:HelperConstants.machServiceName) 17 | super.init() 18 | self.listener.delegate = self 19 | } 20 | 21 | /// Starts the helper daemon 22 | func run() { 23 | self.listener.resume() 24 | 25 | RunLoop.current.run() 26 | } 27 | 28 | /// Check that code sign certificates match 29 | func connectionIsValid(connection: NSXPCConnection ) -> Bool { 30 | 31 | let checker = CodesignChecker() 32 | var localCertificates: [SecCertificate] = [] 33 | var remoteCertificates: [SecCertificate] = [] 34 | let pid = connection.processIdentifier 35 | 36 | do { 37 | localCertificates = try checker.getCertificatesSelf() 38 | remoteCertificates = try checker.getCertificates(forPID: pid) 39 | } 40 | catch let error as CodesignCheckerError { 41 | NSLog(CodesignCheckerError.handle(error: error)) 42 | } 43 | catch let error { 44 | NSLog("Something unexpected happened: \(error.localizedDescription)") 45 | } 46 | 47 | NSLog("Local certificates: \(localCertificates)") 48 | NSLog("Remote certificates: \(remoteCertificates)") 49 | 50 | let remoteApp = NSRunningApplication.init(processIdentifier: pid) 51 | 52 | // Compare certificates 53 | if(remoteApp != nil && (localCertificates == remoteCertificates)) { 54 | NSLog("Certificates match!") 55 | return true 56 | } 57 | 58 | return false 59 | } 60 | 61 | /// Called when the client connects to the helper daemon 62 | func listener(_ listener:NSXPCListener, shouldAcceptNewConnection connection: NSXPCConnection) -> Bool { 63 | 64 | // ---------------------------------------------------------------------------------------------------- 65 | // Only accept new connections from applications using the same codesigning certificate as the helper 66 | // ---------------------------------------------------------------------------------------------------- 67 | if (!connectionIsValid(connection: connection)) { 68 | 69 | NSLog("Codesign certificate validation failed") 70 | 71 | return false 72 | } 73 | 74 | connection.exportedInterface = NSXPCInterface(with: RemoteProcessProtocol.self) 75 | connection.exportedObject = self; 76 | connection.resume() 77 | 78 | return true 79 | } 80 | 81 | /// Functions to run from the main app 82 | func runCommand(path: String, authData: NSData?, reply: @escaping (String) -> Void) { 83 | 84 | var authRef:AuthorizationRef? 85 | 86 | // Verify the passed authData looks reasonable 87 | if authData?.length == 0 || authData?.length != kAuthorizationExternalFormLength { 88 | NSLog("PrivilegedTaskRunnerHelper: Authorization data is malformed") 89 | } 90 | 91 | // Convert NSData passed through XPC to AuthorizationExternalForm 92 | let authExt: UnsafeMutablePointer = UnsafeMutablePointer.allocate(capacity: kAuthorizationExternalFormLength * MemoryLayout.size) 93 | memcpy(authExt, authData?.bytes, (authData?.length)!) 94 | _ = AuthorizationCreateFromExternalForm(authExt, &authRef) 95 | 96 | // Extract the AuthorizationRef from it's external form 97 | var status = AuthorizationCreateFromExternalForm(authExt, &authRef) 98 | 99 | if (status == errAuthorizationSuccess) { 100 | 101 | NSLog("PrivilegedTaskRunnerHelper: AuthorizationCreateFromExternalForm was successful") 102 | 103 | // Get the authorization right definition name of the function calling this 104 | let authName = "com.suolapeikko.examples.PrivilegedTaskRunner.runCommand" 105 | 106 | // Create an AuthorizationItem using that definition's name 107 | var authItem = AuthorizationItem(name: (authName as NSString).utf8String!, valueLength: 0, value:UnsafeMutableRawPointer(bitPattern: 0), flags: 0) 108 | 109 | // Create the AuthorizationRights for using the AuthorizationItem 110 | var authRight:AuthorizationRights = AuthorizationRights(count: 1, items:&authItem) 111 | 112 | // Check if the user is authorized for the AuthorizationRights. If not it might ask the user for their or an admins credentials 113 | status = AuthorizationCopyRights(authRef!, &authRight, nil, [ .extendRights, .interactionAllowed ], nil); 114 | 115 | if (status == errAuthorizationSuccess) { 116 | 117 | NSLog("PrivilegedTaskRunnerHelper: AuthorizationCopyRights was successful") 118 | 119 | // Create cli commands that needs to be run chained / piped 120 | let needsSudoCommand = CliCommand(launchPath: "/bin/ls", arguments: ["/var/db/sudo"]) 121 | 122 | // Prepare cli command runner 123 | let command = ProcessHelper(commands: [needsSudoCommand]) 124 | 125 | // Prepare result tuple 126 | var commandResult: String? 127 | 128 | // Execute cli commands and prepare for exceptions 129 | do { 130 | commandResult = try command.execute() 131 | } 132 | catch { 133 | 134 | NSLog("PrivilegedTaskRunnerHelper: Failed to run command") 135 | } 136 | 137 | reply(commandResult!) 138 | } 139 | } 140 | else { 141 | NSLog("PrivilegedTaskRunnerHelper: Authorization failed") 142 | } 143 | } 144 | 145 | /// Functions to run from the main app 146 | func runCommand(path: String, reply: @escaping (String) -> Void) { 147 | 148 | // Create cli commands that needs to be run chained / piped 149 | let needsSudoCommand = CliCommand(launchPath: "/bin/ls", arguments: ["/var/db/sudo"]) 150 | 151 | // Prepare cli command runner 152 | let command = ProcessHelper(commands: [needsSudoCommand]) 153 | 154 | // Prepare result tuple 155 | var commandResult: String? 156 | 157 | // Execute cli commands and prepare for exceptions 158 | do { 159 | commandResult = try command.execute() 160 | } 161 | catch { 162 | NSLog("PrivilegedTaskRunnerHelper: Failed to run command") 163 | } 164 | 165 | reply(commandResult!) 166 | } 167 | 168 | /// Return daemon's bundle version 169 | /// Because communication over XPC is asynchronous, all methods in the protocol must have a return type of void 170 | func getVersion(reply: (String) -> Void) { 171 | reply(Bundle.main.object(forInfoDictionaryKey: "CFBundleVersion") as! String) 172 | } 173 | } 174 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/ProcessHelper.swift: -------------------------------------------------------------------------------- 1 | // 2 | // CliCommandRunner 3 | // 4 | // Created by Suolapeikko 5 | // 6 | 7 | import Foundation 8 | 9 | /* 10 | Defines the command line command and it´s arguments 11 | */ 12 | struct CliCommand { 13 | let launchPath: String 14 | let arguments: [String] 15 | } 16 | 17 | /* 18 | Defines possible throwable errors 19 | */ 20 | enum CliError: Error { 21 | case no_TASKS 22 | case execute_FAILED(statusCode: Int, resultText: String) 23 | } 24 | 25 | class ProcessHelper { 26 | 27 | var tasks: [Process] = [] 28 | 29 | // Initializes the class with necessary command(s) and their arguments 30 | init(commands: [CliCommand]) { 31 | 32 | for command in commands { 33 | let task = Process() 34 | task.launchPath = command.launchPath 35 | task.arguments = command.arguments 36 | task.standardOutput = Pipe() 37 | tasks+=[task] 38 | } 39 | } 40 | 41 | // Execute supplied command(s) 42 | func execute() throws -> String { 43 | 44 | var statusCode = 0 45 | var resultText = "" 46 | let taskCount = tasks.count 47 | 48 | guard taskCount > 0 else {throw CliError.no_TASKS} 49 | 50 | // Either execute one command or chain several together 51 | if(tasks.count==1) { 52 | let task = tasks[0] 53 | task.launch() 54 | let data = (task.standardOutput! as AnyObject).fileHandleForReading.readDataToEndOfFile() 55 | task.waitUntilExit() 56 | let output: String = NSString(data: data, encoding: String.Encoding.utf8.rawValue)! as String 57 | statusCode = Int(task.terminationStatus) 58 | resultText = output.trimmingCharacters(in: CharacterSet.whitespacesAndNewlines) 59 | } 60 | else { 61 | for index in 1...taskCount { 62 | 63 | let task = tasks[index-1] 64 | 65 | if(index Pipe { 87 | let task = tasks[0] 88 | task.launch() 89 | task.waitUntilExit() 90 | 91 | return task.standardOutput as! Pipe 92 | } 93 | 94 | // Return this task's output stream pipe to enable command chaining functionality 95 | func getOutputPipe() -> Pipe { 96 | 97 | let task = tasks[0] 98 | 99 | return task.standardOutput as! Pipe 100 | } 101 | 102 | // Set this task's iput stream pipe to enable command chaining functionality 103 | func setInputPipe(_ inputPipe: Pipe) -> ProcessHelper { 104 | 105 | let task = tasks[0] 106 | 107 | task.standardInput = inputPipe 108 | 109 | return self 110 | } 111 | } 112 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/RemoteProcessProtocol.swift: -------------------------------------------------------------------------------- 1 | // 2 | // RemoteProcessProtocol.swift 3 | // ProcessRunnerExample 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Foundation 9 | 10 | struct HelperConstants { 11 | static let machServiceName = "com.suolapeikko.examples.PrivilegedTaskRunnerHelper" 12 | } 13 | 14 | /// Protocol with inter process method invocation methods that ProcessHelper supports 15 | /// Because communication over XPC is asynchronous, all methods in the protocol must have a return type of void 16 | @objc(RemoteProcessProtocol) 17 | protocol RemoteProcessProtocol { 18 | func getVersion(reply: @escaping (String) -> Void) 19 | func runCommand(path: String, authData: NSData?, reply: @escaping (String) -> Void) 20 | func runCommand(path: String, reply: @escaping (String) -> Void) 21 | } 22 | -------------------------------------------------------------------------------- /PrivilegedTaskRunnerHelper/main.swift: -------------------------------------------------------------------------------- 1 | // 2 | // main.swift 3 | // PrivilegedTaskRunnerHelper 4 | // 5 | // Created by Suolapeikko 6 | // 7 | 8 | import Foundation 9 | 10 | NSLog("Starting PrivilegedTaskRunner....") 11 | let helper = PrivilegedTaskRunnerHelper() 12 | helper.run() 13 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Privileged Helper Example with Swift 4 2 | 3 | My take on privileged helper, thanks to [Erik's privileged helper tool example](https://github.com/erikberglund/SwiftPrivilegedHelper) 4 | 5 | Update: Erik's new privileged helper example is quite perfect, so I won't probably update this anymore. 6 | 7 | ## Project and Target 8 | * Create a project (for example, a normal Cocoa project, like PrivilegedTaskRunner in this example) 9 | * Create a new command line target (PrivilegedTaskRunnerHelper) 10 | 11 | ## Target Settings 12 | * PrivilegedTaskRunner -> Copy helper (Build Phases) 13 | * PrivilegedTaskRunner -> Compile sources (Build Phases) 14 | 15 | ## Make sure that target name for helper tool is with full namespace (for example: com.suolapeikko.examples.PrivilegedRunnerHelper) 16 | 17 | ## Helper Linker Settings 18 | * Helper -> Build Settings -> Linking -> Other Linker Flags 19 | 20 | ``` 21 | -sectcreate 22 | __TEXT 23 | __info_plist 24 | "$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Info.plist" 25 | -sectcreate 26 | __TEXT 27 | __launchd_plist 28 | "$(SRCROOT)/PrivilegedTaskRunnerHelper/PrivilegedTaskRunnerHelper-Launchd.plist" 29 | ``` 30 | 31 | ## Plist Files 32 | 33 | * See PrivilegedTaskRunnerHelper-Info.plist and PrivilegedTaskRunnerHelper-Launchd.plist 34 | * Anchor line with Certificate info needs to be created by Apple's tool called SMJobBlessUtil.py 35 | 36 | SMJobBless creates lines to Info.plist and Helper-Info.plist: 37 | 38 | `./SMJobBlessUtil.py setreq PrivilegedTaskRunner.app PrivilegedTaskRunner/Info.plist PrivilegedTaskRunner/PrivilegedTaskRunnerHelper-Info.plist` 39 | 40 | SMJobBless contains requirements checker: 41 | 42 | `./SMJobBlessUtil.py check PrivilegedTaskRunner.app` 43 | --------------------------------------------------------------------------------