pwnee

## iOS_16_Launch_Constraints.txt
iOS 16 introduced launch constraints, which can be used to constraint the launch of an application.
There are three types of constraints:
    Self Constraints, which the launched application itself must meet
    Parent Constraints, which the parent process must meet
    Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)

Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch and they can be included in the code signature, in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).

Constraint Categories (from TrustCache, new in version 2):

## diff-xnu-8020.140.20.0.4.md

      
              1 file
            
          
              0 forks
            
          
              0 comments
            
          
              0 stars
            
          
                pwnee
                / diff-xnu-8020.140.20.0.4.md
            
            
              Created
              May 20, 2022 09:03
                — forked from Proteas/diff-xnu-8020.140.20.0.4.md
            
              
                diff xnu-8020.140.20.0.4~14
              
          
    kernel


xnu-8020.140.20.0.4~14

My Conclusion


kernel heap hardening: tag, type hash

kmem_alloc_guard
kmem_apply_security_policy


codesign, protecting the members with DA Key

csfg_get_*


## library_injector.cpp
// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector,
// then codesign with com.apple.developer.endpoint-security.client and run the
// program as root.

#include <EndpointSecurity/EndpointSecurity.h>
#include <algorithm>
#include <bsm/libbsm.h>
#include <cstdint>
#include <cstdlib>
#include <cstring>
	iOS 16 introduced launch constraints, which can be used to constraint the launch of an application.
	There are three types of constraints:
	Self Constraints, which the launched application itself must meet
	Parent Constraints, which the parent process must meet
	Responsible Constraints, which the "responsible process" must meet (I assume that the responsible process is the process that asked launchd to launch a service)

	Additionally, the TrustCache format was updated (see below) to support assigning each binary a "Constraint Category", which forces Self and Parent Constraints.
	Note that Self, Parent and Responsible Constraints can also be set by the process performing the launch and they can be included in the code signature, in the new blob type 0xFADE8181. In both cases, the constraints are DER encoded (just like the DER entitlements).

	Constraint Categories (from TrustCache, new in version 2):
	// To compile: clang++ -arch x86_64 -arch arm64 -std=c++20 library_injector.cpp -lbsm -lEndpointSecurity -o library_injector,
	// then codesign with com.apple.developer.endpoint-security.client and run the
	// program as root.

	#include <EndpointSecurity/EndpointSecurity.h>
	#include <algorithm>
	#include <bsm/libbsm.h>
	#include <cstdint>
	#include <cstdlib>
	#include <cstring>