Closed jakaplan closed 2 years ago
@amomchilov optionally available for your review. Will leave this open for at least a couple days.
The motivation behind this was discovering that despite login items running from the app bundle they're contained within, any non-sandboxed app on the system can communicate with them. (This is true even when the login item is itself sandboxed - the sandbox is clearly unidirectional and provides no incoming protection.) This potentially allows for certain types of privilege escalation, from the Apple Developer forums:
[W]hen you look at it from the per-process privilege model now supported on the Mac, this may well represent a privilege escalation. For example, the user might have granted your app a TCC privilege (in System Preferences > Security & Privacy > Privacy) and you don’t want to hand that out to anyone.
I continue to be rather surprised and unimpressed by XPC's default security.
From an API user perspective this is basically the equivalent of `forThisBlessedHelperTool()` for `SMJobBless`. Under the hood, the implementation is considerably different. I've tested this manually, but don't have any great ideas on how to go about doing this in automated fashion (without adopting/implementing an entire integration testing setup).
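An added example of the kind of incoming-connection check described above (not SecureXPC's own code, and not part of this PR): a login item's Mach service listener that only accepts clients satisfying a code signing requirement, so an arbitrary non-sandboxed process on the system cannot talk to it. It assumes the `xpc_connection_set_peer_code_signing_requirement` API (macOS 12+) and uses placeholder values for the service name and Team ID.

```swift
import Foundation
import XPC

// Placeholder values: use your login item's real Mach service name and Team ID.
let machServiceName = "com.example.MyApp.LoginItem"
// Requirement language: only code signed with this Team ID may connect.
let peerRequirement = "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID0000\""

let listener = xpc_connection_create_mach_service(
    machServiceName, nil, UInt64(XPC_CONNECTION_MACH_SERVICE_LISTENER))

xpc_connection_set_event_handler(listener) { event in
    // The listener receives new peer connections (or error objects).
    guard xpc_get_type(event) == XPC_TYPE_CONNECTION else { return }
    let peer = event

    // Install the requirement before resuming the peer; XPC then refuses to
    // deliver messages from any client whose code does not satisfy it.
    if #available(macOS 12.0, *) {
        let rc = xpc_connection_set_peer_code_signing_requirement(peer, peerRequirement)
        guard rc == 0 else {
            // Requirement could not be parsed/applied: fail closed rather than
            // leaving the connection open to every process on the machine.
            xpc_connection_cancel(peer)
            return
        }
    } else {
        // No supported way to enforce the requirement here: fail closed.
        xpc_connection_cancel(peer)
        return
    }

    xpc_connection_set_event_handler(peer) { message in
        // Only dictionaries are requests; errors (including a rejected peer) are ignored.
        guard xpc_get_type(message) == XPC_TYPE_DICTIONARY else { return }
        if let reply = xpc_dictionary_create_reply(message) {
            xpc_dictionary_set_string(reply, "status", "ok")
            xpc_connection_send_message(peer, reply)
        }
    }
    xpc_connection_resume(peer)
}

xpc_connection_resume(listener)
dispatchMain()
```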