its-a-feature / CSOps

Utility to manipulate codesigned applications in Mac OS X. Demonstrates the use of the csops system call.


# CSOps - A program that invokes the csops system call on Mac OS X

## Modified
This version of CSOps was modified from the original version forked from axelexic to fix a few breaking changes and to remove some functionality that I didn't need.

## Description
The csops system call is an Apple private system call used by many system daemons (mainly /usr/libexec/taskgated) to verify code signatures. The 'codesign' command line utility creates a hash of the executable, one hash per memory page, and stores them in a code directory. 'codesign' then computes the hash of the code directory and signs this hash. While signing code, one can specify whether the signature should be embedded inside the executable itself, kept in a separate external file, or stored in a separate database (/var/db/DetachedSignature, an sqlite3 database with two tables, code and global). When the execv/__mac_execve system call runs, it checks whether the executable is code signed. If it is not, the kernel uses the TASK_ACCESS_PORT (mach port 14) to communicate with 'taskgated' in userspace and ask whether the process has a detached signature. 'taskgated' consults the executable as well as the DetachedSignature database to verify that the code was signed. (Note that this whole process results in multiple context switches and is highly inefficient. If you want to avoid this inefficiency, you are well advised to sign your code.)

While signing code, one can specify what action the kernel should take if the signature is invalid. For invalid code, the options are to mark it as 'kill' (which will send a SIGKILL to the process) or to mark it as 'hard', which doesn't seem to do anything. These flags are checked at the time the kernel executes the execve (__mac_execve) system call.

At runtime, one can use the csops system call to query the code-signing state of an already running process, mark its code as invalid and kill it. This utility is a command line tool for doing these things. Note that giving a PID value of 0 (zero) invokes these operations on the CSOps utility itself. To manipulate the state of any other process, you must have root privileges.

Usage: ./CSOps PID
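As an added example (not code from the CSOps repository), a minimal C program that queries a process's code-signing status through csops with the CS_OPS_STATUS operation and decodes the 'hard' and 'kill' flags described above. The constant values are those of Apple's <sys/codesign.h>; the flag decoding compiles anywhere, while the csops call itself is only compiled on macOS.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* csops operation number and status bits, values as in Apple's <sys/codesign.h>. */
#define CS_OPS_STATUS 0u
#define CS_VALID      0x00000001u  /* signature currently valid */
#define CS_HARD       0x00000100u  /* 'hard': invalid pages are not loaded */
#define CS_KILL       0x00000200u  /* 'kill': SIGKILL the process if it becomes invalid */
#define CS_KILLED     0x01000000u  /* kernel already killed it for invalid code */
#define CS_SIGNED     0x20000000u  /* process carries a code signature */
static const struct { uint32_t bit; const char *name; } cs_names[] = {
    { CS_VALID, "VALID" }, { CS_HARD, "HARD" }, { CS_KILL, "KILL" },
    { CS_KILLED, "KILLED" }, { CS_SIGNED, "SIGNED" },
};
/* The kernel's reaction if the code of a process with these flags turns invalid. */
const char *cs_invalid_action(uint32_t flags)
{
    if (flags & CS_KILL) return "SIGKILL";
    if (flags & CS_HARD) return "hard";
    return "none";
}
/* Writes the names of the set bits, '|'-separated, into out; returns how many were set. */
int cs_describe(uint32_t flags, char *out, size_t outlen)
{
    int n = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof cs_names / sizeof cs_names[0]; i++) {
        if (!(flags & cs_names[i].bit)) continue;
        if (n++) strncat(out, "|", outlen - strlen(out) - 1);
        strncat(out, cs_names[i].name, outlen - strlen(out) - 1);
    }
    return n;
}
#ifdef __APPLE__
/* csops is exported by libSystem; declared by hand so no private header is needed. */
extern int csops(pid_t pid, unsigned int ops, void *useraddr, size_t usersize);
int main(int argc, char **argv)   /* usage: ./cs_status [PID]; PID 0 or omitted = self */
{
    uint32_t flags = 0;
    char buf[96];
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : 0;
    if (csops(pid, CS_OPS_STATUS, &flags, sizeof flags) != 0) { perror("csops"); return 1; }
    cs_describe(flags, buf, sizeof buf);
    printf("pid %d: flags 0x%08x [%s], on invalid code: %s\n",
           (int)pid, flags, buf, cs_invalid_action(flags));
    return 0;
}
#endif
```

Querying another process's status needs the same root privileges the utility above requires; a PID of 0 reports on the program itself.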
