taskgated

task_for_pid access control daemon

taskgated [-s] [-t timeout] [-i pid]

daemon that implements a policy for the task_for_pid system service.
When the kernel is asked for the task port of a process, and preliminary access control checks pass, it invokes this daemon (via launchd) to make the decision.

/System/Library/LaunchDaemons/com.apple.taskgated.plist

    <key>ProgramArguments</key> <array> <string>/usr/libexec/taskgated</string> <string>-s</string> </array>
    <key>Label</key> <string>com.apple.taskgated</string>
    <key>MachServices</key> <dict> <key>com.apple.taskgated</key> <dict> <key>TaskSpecialPort</key> <integer>9</integer> </dict> </dict>
    <key>POSIXSpawnType</key> <string>Interactive</string>
    <key>EnableTransactions</key> <true/>

    <key>Label</key> <string>com.apple.taskgated-helper</string>
    <key>ProgramArguments</key> <array> <string>/usr/libexec/taskgated-helper</string> </array>
    <key>POSIXSpawnType</key> <string>Interactive</string>
    <key>MachServices</key> <dict> <key>com.apple.taskgated.helper</key> <true/> </dict> 

-s signed applications marked as "safe" have free access to task ports, without having to pass an authorization check.
Callers must be marked both "allowed" and "safe".
-t timeout quits after seconds of inactivity. Zero: quit after servicing each request, a small positive timeout is better for performance.
-i pid Inject the service port of taskgated into the process with the given pid, rather than relying on launchd to install it system-wide. This is for testing only, and requires the launchd configuration for taskgated to be removed.

AUTHORIZATION RIGHTS

system.privilege.taskport Authorization right used to check access of allowed (but not safe) callers.

INFO KEYS

SecTaskAccess

FILES

/etc/authorization to configure the authorization used. Not present as of 9/6/18
/System/Library/LaunchDaemons/com.apple.taskgated startup configuration file Not present as of 9/6/18

See

security(1), launchd