fruity: Fix lockdown over CoreDevice regression

Introduced by the recent change in d1df792, where our RSDCheckin includes an EscrowBag in order to support networked lockdown with services such as “com.apple.crashreportmover”. Turns out this broke support for quite a few other services, as the presence of an EscrowBag requires that the particular service is able to talk to AppleKeyStoreUserClient. Not yet sure how to handle this. For now we'll maintain a list of services that lack such privileges, so we can omit the EscrowBag for those. Kudos to @as0ler for reporting and helping troubleshoot.
frida · Jan 27, 2025 · 9c13120 · 9c13120
1 parent e70812a
commit 9c13120
Showing 1 changed file with 22 additions and 1 deletion.
diff --git a/src/fruity/device-monitor.vala b/src/fruity/device-monitor.vala
@@ -188,6 +188,18 @@ namespace Frida.Fruity {
 			new Gee.ArrayQueue<UsbmuxLockdownServiceRequest> ();
 		private LockdownClient? cached_usbmux_lockdown_client;
 
+		private const string[] LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT = {
+			"com.apple.accessibility.axAuditDaemon.remoteserver",
+			"com.apple.afc",
+			"com.apple.companion_proxy",
+			"com.apple.crashreportcopymobile",
+			"com.apple.GPUTools.MobileService",
+			"com.apple.idamd",
+			"com.apple.PurpleReverseProxy.Conn",
+			"com.apple.streaming_zip_conduit",
+			"com.apple.webinspector",
+		};
+
 		internal void close () {
 			transports.clear ();
 		}
@@ -248,7 +260,7 @@ namespace Frida.Fruity {
 					checkin.set_string ("Label", "Xcode");
 					checkin.set_string ("ProtocolVersion", "2");
 					unowned Bytes? key = tunnel.remote_unlock_host_key;
-					if (key != null)
+					if (key != null && lockdown_service_supports_escrow_bag (service_name))
 						checkin.set_bytes ("EscrowBag", key);
 
 					try {
@@ -286,6 +298,15 @@ namespace Frida.Fruity {
 			return yield request.promise.future.wait_async (cancellable);
 		}
 
+		// FIXME: Replace with `element in array`-check once Vala compiler bug has been fixed so generated C code is warning-free.
+		private static bool lockdown_service_supports_escrow_bag (string name) {
+			foreach (unowned string s in LOCKDOWN_SERVICES_WITHOUT_ESCROW_BAG_SUPPORT) {
+				if (s == name)
+					return false;
+			}
+			return true;
+		}
+
 		private async void process_usbmux_lockdown_service_requests () {
 			UsbmuxLockdownServiceRequest? req;
 			bool already_invalidated = false;