From owner-trustedbsd-audit@freebsd.org Sun Aug 11 14:10:56 2019 Return-Path: Delivered-To: trustedbsd-audit@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 3488BB9D41 for ; Sun, 11 Aug 2019 14:10:56 +0000 (UTC) (envelope-from asv@inhio.net) Received: from cz-prg-mx-01.inhio.net (mail.inhio.net [178.238.36.226]) by mx1.freebsd.org (Postfix) with ESMTP id 46619B6yV8z400S for ; Sun, 11 Aug 2019 14:10:54 +0000 (UTC) (envelope-from asv@inhio.net) Received: from titanio (titanio.inhio.net [10.0.0.21]) by cz-prg-mx-01.inhio.net (Postfix) with ESMTPSA id 6C7FD5CDF2; Sun, 11 Aug 2019 16:10:47 +0200 (CEST) Message-ID: <0e9ca039cfc2d4cc860b08c40e2bfdbdf660e30e.camel@inhio.net> Subject: Re: Audit Pipe Drops From: ASV To: b , trustedbsd-audit@freebsd.org Date: Sun, 11 Aug 2019 16:10:41 +0200 In-Reply-To: <10BE768D-32B6-4457-9A77-8144B941F566@intraversal.de> References: <5247B21D-FB16-4949-85E5-9D0D8B37908C@intraversal.de> <10BE768D-32B6-4457-9A77-8144B941F566@intraversal.de> Content-Type: multipart/signed; micalg="pgp-sha512"; protocol="application/pgp-signature"; boundary="=-L6EtKb6WNAsA40MJZlGo" X-Mailer: Evolution 3.28.5 FreeBSD GNOME Team Mime-Version: 1.0 X-Rspamd-Queue-Id: 46619B6yV8z400S X-Spamd-Bar: ------- Authentication-Results: mx1.freebsd.org; dkim=none; dmarc=none; spf=pass (mx1.freebsd.org: domain of asv@inhio.net designates 178.238.36.226 as permitted sender) smtp.mailfrom=asv@inhio.net X-Spamd-Result: default: False [-7.14 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; R_SPF_ALLOW(-0.20)[+mx]; MV_CASE(0.50)[]; MIME_GOOD(-0.20)[multipart/signed,text/plain]; DMARC_NA(0.00)[inhio.net]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; TO_MATCH_ENVRCPT_SOME(0.00)[]; NEURAL_HAM_SHORT(-0.98)[-0.984,0]; RCPT_COUNT_TWO(0.00)[2]; SIGNED_PGP(-2.00)[]; RCVD_NO_TLS_LAST(0.10)[]; FROM_EQ_ENVFROM(0.00)[]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+,1:+,2:~]; ASN(0.00)[asn:24971, ipnet:178.238.32.0/20, country:CZ]; MID_RHS_MATCH_FROM(0.00)[]; IP_SCORE(-2.35)[ip: (-9.86), ipnet: 178.238.32.0/20(-4.93), asn: 24971(2.95), country: CZ(0.08)]; RCVD_COUNT_TWO(0.00)[2] X-BeenThere: trustedbsd-audit@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: TrustedBSD Audit Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 11 Aug 2019 14:10:56 -0000 --=-L6EtKb6WNAsA40MJZlGo Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Hi, I personally don't know the answer to your question; I've never tried to do that. But I'd like to inform you that since 2016 only 2 emails got a reply on this list. Just for you to know better what to expect here. Good luck. On Mon, 2019-06-24 at 10:09 +0200, b wrote: > Hello again, >=20 > Could someone please comment on the following? >=20 >=20 > > The FreeBSD Handbook has the notion that =E2=80=9Eaudit event classes m= ay > > be customized by modifying the audit_class and audit_event > > configuration files=E2=80=9C. I assume this could also mean adding cust= om > > audit classes and associating them with the event types of > > interest. How can this be done programmatically for local audit > > trails? Are there any code examples available? >=20 >=20 > I am aware that this list is very low traffic. Unfortunately I have > been unsuccessful in finding another place to discuss bsm. If there > are other places, please let me know. >=20 >=20 > Thank you, > Benjamin >=20 >=20 >=20 >=20 > > Am 06.06.2019 um 13:37 schrieb b via Darwin-dev < > > darwin-dev@lists.apple.com>: > >=20 > > Hello everyone, > >=20 > > I am crossposting this message to the darwin dev list and the > > trustedbsd-audit list since relevant knowledge might be shared > > among members of both lists and I was not really sure how to > > properly present the issue to both lists separately. Also, my post > > is quite long as it bundles the outcome of several days of > > debugging. Please excuse. > >=20 > > I am currently reading a cloned bsm audit pipe from a user space > > client on macOS to retrieve information about process creation and > > operations on the system (pc|ex). In the future I want to add other > > audit classes as well. I am currently looking at bsmtrace as a > > reference implementation of the read loop. > >=20 > > There is one major issue, though, that took me a while to become > > aware of. The audit pipe is allowed to drop audit records in the > > kernel, which eventually is technically inevitable of course. The > > issue I am facing is finding a reliable solution to avoid this. > >=20 > > Drops can occur only in audit_pipe_append (audit_pipe.c) under two > > conditions, (1) the queue is full or (2) the kernel was not able to > > allocate memory without blocking. > >=20 > > (1) can generally be managed in user space client code. There is > > only one scenario I found (up to now) where even the maximum audit > > pipe length is insufficient and that is system wake up procedure. > > Even before the system emits kIOMessageSystemWillPowerOn there are > > lots and lots of audit events that eventually max out the audit > > pipe. > >=20 > > (2) can=E2=80=99t be influenced from a user space client, at least not = that > > I am aware of. This happens sporadically but reproducibly when the > > system is under a lot of stress, e.g. when a lot of processes are > > spawned at a time and start executing some audited code. > >=20 > > All this leads to several questions of which I am not sure if they > > qualify as potential bug reports or enhancement requests. I would > > be more than happy if someone with a better understanding of things > > could comment on them or even suggest possible solution approaches. > >=20 > > - (1) could clearly be solved by increasing the allowed maximum > > audit pipe length which currently is 1024. This maximum value is > > probably several years old by now and I could imagine that in the > > meantime the xnu kernel has become a lot more =E2=80=9Etalkative=E2=80= =9C. Is there > > some technical limitation that would prevent an increase? > >=20 > > - I am wondering how the global audit trail that is written to disk > > is able to perform better, i.e. does not drop (seemingly), than the > > cloned audit pipe purely in memory? Is there some penalty > > associated with passing memory from the kernel to user space? How > > does the global audit trail not struggle with the M_NOWAIT policy? > >=20 > > - Since the audit pipe tries to acquire memory by calling malloc > > with the M_NOWAIT flag, which I assume happens for a reason, is > > there some strategy or configuration available from user space to > > ease the restraint on kernel memory allocation =E2=80=93 or am I simply= out > > of luck here? > >=20 > > - I am surely not an expert on memory allocation and even less so > > in kernel space. With that said, I imagine that allocating only one > > block of memory for both, pointer (ape) and memory blob (ape- > > >ape_record), instead of two separate memory allocations would half > > the potential for M_NOWAIT failure. > >=20 > > - Potential for both (1) and (2) could at least be reduced by > > further filtering events in the kernel. I am not interested in each > > and every audit event type. The FreeBSD Handbook has the notion > > that =E2=80=9Eaudit event classes may be customized by modifying the > > audit_class and audit_event configuration files=E2=80=9C. I assume this > > could also mean adding custom audit classes and associating them > > with the event types of interest. How can this be done > > programmatically for local audit trails? Are there any code > > examples available? > >=20 > > I hope this does not come across (too) snarky but my expectation > > towards a security mechanism is first and foremost reliability. > > Information loss is definitely not supportive in that. Therefore I > > either hope for a viable existing solution for my problem or am > > very eager for a fix to the issues at hand. > >=20 > > Thanks, > > Benjamin > > _______________________________________________ > > Do not post admin requests to the list. They will be ignored. > > Darwin-dev mailing list (Darwin-dev@lists.apple.com) > > Help/Unsubscribe/Update your Subscription: > >=20 https://lists.apple.com/mailman/options/darwin-dev/b-spam%40intraversal.de > >=20 > > This email sent to b-spam@intraversal.de >=20 > _______________________________________________ > trustedbsd-audit@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/trustedbsd-audit > To unsubscribe, send any mail to " > trustedbsd-audit-unsubscribe@freebsd.org" --=-L6EtKb6WNAsA40MJZlGo Content-Type: application/pgp-signature; name="signature.asc" Content-Description: This is a digitally signed message part Content-Transfer-Encoding: 7bit -----BEGIN PGP SIGNATURE----- iQEzBAABCgAdFiEE5dE8BwbhhcQw2TsezaQsUNd+zIkFAl1QIeIACgkQzaQsUNd+ zIlLkggApXRuiMUODgMOoK/Fkl0iT9CAXjQcQPNK/eY8+RD4Vo0hAu+GhoDuOgLU PqY0imRe17YwtiBJNgKqsZSzhHMXE9mQ9OU1Lbxjiyy29/0Kwh4kmzngMdn6HgZE dJ1CLqG6mvpwL0CnBIh7J7ISl1YznjuivmVfcTRndk4SRKxjl9l1yelDVTwzuo/r w0bIMbmU/7m21hPbo2IYEOhpZW77rkFoXqd406S8rp9/raziF8QqftC0ESXk2tkm WTSJ+dzq6ourcL7VhrlFqjA1GO6PsjEJ15rLtyY0XdG3NEC9vGMBOYVpg8IhemMp jd+IYXtmXy8euWkAb3ifzzgBc9zsdQ== =Yhbi -----END PGP SIGNATURE----- --=-L6EtKb6WNAsA40MJZlGo-- From owner-trustedbsd-audit@freebsd.org Mon Aug 12 22:51:03 2019 Return-Path: Delivered-To: trustedbsd-audit@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 60F91C3BA5 for ; Mon, 12 Aug 2019 22:51:03 +0000 (UTC) (envelope-from dano@well.com) Received: from xmx.well.com (xmx.well.com [52.0.124.244]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "", Issuer "The WELL Group" (not verified)) by mx1.freebsd.org (Postfix) with ESMTPS id 466rft48Cdz46hX for ; Mon, 12 Aug 2019 22:51:02 +0000 (UTC) (envelope-from dano@well.com) X-Date: Mon, 12 Aug 2019 15:51:01 -0700 Received: from zimbra.well.com (zimbra.well.com [172.30.1.200]) by xmx.well.com (8.14.4/8.14.3) with ESMTP id x7CMp1LT027367 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Mon, 12 Aug 2019 15:51:01 -0700 Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbra.well.com (Postfix) with ESMTP id 2490C100B9889 for ; Mon, 12 Aug 2019 15:51:01 -0700 (PDT) Received: from zimbra.well.com ([127.0.0.1]) by localhost (zimbra.well.com [127.0.0.1]) (amavisd-new, port 10032) with ESMTP id GHPdyy0fDPa2 for ; Mon, 12 Aug 2019 15:50:59 -0700 (PDT) Received: from localhost (localhost.localdomain [127.0.0.1]) by zimbra.well.com (Postfix) with ESMTP id 8B945100B9825 for ; Mon, 12 Aug 2019 15:50:59 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.9.2 zimbra.well.com 8B945100B9825 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=well.com; s=6EE067AA-1511-11E5-BE77-89F1327358AA; t=1565650259; bh=V1THyjCzovFs5WgpYwoxiv6Z5m4RjRCUJBLLMr7DsGU=; h=From:Content-Type:Mime-Version:Subject:Date:To:Message-Id; b=grO2C4Y9KinLaKDOUxNjDkaf/qc3xbvFRD2vb0uvJDzxEucryuXXlgIcGT7KlK+j4 tD4bZgl2qGHJDS7PfmlHfimkSxleWi9zXQGucFl/v49hU664gilKApLc/q50N6XCER jBbJhXgUI91TTkDXsDssGLGJECvnz13No7U5vqZ8= X-Virus-Scanned: amavisd-new at well.com Received: from zimbra.well.com ([127.0.0.1]) by localhost (zimbra.well.com [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id tAJIMxZODKBp for ; Mon, 12 Aug 2019 15:50:59 -0700 (PDT) Received: from [192.168.1.7] (unknown [47.151.150.37]) by zimbra.well.com (Postfix) with ESMTPSA id 2C1B9100B9887 for ; Mon, 12 Aug 2019 15:50:59 -0700 (PDT) From: "Dan O'Donnell" Content-Type: multipart/signed; boundary="Apple-Mail=_89CE0695-66E1-4F12-A667-81CFA56B1E76"; protocol="application/pgp-signature"; micalg=pgp-sha512 Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.1\)) Subject: Re: Audit Pipe Drops Date: Mon, 12 Aug 2019 15:50:57 -0700 References: <5247B21D-FB16-4949-85E5-9D0D8B37908C@intraversal.de> <10BE768D-32B6-4457-9A77-8144B941F566@intraversal.de> <0e9ca039cfc2d4cc860b08c40e2bfdbdf660e30e.camel@inhio.net> To: trustedbsd-audit@freebsd.org In-Reply-To: <0e9ca039cfc2d4cc860b08c40e2bfdbdf660e30e.camel@inhio.net> Message-Id: <24140A96-3C1C-4168-9AEE-B9787C9FC7A6@well.com> X-Mailer: Apple Mail (2.3445.9.1) X-Greylist: inspected by milter-greylist-4.5.12 (xmx.well.com [172.30.1.105]); Mon, 12 Aug 2019 15:51:01 -0700 (PDT) for IP:'172.30.1.200' DOMAIN:'zimbra.well.com' HELO:'zimbra.well.com' FROM:'dano@well.com' RCPT:'' X-Rspamd-Queue-Id: 466rft48Cdz46hX X-Spamd-Bar: ---- Authentication-Results: mx1.freebsd.org; dkim=fail (rsa verify failed) header.d=well.com header.s=6EE067AA-1511-11E5-BE77-89F1327358AA header.b=grO2C4Y9; dmarc=none; spf=pass (mx1.freebsd.org: domain of dano@well.com designates 52.0.124.244 as permitted sender) smtp.mailfrom=dano@well.com X-Spamd-Result: default: False [-4.74 / 15.00]; RCVD_VIA_SMTP_AUTH(0.00)[]; R_DKIM_REJECT(1.00)[well.com:s=6EE067AA-1511-11E5-BE77-89F1327358AA]; R_SPF_ALLOW(-0.20)[+ip4:52.0.124.244]; HAS_ATTACHMENT(0.00)[]; TO_DN_NONE(0.00)[]; MV_CASE(0.50)[]; RCVD_IN_DNSWL_MED(-0.20)[244.124.0.52.list.dnswl.org : 127.0.5.2]; DKIM_TRACE(0.00)[well.com:-]; NEURAL_HAM_SHORT(-0.98)[-0.980,0]; SIGNED_PGP(-2.00)[]; FROM_EQ_ENVFROM(0.00)[]; IP_SCORE(-0.66)[asn: 14618(-3.27), country: US(-0.05)]; MIME_TRACE(0.00)[0:+,1:+,2:+,3:~,4:~]; ASN(0.00)[asn:14618, ipnet:52.0.0.0/15, country:US]; RCVD_TLS_LAST(0.00)[]; MID_RHS_MATCH_FROM(0.00)[]; ARC_NA(0.00)[]; NEURAL_HAM_MEDIUM(-1.00)[-1.000,0]; FROM_HAS_DN(0.00)[]; TO_MATCH_ENVRCPT_ALL(0.00)[]; NEURAL_HAM_LONG(-1.00)[-1.000,0]; MIME_GOOD(-0.20)[multipart/signed,multipart/alternative,text/plain]; PREVIOUSLY_DELIVERED(0.00)[trustedbsd-audit@freebsd.org]; DMARC_NA(0.00)[well.com]; RCPT_COUNT_ONE(0.00)[1]; RCVD_COUNT_SEVEN(0.00)[7] X-Content-Filtered-By: Mailman/MimeDel 2.1.29 X-BeenThere: trustedbsd-audit@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: TrustedBSD Audit Discussion List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 12 Aug 2019 22:51:03 -0000 --Apple-Mail=_89CE0695-66E1-4F12-A667-81CFA56B1E76 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=utf-8 FWIW I do not have an answer either but am also very interested in the = answer. During BSidesLV last week there was a session about fooling OSX into = giving up privileged access [1]. In the Q&A that followed the first = question was =E2=80=9Cwill BSM capture this?=E2=80=9D The speaker had no = idea what BSM is/was so hadn=E2=80=99t tested and couldn=E2=80=99t = answer, but I thought that is a really good question. And it is a really good question in light of this, the basic supposition = and question: >>> aware of. The audit pipe is allowed to drop audit records in the >>> kernel, which eventually is technically inevitable of course. The >>> issue I am facing is finding a reliable solution to avoid this. [1] https://www.bsideslv.org/schedule-2/ = Day 1 / Breaking Ground / Unpacking pkgs: a look inside macOS installer = packages and common security flaws We are hackers, we won=E2=80=99t do as you expect or play by your rules, = and we certainly don=E2=80=99t trust you. JAR files are really = ZIPs=E2=80=A6unzip them! So are DOCX, XLSX, PPTX, etc. Open them up! = macOS applications (.app =E2=80=9C=E2=80=9Dfiles=E2=80=9D=E2=80=9D) are = really browsable directories?! Sweet, let=E2=80=99s do that. Less well known but similarly prevalent are Flat Package Mac OS X = Installer (.pkg) files. These are actually XAR archives containing many = plaintext files (including scripts) with plenty to examine without = installing. In this presentation I=E2=80=99ll walk through extracting the contents = of these installer packages, understanding their structure, and how they = work while highlighting where security issues can come up. To drive the = point home of what can go wrong, I=E2=80=99ll include examples of = security issues I=E2=80=99ve seen in the wild and show how they can be = exploited to elevate privileges and gain code/command execution. After this talk, .pkg files will no longer be opaque blobs to you. = You=E2=80=99ll walk away knowing tools and techniques to examine, = understand what they=E2=80=99re really doing, and a methodology for = finding bugs in them. As a final bonus, I=E2=80=99ll include a subtle = trick or two that can be used on red teams. > On Aug 11, 2019, at 7:10 AM, ASV wrote: >=20 > Hi, > I personally don't know the answer to your question; I've never tried > to do that. But I'd like to inform you that since 2016 only 2 emails > got a reply on this list. Just for you to know better what to expect > here. >=20 > Good luck. >=20 >=20 >=20 > On Mon, 2019-06-24 at 10:09 +0200, b wrote: >> Hello again, >>=20 >> Could someone please comment on the following? >>=20 >>=20 >>> The FreeBSD Handbook has the notion that =E2=80=9Eaudit event = classes may >>> be customized by modifying the audit_class and audit_event >>> configuration files=E2=80=9C. I assume this could also mean adding = custom >>> audit classes and associating them with the event types of >>> interest. How can this be done programmatically for local audit >>> trails? Are there any code examples available? >>=20 >>=20 >> I am aware that this list is very low traffic. Unfortunately I have >> been unsuccessful in finding another place to discuss bsm. If there >> are other places, please let me know. >>=20 >>=20 >> Thank you, >> Benjamin >>=20 >>=20 >>=20 >>=20 >>> Am 06.06.2019 um 13:37 schrieb b via Darwin-dev < >>> darwin-dev@lists.apple.com>: >>>=20 >>> Hello everyone, >>>=20 >>> I am crossposting this message to the darwin dev list and the >>> trustedbsd-audit list since relevant knowledge might be shared >>> among members of both lists and I was not really sure how to >>> properly present the issue to both lists separately. Also, my post >>> is quite long as it bundles the outcome of several days of >>> debugging. Please excuse. >>>=20 >>> I am currently reading a cloned bsm audit pipe from a user space >>> client on macOS to retrieve information about process creation and >>> operations on the system (pc|ex). In the future I want to add other >>> audit classes as well. I am currently looking at bsmtrace as a >>> reference implementation of the read loop. >>>=20 >>> There is one major issue, though, that took me a while to become >>> aware of. The audit pipe is allowed to drop audit records in the >>> kernel, which eventually is technically inevitable of course. The >>> issue I am facing is finding a reliable solution to avoid this. >>>=20 >>> Drops can occur only in audit_pipe_append (audit_pipe.c) under two >>> conditions, (1) the queue is full or (2) the kernel was not able to >>> allocate memory without blocking. >>>=20 >>> (1) can generally be managed in user space client code. There is >>> only one scenario I found (up to now) where even the maximum audit >>> pipe length is insufficient and that is system wake up procedure. >>> Even before the system emits kIOMessageSystemWillPowerOn there are >>> lots and lots of audit events that eventually max out the audit >>> pipe. >>>=20 >>> (2) can=E2=80=99t be influenced from a user space client, at least = not that >>> I am aware of. This happens sporadically but reproducibly when the >>> system is under a lot of stress, e.g. when a lot of processes are >>> spawned at a time and start executing some audited code. >>>=20 >>> All this leads to several questions of which I am not sure if they >>> qualify as potential bug reports or enhancement requests. I would >>> be more than happy if someone with a better understanding of things >>> could comment on them or even suggest possible solution approaches. >>>=20 >>> - (1) could clearly be solved by increasing the allowed maximum >>> audit pipe length which currently is 1024. This maximum value is >>> probably several years old by now and I could imagine that in the >>> meantime the xnu kernel has become a lot more =E2=80=9Etalkative=E2=80= =9C. Is there >>> some technical limitation that would prevent an increase? >>>=20 >>> - I am wondering how the global audit trail that is written to disk >>> is able to perform better, i.e. does not drop (seemingly), than the >>> cloned audit pipe purely in memory? Is there some penalty >>> associated with passing memory from the kernel to user space? How >>> does the global audit trail not struggle with the M_NOWAIT policy? >>>=20 >>> - Since the audit pipe tries to acquire memory by calling malloc >>> with the M_NOWAIT flag, which I assume happens for a reason, is >>> there some strategy or configuration available from user space to >>> ease the restraint on kernel memory allocation =E2=80=93 or am I = simply out >>> of luck here? >>>=20 >>> - I am surely not an expert on memory allocation and even less so >>> in kernel space. With that said, I imagine that allocating only one >>> block of memory for both, pointer (ape) and memory blob (ape- >>>> ape_record), instead of two separate memory allocations would half >>> the potential for M_NOWAIT failure. >>>=20 >>> - Potential for both (1) and (2) could at least be reduced by >>> further filtering events in the kernel. I am not interested in each >>> and every audit event type. The FreeBSD Handbook has the notion >>> that =E2=80=9Eaudit event classes may be customized by modifying the >>> audit_class and audit_event configuration files=E2=80=9C. I assume = this >>> could also mean adding custom audit classes and associating them >>> with the event types of interest. How can this be done >>> programmatically for local audit trails? Are there any code >>> examples available? >>>=20 >>> I hope this does not come across (too) snarky but my expectation >>> towards a security mechanism is first and foremost reliability. >>> Information loss is definitely not supportive in that. Therefore I >>> either hope for a viable existing solution for my problem or am >>> very eager for a fix to the issues at hand. >>>=20 >>> Thanks, >>> Benjamin >>> _______________________________________________ >>> Do not post admin requests to the list. They will be ignored. >>> Darwin-dev mailing list (Darwin-dev@lists.apple.com) >>> Help/Unsubscribe/Update your Subscription: >>>=20 > = https://lists.apple.com/mailman/options/darwin-dev/b-spam%40intraversal.de= >>>=20 >>> This email sent to b-spam@intraversal.de >>=20 >> _______________________________________________ >> trustedbsd-audit@freebsd.org mailing list >> https://lists.freebsd.org/mailman/listinfo/trustedbsd-audit >> To unsubscribe, send any mail to " >> trustedbsd-audit-unsubscribe@freebsd.org" --Apple-Mail=_89CE0695-66E1-4F12-A667-81CFA56B1E76 Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.2 Comment: GPGTools 2.5.1 (build 1044) - https://gpgtools.org iQIzBAEBCgAdFiEE9dMnT0tAdaBButXPLFgDC1jkEL4FAl1R7VEACgkQLFgDC1jk EL46vQ/9HrLFuIArA62W1BKO4eOjL8v6+BVBibDREGwJ5ctFV7aWd+CWntpsMzlm UnqWc4ZzoiWqlKHy0wrd/jTPn+HLw1J46KdG0etWVZ8umGG3iPJMUgPxixr+jxS9 hiPuZ57s6+n4xVn8OBZcYpEmsUO4gEwSEKB5+7Mqsiht3SxG3lETPUuX56EF/xiI VmmAJsdJgQuL+QnYTvGPV4na0Nx6R3d9GmWDLer0j7ItBnUl2IubfSvesZrig9Cd Jf9tIx116AGItgUg6985wETuL66tXbf1zmEEmQC474kvhH1NoEPjTLelqtzVvD7S I5xsk4ALnb9v0qoIMyMzvaEkKLt2C8e91j6u6CvWNrCwpjzKkjLveVvx+ldCTqkK RGlNAFtk7xC11vC6FaUhHJJ27rrFkGx6sj4KZOwwqKs8nW1NZWAD04bVRI9reNjQ 6F+nUBmZCOJgxsGCQtZShvvIwQ5niC5Gi+V9kUTi4HONNB8Yicb66ZrBxBZVTIDm 9tZxW6sgujvH9ZYpLS44LqWa2396iX72z+OWcP+Scoetq37dmY03BCYAmU2D+l4+ EFGZmThCK7UVpU056bfN8Ln5PdYjcsF1lYTeQypMZONWKiGgDMarvwESuT3+3Esy iDoHMpsLg81Gjf8ibA5qWJaR+JW1RIGae0D/x0oFJDyct7+UMCY= =cVMZ -----END PGP SIGNATURE----- --Apple-Mail=_89CE0695-66E1-4F12-A667-81CFA56B1E76--