Add provenance data collection support

[kohnakagawa]

Summary

This pull request adds support for collecting provenance extended attributes in Aftermath.
Specifically, it introduces the following features:

• Collection of the com.apple.provenance extended attribute
• Collection of data from the provenance_tracking table in the ExecPolicy file, which stores application information associated with the com.apple.provenance extended attribute

Information about the provenance extended attribute is included in my Black Hat presentation slides. However, due to time constraints, only an overview is provided there. Below is a brief explanation of how the provenance extended attribute can be utilized.

About the provenance extended attribute (introduced in macOS Ventura)

When an application is executed for the first time, syspolicyd assigns the provenance extended attribute (com.apple.provenance) to the application bundle and inserts application-related information (such as code signature and hash values) into the provenance_tracking table in the ExecPolicy database. This attribute is an 11-byte integer; the purpose of the first 3 bytes is currently unknown, while the remaining 8 bytes are random values.
The pk field in the provenance_tracking table corresponds to the 8-byte integer value of the com.apple.provenance attribute. For example:

CREATE TABLE provenance_tracking (  pk INTEGER PRIMARY KEY,  url TEXT NOT NULL,  bundle_id TEXT,  cdhash TEXT,  team_identifier TEXT,  signing_identifier TEXT,  flags INTEGER,  timestamp INTEGER NOT NULL,  link_pk INTEGER);
INSERT INTO provenance_tracking VALUES(-9131926598259274488,'/Applications/ChatGPT.app','com.openai.chat','a8f89be08e5bfff3ac2743df62052fb69eed660e','2DC432GLL2','com.openai.chat',2,1731488254,0);

In the example above, the pk value is -9131926598259274488 (= 0x8144e12453d08d08).
The same value is assigned to the ChatGPT application bundle:

$ xattr -px "com.apple.provenance" /Applications/ChatGPT.app
01 02 00 08 8D D0 53 24 E1 44 81

When an application bundle with a provenance extended attribute is executed, the application runs inside the provenance sandbox. Any files created or modified¹ by an application running in this sandbox inherit the same com.apple.provenance extended attribute as the application bundle. By checking the provenance extended attribute of a file and referencing the provenance_tracking table in ExecPolicy, it becomes possible to determine which application created or modified that file. I've created a basic example demonstrating how to use the provenance attribute. Please check it out as well.

This capability can be used, for example, to identify which application created a persistence-related plist file in ~/Library/LaunchAgents.

Other potential use cases have also been identified (e.g., detecting the use of reflective loaders implemented with NSCreateObjectFileImageFromMemory and NSLinkModule).
Further technical details will be included in the white paper for my Black Hat talk, which I plan to share here once available.

Footnotes

1. Technically speaking, when file operations listed here are performed, the provenance attribute is attached to the target file. ↩

[c7bercat]

Nice PR! Just a small note that I hope you'll address. I tested out your changes and they look good to me besides the part to do with the comment. I'll be happy to approve after the comment has been resolved. Thanks!