Posts

Post not yet marked as solved
3 Replies
240 Views
Looks like dnsextd(8) was removed from macOS in 10.15 Catalina, and building from source isn't easy. I used the attached patch to build mDNSResponder 1310.140.1, which removes unused functions except for setTrafficClass which is unused by the target (it passes mDNSFalse for useBackgroundTraffic). We're planning to use this as a frontend to BIND 9.18.3 with an external daemon to verify TSIG for dynamic updates. With MDM we should be able to easily provision new TSIG keys remotely on servers, then communicate them out-of-band to the daemon and (hopefully) have the process work almost automatically. I have heard only RC4 is supported in released versions of macOS, and the implementation is broken in macOS Monterey.

Attachment: dnsextd.txt

Comments welcome
Posted
by TyngJJ.
Post not yet marked as solved
0 Replies
98 Views
Is there a simple way to create an NSFontCollection based on NSFontDescriptor querying to gather all installed/available fonts with a MATH table? It doesn't look like there's an attribute for that, but I don't know how else to search other than correlating with features like ssty, dtls, and flac.
Posted
by TyngJJ.
Post not yet marked as solved
6 Replies
2.3k Views
I've tried to find explicit documentation for the role to select when creating an API key for use with

    xcrun altool --notarize-app --apiKey

But only found a discussion like Using an API Key with iTMSTransporter. Should it always be App Manager, or is there a less-privileged one for this task? Notarization doesn't seem like it would require significant access.
Posted
by TyngJJ.
Post not yet marked as solved
1 Replies
927 Views
Have DriverKit entitlement decisions started being issued? We filled in the form weeks ago and haven't received a response of any kind. We already had a kext entitlement, so I was hoping the request would be a formality.
Posted
by TyngJJ.
Post not yet marked as solved
0 Replies
346 Views
I've found Console.app much harder to use in recent years, and one of the issues is the firehose of data is much more difficult to examine when you don't know what you're looking for, especially if you have to turn on debug and info. As an example of a tool, I'm posting a script I wrote to gather likely subsystem/category names from other binaries. It's crude, but does a decent job when you're not sure where to start.

    #!/usr/bin/swift

    import Foundation

    extension Process {
        // Run the executable at `url` and call `block` once per line of its standard output.
        class func launchedForLines(url: URL, args: [String], block: (String) -> Void) {
            let proc = Process(), pipe = Pipe(), eol = Data([0x0A])
            proc.executableURL = url
            proc.arguments = args
            proc.standardOutput = pipe
            proc.launch()
            let output = pipe.fileHandleForReading
            var buffer = Data(capacity: Int(LINE_MAX)), chunk = output.availableData
            while !chunk.isEmpty {
                buffer.append(chunk)
                // Split off every complete line currently in the buffer.
                while let range = buffer.range(of: eol) {
                    let slice = buffer[0..<range.lowerBound]
                    buffer.replaceSubrange(0..<range.upperBound, with: Data())
                    if let line = String(data: slice, encoding: .utf8) {
                        block(line)
                    }
                }
                chunk = output.availableData
            }
            proc.terminate()
        }
    }

    struct Log : Hashable, Equatable {
        let subsystem:String, category:String
    }

    // Disassemble with `otool -tV` and treat the two most recent string literals
    // seen before each _os_log_create reference as (subsystem, category).
    func find_logs(url: URL) -> [Log]? {
        let literal = "literal pool for: \"", hold = "HOLD"
        var ring = [hold, hold], idx = false, logs = Set<Log>()
        Process.launchedForLines(url: URL(fileURLWithPath: "/usr/bin/otool", isDirectory: false), args: ["-tV", url.path], block: { (line) in
            if let range = line.range(of: literal) {
                // Keep the literal text without its trailing quote.
                let frag = line[range.upperBound..<line.index(before: line.endIndex)]
                ring[idx ? 1 : 0] = String(frag)
                idx = !idx
            }
            else if line.range(of: "_os_log_create", options: .literal) != nil {
                // The older literal is taken as the subsystem, the newer as the category.
                let sub = ring[idx ? 1 : 0], cat = ring[idx ? 0 : 1]
                if sub != hold && cat != hold && sub.range(of: ".", options: .literal) != nil {
                    logs.insert(Log(subsystem: sub, category: cat))
                }
                ring = [hold, hold]
            }
        })
        return logs.isEmpty ? nil : Array(logs)
    }

    // Read the leading magic number and compare it with the thin and fat Mach-O values.
    func check_mach(url: URL) -> Bool {
        guard let handle = try? FileHandle(forReadingFrom: url) else {
            return false
        }
        let size = MemoryLayout.size(ofValue: MH_MAGIC), magic = handle.readData(ofLength: size)
        try? handle.close()
        return magic.count == size && [MH_MAGIC, MH_MAGIC_64, FAT_CIGAM, FAT_CIGAM_64].contains(magic.withUnsafeBytes({ $0.load(as: UInt32.self) }))
    }

    // Recursively visit `url` and everything below it.
    func enumerate(url: URL, block: (URL, URLFileResourceType) -> Void) {
        guard let type = try? url.resourceValues(forKeys: [.fileResourceTypeKey]).fileResourceType else {
            return
        }
        block(url, type)
        if (type == .directory) {
            _ = (try? FileManager.default.contentsOfDirectory(at: url, includingPropertiesForKeys: [.fileResourceTypeKey], options: []))?.map({ enumerate(url: $0, block: block) })
        }
    }

    let args = ProcessInfo().arguments
    guard let base = args.count > 1 ? URL(fileURLWithPath: args[1]) : nil else {
        print("Specify exactly one argument, the path to search")
        exit(1)
    }
    enumerate(url: base) { (url, type) in
        autoreleasepool {
            if type == .regular && check_mach(url: url), let logs = find_logs(url: url) {
                print("Found binary \(url.path)")
                _ = logs.map({ print("Subsystem: \($0.subsystem) Category: \($0.category)") })
            }
        }
    }
Posted
by TyngJJ.
Post not yet marked as solved
5 Replies
637 Views
This is for macOS Cocoa apps. I've been using NSPortNameServer until its deprecation to claim a "name" for simple IPC that's automatically destroyed when the process that called -registerPort: exits for any reason. The purpose is to guard other processes using the same framework from clobbering each other trying to do the same thing (just the TASK for discussion purposes) when more than one are running at the same time. There's no information exchanged except to call "dibs" on this TASK, and ideally the solution we move to also works with sandboxing.

I've avoided filesystem semantics because files/directories/named semaphores all persist if the process that created them dies, which will litter that namespace, and most don't provide an efficient way of detecting whether the process that created them is still alive.

The processes don't need to exchange any data at all, just for one of them (the first to claim the privilege) to handle TASK during its lifetime. The other processes continue to receive the event notifications which would trigger the TASK, so if the claimant dies the next to respond will take the claim immediately. It's also important that this claim only be held session-wide, not machine-wide.

It doesn't look like notifyd, sem_open, and others provide this particular semantic, and the closest I got was an NSProgress published nominally to an arbitrary file/directory, but that seems more like API abuse, as would NSFileCoordinator (though that at least is closer). I don't see how holding this particular claim could be considered a security risk, so I would hope it could also work with sandboxing (e.g. not require an app group, etc).
Posted
by TyngJJ.
Post marked as solved
5 Replies
1k Views
I've got a kext that worked fine on Mojave, now it won't load at all, saying:

    $ kextutil -tn kext
    kxld[kext]: The following symbols are unresolved for this kext:
    kxld[kext]: IOCatalogue::addDrivers(OSArray*, bool)
    kxld[kext]: IOCatalogue::removeDrivers(OSDictionary*, bool)
    kxld[kext]: IOCatalogue::startMatching(OSDictionary*)
    Link failed (error code 5).
    Check library declarations for your kext with kextlibs(8).

As far as I know these symbols are still declared in IOCatalogue.h in the Kernel framework, and while kexts are deprecated, they're still technically allowed in Catalina? Posted to FB6142774 (btw, what's the URL format for feedbacks?)
Posted
by TyngJJ.
Post marked as solved
3 Replies
1.1k Views
I'm trying to figure out if any methods in NSString, NSURL, or NSFileManager will sanitize a single path component so it can be appended to a fileURL which represents a directory.

The specific usage is a case where the user is saving multiple objects and is allowed to pick/create a directory, which will be populated with files named roughly corresponding to user-entered NSStrings. I'm already prepared to strip prohibited characters, normalize, and append a numbered suffix if some objects have the same sanitized name, but one big problem was forward slash ("/") translation. Is there a method which will interpret a string as a single path component and translate slash to colon so the user-presented filename will look the way the user expects? Some like -[NSURL URLByAppendingPathComponent:] will accept a string representing multiple components separated by slash, so no translation occurs.

There are other issues I'd like the method to handle, like stripping or refusing prohibited characters, Unicode normalization, etc, but they could be handled in other ways (e.g. -decomposedStringWithCanonicalMapping).
Posted
by TyngJJ.
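
The single-component handling described in the post above, written out by hand as an added example (not part of the original post and not an Apple API). The names sanitizedComponent, childURL and ComponentError, and the /tmp/export directory, are hypothetical.

```swift
import Foundation

enum ComponentError: Error { case empty, reserved, escapesDirectory }

// Hypothetical helper: reduce a user-entered name to exactly one path component.
func sanitizedComponent(_ raw: String) throws -> String {
    // Canonical decomposition, so names that differ only in composed vs.
    // decomposed form collapse to the same string before collision checks.
    let decomposed = raw.decomposedStringWithCanonicalMapping
    // Drop NUL and other control characters.
    let kept = decomposed.unicodeScalars.filter {
        !CharacterSet.controlCharacters.contains($0)
    }
    // "/" is the POSIX separator; Finder displays a POSIX-level ":" as "/",
    // so the swap keeps the name looking as typed while staying one component.
    let name = String(String.UnicodeScalarView(kept))
        .replacingOccurrences(of: "/", with: ":")
    guard !name.isEmpty else { throw ComponentError.empty }
    // "." and ".." are directory references, not file names.
    guard name != ".", name != ".." else { throw ComponentError.reserved }
    return name
}

// Hypothetical helper: append the name and verify the result is a direct child.
func childURL(of dir: URL, named raw: String) throws -> URL {
    let name = try sanitizedComponent(raw)
    let child = dir.appendingPathComponent(name, isDirectory: false)
    guard child.pathComponents.count == dir.pathComponents.count + 1,
          child.lastPathComponent == name else {
        throw ComponentError.escapesDirectory
    }
    return child
}

// Constructed sample input; /tmp/export is a placeholder directory.
let dir = URL(fileURLWithPath: "/tmp/export", isDirectory: true)
for raw in ["Q1/Q2 report", "../../etc/passwd", "..", "caf\u{00E9}", ""] {
    do {
        let url = try childURL(of: dir, named: raw)
        print("\(raw.debugDescription) -> \(url.path)")
    } catch {
        print("\(raw.debugDescription) -> rejected (\(error))")
    }
}
```

The component-count check is what catches any separator that survives sanitizing, since a name that still split into several components would make the child URL deeper than one level below the chosen directory.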
Post not yet marked as solved
1 Replies
584 Views
I couldn't find a better place for this, apologies. I'm looking for a Lambert W() / ProductLog / omega function in Accelerate (I checked math.h), but couldn't find one. Ideally it would have both principal and nth versions for multiple roots. Is there one already there, or some kind of Newton/Halley iterator I could use to build one?
Posted
by TyngJJ.
Post not yet marked as solved
3 Replies
3.9k Views
I'm doing some multithreading in Metal, and Thread Sanitizer is tripping up on a "__block id" type (Objective-C) I use in some framework code to collect an identifier returned from a callout block, which is later supplied to a callback block, like:

    __block id identifier; //Read-then-write from different threads
    id renderer = [self rendererWithCompletionHandler:^{ callback(identifier); }];
    dispatch_async(SOME_GLOBAL_QUEUE, ^{
        identifier = callout(renderer);
        [renderer finish];
    });

The API allows any subsystem to do Metal work, then perform any cleanup in the callback without the framework having to understand it, or even what form the identifier takes (frame number, object state, etc). The sample above is heavily simplified, the framework does a lot of setup work to make it convenient to attach to the drawing loop.

The issue is Thread Sanitizer doesn't like the read/write from multiple threads, but how can I efficiently protect "identifier" without doing a lot of extra work, like creating an object? I know the completion handler is strictly ordered after the dispatch_async, but I can't think of how to effectively describe this using GCD or other synchronization primitives. Keep in mind there is an outer loop supplying callout/callback pairs, this occurs at every draw, and pairs may be registered/unregistered after any frame.
Posted
by TyngJJ.
Post not yet marked as solved
1 Replies
706 Views
I've been trying to figure out if my planned usage of managed buffers breaks any rules, but didn't find anything, so apologies if this has already been answered.

If I have a single Metal buffer which:

* is marked as managed and uses -didModifyRange:
* is only written to by the CPU and read by the GPU
* is only appended to

Can I keep a single copy of it around regardless of other n-buffering I do? E.g. can I do triple buffering elsewhere but keep one of this buffer around and append to it between draw loops when necessary?

A trivial example might be a buffer of int32s which contains the current item index as its value (bytes[i] = i;). If the buffer is over-allocated initially, (e.g. 1,000 items) but I only use the first 100 (and use -[id<MTLBuffer> didModifyRange:NSRange(0, 100 * sizeof(int32_t))]), can I later populate indices 100-200 and call -didModifyRange: on that portion in the next loop without tearing? Are there rules about this?
Posted
by TyngJJ.
Post not yet marked as solved
4 Replies
943 Views
Is there any way to connect to a remote OpenDirectory without binding the system to it first? I tried the remote/proxy API in OpenDirectory.framework, but it looks like that assumes administrator credentials, which would be inappropriate in this context (macOS GUI app, untrusted user until authentication, etc).

I really don't want to require binding because of the deployment difficulty, and we don't require authenticated binding at the OD master. On both sides (client: query/authentication only, no system reconfiguration) (server: no authenticated binding requirement) it looks like no root/administrator permissions should be necessary for this task. Is there a way forward?

The last mention I saw was https://forums.developer.apple.com/message/158790, but that was some time ago, perhaps not the same exact issue.
Posted
by TyngJJ.
Post not yet marked as solved
2 Replies
1.2k Views
I've done what I can on my own to figure out what to use with Xcode/clang on the iMac Pro for hardware-specific optimization, but there isn't much information.

From sysctl(8) I know it's Family 0x06, Model 0x55, Stepping 0x04 (the 18 core 2.3 GHz aka "W-2191 B"), which is apparently "-march=skylake-avx512", but there aren't any built-in options to set that or something similar directly in Xcode.

Is there more to tune?
Posted
by TyngJJ.