I am playing with endpoint security. I trying to implement block/allow user to read/write files on a USB media drive. I made my ep utility as launchctl daemon. I found that some applications couldn't start until I mute those processes for ep_client.
Moreover, some system processes couldn't start until I mute messages from them. And even more, if my utility autoruns on system start, the clock on the top right corner of the screen may be absent. The Terminal app couldn't restore its state, it hangs on start.
Actually, I came to that, my EP daemon should listen to very few processes. Those processes that can read/write files on USB media, and do it by user request. Or under user control.
When KAUTH was not deprecated, I did it right in the kernel extension: if the vnode path is NOT on a removable drive, return DEFER at the beginning of callback.
My question is:
What processes are pure system?
What system processes can read/write files for user or under user control?
Does, for example, /usr/libexec/nsurlsessiond can download a file for user to the USB media?
Post marked as Apple Recommended
Quinn, you've often suggested that to validate the other side of an XPC connection, we should use the audit token. But that's not available from the XPC object, whereas the PID is. So everyone uses the PID.
While looking for something completely unrelated, I found this in the SecCode.h file
OSStatus SecCodeCreateWithXPCMessage(xpc_object_t message, SecCSFlags flags,
SecCodeRef * __nonnull CF_RETURNS_RETAINED target);
Would this be the preferred way to do this now? At least from 11.0 and up.
Like I said, I was looking for something completely unrelated and found this and don't have the cycles right now to try it. But it looks promising from the description and I wanted to check in with you about it in case you can say yes or no before I get a chance to test it.
Thanks
Post not yet marked as solved
I got the permission from Apple (yay), and when I generate a profile on the portal, I can select it. But when I download it... it doesn't have it. Looking at the profile on the portal again, it says I have "Enabled Capabilities Endpoint Security, In-App Purchase". (Although how did that get there?)
Post not yet marked as solved
Hello!
After submitting two OSSystemExtensionRequest (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive request: didFinishWithResult callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed.
We tried to prevent this by using propertiesRequestForExtension where our (network) delegate will ask for properties, check if the given extension is enabled and then finish if it's ok. If it's not enabled, however, we receive no second callback when the user allows the other extension.
We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request: didFinishWithResult even when the user does not allow the second extension.
Example:
Endpoint and Network managers submit OSSystemExtensionRequest
User only allows Endpoint extension
Endpoint manager checks the properties, finds out it's enabled and finishes
Network manager checks the properties, finds out it's disabled
Network manager sends another OSSystemExtensionRequest
Network manager immediately receives request: didFinishWithResult
Network manager checks the properties, finds out it's disabled
....
This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval. How should we go about this issue?
Many thanks, Denis
I created an ES Client, as I run it, it logs all the processes under /. So I add mute_path_prefix for those.
I expect to see Notifications from /Users/anoopvaidya/, but it is not happening.
What am I missing here?
Any help, suggestions, guidance is highly appreciated.
static void handleEvent(es_client_t *client, const es_message_t *msg)
{
char const *filePath = msg->process->executable->path.data;
NSString *filePathString = [[NSString alloc] initWithFormat:@"%s", filePath];
os_log(OS_LOG_DEFAULT, "filePathString = %@", filePathString);
}
void mutePath(es_client_t *client) {
os_log(OS_LOG_DEFAULT,"Adding muted files list");
NSArray<NSString *> *paths = @[
@"/Applications/",
@"/bin/",
@"/cores/",
@"/Library/",
@"/opt/",
@"/private/",
@"/sbin/",
@"/System/",
@"/usr/",
@"/var/",
];
for (NSString *path in paths) {
es_mute_path_prefix(client, [path UTF8String]);
}
}
int main(int argc, char *argv[])
{
// Create the client
es_client_t *client = NULL;
es_new_client_result_t newClientResult = es_new_client(&client, ^(es_client_t *c, const es_message_t *message) {
handleEvent(client, message);
});
if (newClientResult != ES_NEW_CLIENT_RESULT_SUCCESS) {
return 1;
}
es_event_type_t events[] = {
ES_EVENT_TYPE_NOTIFY_CREATE, //create file
ES_EVENT_TYPE_NOTIFY_OPEN, // open file
ES_EVENT_TYPE_NOTIFY_RENAME, // rename file
ES_EVENT_TYPE_NOTIFY_CLOSE, // close file
ES_EVENT_TYPE_NOTIFY_WRITE, // write to file
ES_EVENT_TYPE_NOTIFY_UNLINK, // delete
ES_EVENT_TYPE_NOTIFY_EXIT
};
if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
os_log(OS_LOG_DEFAULT, "Failed to subscribe to events");
es_delete_client(client);
return 1;
}
mutePath(client);
dispatch_main();
}
IIRC, when Apple introduced the new Network Extension and Endpoint Security system extension architectures, apps with Network Extensions in their bundle had to be distributed through the Mac App Store, whereas apps with Endpoint Security extensions could not be distributed through the Mac App Store (or vice versa).
I can no longer find language on such restrictions.
Can I distribute an app with both a Network Extension and an Endpoint Security extension in the same app bundle via the Mac App Store?
I am writing a system extension and I want to get the command line. Back in kauth's days we used to get the csFlags and then the image_params, but I think that ES doesn't give us a pointer to the csFlags anymore. Tried like this:
unsigned int csFlags = event->process->codesigning_flags;
struct image_params* image = (struct image_params *)((char *) csFlags - __offsetof(struct image_params, ip_csflags));
But the csFlags is not a valid memory region.
Post not yet marked as solved
I implemented a method to monitor the testfile copy activity and reject it using ES_EVENT_TYPE_AUTH_CLONE.
The copy code used is as follows:
NSFileManager *fileManager = [NSFileManager defaultManager];
NSError *error = nil;
NSString *sourcePath = self.CopyFilePath.stringValue;
NSString *destinationPath = [sourcePath stringByAppendingFormat:@"(Code copy file)"];
BOOL success = [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error];
if (success) {
NSLog(@"File copy successful");
} else {
NSLog(@"File copy failure:%@", error.localizedDescription);
}
This code fires the ES_EVENT_TYPE_AUTH_CLONE event, and I treat the auth event as ES_AUTH_RESULT_DENY, but still create a new file testfile(Code copy file)
How to prevent through code
[fileManager copyItemAtPath: sourcePath toPath: destinationPath error: & error];
Implementation of the file copy
Post not yet marked as solved
I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything).
This is what I did:
I download the project
I renamed the bundle IDs
I disabled SIP
I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID'
I moved the app to the Applications folder
I grant the 'Full Disk Access' permission to the extension
I verified that the extension is running
I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem
I did get the message 'Successfully installed the extension ✅'
At the terminal, I tried to capture relevant logs:
log stream --style compact --predicate 'sender == "myBundleId"'
(I tried it with the app bundleID, and with the extension's bundleId)
And yet, 'ps' triggers no logs.
*At the Console, I get those messages:
"Unsatisfied entitlements: com.apple.developer.endpoint-security.client"
Disallowing: myBundleId
amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=, unsatisfiedEntitlements=, NSLocalizedDescription=No matching profile found}
Any idea where's the problem at?
Post not yet marked as solved
Hey all!
I have a System Extension that, while doing some other things, starts up my custom Network Extension via [NEProvider startSystemExtensionMode]. This Network Extension contains a class (let's call it MyDataProvider) that overrides the NEFilterDataProvider interface and implements handleNewFlow. MyDataProvider thus acts as a network content filter.
The problem is that installing my System Extension on a Ventura 13.4 (or older) system and starting up the Network Extension seemingly drops any ongoing connection I have. For example, my ssh connection will hang. This makes it quite annoying attempting to install the System Extension remotely.
I do not see this behavior for my other class that inherits the NEFilterPacketProvider interface.
Is this behavior expected of the NEFilterDataProvider? It seems like a bug since I do not see any documentation stating this behavior.
Post not yet marked as solved
I want to create a feature that monitors which USB devices my computer is using and lets me know what they are. If the USB storage device is connected to my MacOS device, I want to prevent it from being used.
Is it possible to implement such a method using ESF framework? Or is there another way to do this?
Post not yet marked as solved
Can I control the pasteboard when user try to Ctrl + v?
There's no option or related event in endpoint security.
I'm came up the 'method swizzling', but it doesn't seem like a good way.
Plz help me..
Post not yet marked as solved
Is it possible to use ESF framework without enrolling into Apple developer program? I wanted to try out ESF for learning purpose.
Post not yet marked as solved
I encountered such a problem, when I am in macOS 10.15 this part, through monitoring ES_EVENT_TYPE_AUTH_EXEC ESF framework, if I double click on the start/Users/test/Downloads/test. The app, The path of test.app corresponding to message->event.exec.target-> Path. data in the ES_EVENT_TYPE_AUTH_EXEC event is under /private/var/folders. This prevents me from blocking the test.app startup in the /Users/test/Downloads/ directory through string matching.
Post not yet marked as solved
My team has received a bit of instruction in the past about how to use ESClients for Endpoint Security tasks. The source suggested using multiple ESClients but not too many. I think the proposed limit was 40. The question is this: how can I determine what warrants a new ESClient? For example, consider an app that has 30 concurrent tasks of type A, a task of type B, a task of type C, and a task of type D. Should each task type gets its own ESClient? Should the tasks of type A be divided between multiple ESClients?
Can you deliver any additional guidance on this?
Post not yet marked as solved
I created a Endpoint Security the client, the System Extension have been normal load to/Library/SystemExtensions inside, and has been activated, but did not see the Extension to run, do you have who knows?
Post not yet marked as solved
Hello there.
We have an endpoint security service that consists of a command-line tool and a client app that bundles a network extension (the command-line tool runs as a daemon via Launch Services and communicates with the extension via XPC). It works when installed manually under all OS versions, and under MacOS 12.x (Monterey) and earlier when provisioned via MDM.
However, beginning with some version of 13.x (Ventura), MDM provisioning is insufficient. The daemon is unable to connect to the extension via XPC.
Under "Full Disk Access" in System Pref^H^H^H^HSettings, an entry for our component appears but the switch is off. Turning the switch on manually at this point does not change the situation; the daemon apparently remains unable to talk to the extension.
It seems as though some additional entitlement or declaration is now needed in the MDM mobileconfig to make things work under 13.x and above, but after trying a multitude of combinations, I'm at a loss. Any hints?
Post not yet marked as solved
Hi guys
Following this topic : https://developer.apple.com/forums/thread/654443
I test this in macOS 14 beta, audit can't work now.
Is it expected or a bug?
If it is expected, is there any announcement ?
Thank you!
Command return error:
sudo audit -i
Error sending trigger: (ipc/send) invalid destination port
Post not yet marked as solved
I wrote a program to receive the notify events from endpoint security framework. While logging into the workstation it generates ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN event. How to get the user id and other user info from this event.
Post not yet marked as solved
I wrote a program to receive the notify events from endpoint security framework. ES_EVENT_TYPE_NOTIFY_AUTHENTICATION event is not notified/logged in any scenario. Please help me with the information on when does mac generate or notify this event.
