I tried low level XPC API. Here is the sample code.
#include <dispatch/dispatch.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <os/log.h>
#include <xpc/xpc.h>

/* Defined elsewhere in the extension (not shown in the post). */
void init_dispatch_queue(void);
void handler(xpc_connection_t connection);   /* connection handler passed to xpc_main() */
void handle_event(es_client_t *client, const es_message_t *msg);

int
main(int argc, char *argv[])
{
    init_dispatch_queue();
    xpc_main(handler);   /* never returns: it calls dispatch_main() internally */

    /* Nothing below this point is reached. */
    es_client_t *client;
    es_new_client_result_t result = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        handle_event(c, msg);
    });
    if (result != ES_NEW_CLIENT_RESULT_SUCCESS) {
        os_log_error(OS_LOG_DEFAULT, "Failed to create the ES client: %d", result);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        es_delete_client(client);
        return 1;
    }
    dispatch_main();
}
The xpc_main() function internally calls dispatch_main. The other extension code didn't execute. I added an XPCService dict to Info.plist and added RunLoopType as NSRunLoop, as given in the link. But it still doesn't work well.
NSXPCConnection is the API that allows the extension to function. I can't use this API as PyObjC does not support block calls.
Can we make the low-level xpc_main() execute in a second thread and not block the extension?
I have my app in Objective-C and a system extension written in C. How do I communicate between the system extension and the app?
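The two questions above (xpc_main() blocking the ES client, and app-to-extension communication) have the same answer in low-level XPC: you do not need xpc_main() at all. A listener connection created with xpc_connection_create_mach_service() delivers its events on a dispatch queue, exactly like the ES client does, so one dispatch_main() serves both. The following is an added example, not the poster's code; the Mach service name and the code-signing requirement are hypothetical placeholders, and the file is meant to be compiled as Objective-C with ARC so the xpc_object_t values are released automatically. The service name must be the one declared as NSEndpointSecurityMachServiceName in the extension's Info.plist, and xpc_connection_set_peer_code_signing_requirement() needs macOS 12 or later.

```objective-c
// Added example, not the poster's code. Runs the ES client and a low-level XPC
// listener in one process without xpc_main(): both deliver on dispatch queues,
// so a single dispatch_main() serves them. Compile as Objective-C with ARC.
// Assumed (hypothetical) names: the Mach service and the peer requirement below.
#import <Foundation/Foundation.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <os/log.h>
#include <string.h>
#include <xpc/xpc.h>

// Must match NSEndpointSecurityMachServiceName in the extension's Info.plist.
static const char kMachServiceName[] = "TEAMID.com.example.esext.xpc";   // hypothetical
// Only our own app (same Team ID) may talk to the root-running extension.
static const char kPeerRequirement[] =
    "anchor apple generic and certificate leaf[subject.OU] = \"TEAMID\""; // hypothetical

static es_client_t *g_client;
static _Atomic uint64_t g_exec_count;   // a value the app will query over XPC

static void handle_es_message(es_client_t *client, const es_message_t *msg)
{
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_EXEC:
        g_exec_count++;
        es_respond_auth_result(client, msg, ES_AUTH_RESULT_ALLOW, false);
        break;
    case ES_EVENT_TYPE_AUTH_OPEN:
        // AUTH_OPEN is answered with authorized flags, not with an auth result.
        es_respond_flags_result(client, msg, 0xffffffff, false);
        break;
    default:
        break;
    }
}

static void handle_peer_message(xpc_connection_t peer, xpc_object_t msg)
{
    xpc_object_t reply = xpc_dictionary_create_reply(msg);
    if (reply == NULL) return;                       // sender did not ask for a reply
    const char *cmd = xpc_dictionary_get_string(msg, "command");
    if (cmd != NULL && strcmp(cmd, "exec-count") == 0) {
        xpc_dictionary_set_int64(reply, "count", (int64_t)g_exec_count);
    } else {
        xpc_dictionary_set_string(reply, "error", "unknown command");
    }
    xpc_connection_send_message(peer, reply);
}

static xpc_connection_t start_listener(void)
{
    xpc_connection_t listener = xpc_connection_create_mach_service(
        kMachServiceName, NULL, XPC_CONNECTION_MACH_SERVICE_LISTENER);
    xpc_connection_set_event_handler(listener, ^(xpc_object_t event) {
        if (xpc_get_type(event) != XPC_TYPE_CONNECTION) return;   // listener error: nothing to do
        xpc_connection_t peer = (xpc_connection_t)event;
        // macOS 12+: messages from a peer that fails the requirement are dropped
        // and reported to the handler as XPC_ERROR_PEER_CODE_SIGNING_REQUIREMENT.
        if (xpc_connection_set_peer_code_signing_requirement(peer, kPeerRequirement) != 0) {
            xpc_connection_cancel(peer);             // unparsable requirement: fail closed
            return;
        }
        xpc_connection_set_event_handler(peer, ^(xpc_object_t msg) {
            if (xpc_get_type(msg) == XPC_TYPE_DICTIONARY) {
                handle_peer_message(peer, msg);
            }   // XPC_TYPE_ERROR means the peer went away; nothing to clean up
        });
        xpc_connection_activate(peer);
    });
    xpc_connection_activate(listener);
    return listener;
}

int main(int argc, const char *argv[])
{
    @autoreleasepool {
        es_new_client_result_t r = es_new_client(&g_client,
            ^(es_client_t *c, const es_message_t *m) { handle_es_message(c, m); });
        if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
            os_log_error(OS_LOG_DEFAULT, "es_new_client failed: %d", r);
            return 1;
        }
        es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_OPEN };
        if (es_subscribe(g_client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
            es_delete_client(g_client);
            return 1;
        }
        xpc_connection_t listener = start_listener();
        (void)listener;                              // kept alive by XPC while it is active
        dispatch_main();                             // replaces xpc_main(); never returns
    }
}
```

On the app side the same low-level API works from Objective-C without blocks being a problem: create the connection with xpc_connection_create_mach_service(kMachServiceName, NULL, 0), set an event handler, activate it, and call xpc_connection_send_message_with_reply_sync() with a dictionary whose "command" key is "exec-count". The app should pin the extension's identity with xpc_connection_set_peer_code_signing_requirement() as well; otherwise anything that manages to register the service name can answer it. Because the ES handler block and the XPC handlers run on different queues, shared state such as g_exec_count must be atomic or protected by a lock.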
Hello,
The application I'm working on has started requiring endpoint-security permissions. Before the changes it followed the signing (without additional entitlements) and .pkg packaging processes for several years without issues.
The Endpoint Security entitlement was requested and approved. After that, "Security Extension" was enabled for the App ID we use. The build process (without Xcode) was updated to use the entitlements file during signing. After the update the signing and packaging steps were successful. The package can be installed without issues as well. Running the application results in an immediate "Killed: 9".
During troubleshooting it turned out that even a dummy hello-world C binary behaves the same way after signing.
The C code (just for reference):
$ cat test.c
#include <stdio.h>

int main(void) {
    printf("Hello world\n");
    return 0;
}
The entitlement file:
$ cat entitlements.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
</dict>
</plist>
For signing we use keys imported to a temporary keychain from a developer profile (just for reference):
security delete-keychain temp-keychain
security create-keychain -p ******** temp-keychain
security unlock-keychain -p ******** temp-keychain
security list-keychains -d user -s login.keychain temp-keychain
security import /path/to/developer/identities/<Developer ID Application>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security import /path/to/developer/identities/<Developer ID Installer>.p12 -k temp-keychain -P ******** -T /usr/bin/codesign -T /usr/bin/productsign temp-keychain
security show-keychain-info temp-keychain
security set-key-partition-list -S apple-tool:,apple: -s -k ******** temp-keychain
security default-keychain
Result:
Without entitlements
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=304 flags=0x10000(runtime) hashes=4+2 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:37:54
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
$ ./test
Hello world
With entitlements
$ codesign -vvvvv -s "Developer ID Application: ..." --verbose --deep --force --timestamp --options=runtime --entitlements entitlements.plist test
test: signed Mach-O thin (x86_64) [test]
$ codesign -dv test
Executable=/private/tmp/1/test
Identifier=test
Format=Mach-O thin (x86_64)
CodeDirectory v=20500 size=400 flags=0x10000(runtime) hashes=4+5 location=embedded
Signature size=9099
Timestamp=18 Aug BE 2564 23:40:00
Info.plist=not bound
TeamIdentifier=XXXXXXXXXX
Runtime Version=10.15.4
Sealed Resources=none
Internal requirements count=1 size=164
$ codesign -d --entitlements :- test
Executable=/private/tmp/1/test
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.developer.endpoint-security.client</key>
<true/>
</dict>
</plist>
$ ./test
Killed: 9
I'm under the impression that I'm missing something trivial, but I'm out of ideas already. Any advice on what should be verified is welcome.
I am seeing kmutil being executed a *lot* on my iMac with Big Sur.
Apple's documentation says kmutil is used for loading and unloading kexts (and some other things).
Should I be concerned with this much kmutil activity?
I couldn't find an event type to subscribe to for identifying user logins (SSH, GUI). As an alternative approach I investigated the possibility of monitoring process events, e.g. for loginwindow.
However, I noticed that this doesn't seem to work either, because the user id and audit session id change from root 0/system session 100001 right after exec to the respective user's id (e.g. 501) and their GUI session id (e.g. 100005) after successful authentication. Since I couldn't find any evidence of a fork or exec event, I assume that something like setuid is used internally.
Is there any way one could get notified of events which change the process' context (like setuid or a session id change)?
Are there events for user logins/sessions I've overlooked?
Just got a crash log from our QA testing on Monterey. The basic crash info is below, but I don't know what the termination reason means or how to look it up.
Exception Type: EXC_CRASH (SIGKILL)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace ENDPOINTSECURITY, Code 2
The backtrace showed the crashing thread in _pthread_cond_wait, waiting for a signal that there is data to process. (This is for notify events; we queue them up for processing.) We do retain the message, so I'm wondering if the queue is backing up (it shouldn't be, since the pthread_cond_wait only happens on an empty queue) and not releasing the messages quickly enough. But I don't know what Code 2 means, so I can't tell if this idea is valid.
Can someone point me to where I can look that up?
Thanks
I am trying out an Endpoint Security system extension to prevent users from deleting my app data. I used ES_EVENT_TYPE_AUTH_UNLINK to stop users from deleting app files.
I am trying to figure out how I can stop users from deleting a keychain item.
I'm working on an enterprise product and we need to be able to provide a meaningful mapping between processes and the session context they're running in. I know that we can get the asid of a process based on an exec event subscription via ES, but the asid is too detailed. Ultimately we want to be able to say process A is running in the system session / the console session of user {a,b,c} / an SSH session.
One problem is that for what we would consider a system session (non-interactive) there exist multiple asids. So we need to group all non-user sessions and be able to distinguish them from user GUI/SSH sessions.
Is there a way to get more information about a process' session, maybe by querying its asid? Maybe based on BSM and the audit token? I was thinking along the lines of what launchctl procinfo provides under the section "audit flags". There are flags like has_console_access and has_authenticated, but I haven't been able to find out where this information is coming from. There are related flags in the Security framework (SessionAttributeBits), but especially the two I mentioned are missing.
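The "audit flags" that launchctl procinfo prints are the AU_SESSION_FLAG_* bits of the session's auditinfo_addr_t (ai_flags in <bsm/audit.h>), and a session can be looked up by asid with auditon(2) and A_GETSINFO_ADDR. The asid itself comes straight out of the audit token in the ES message via audit_token_to_asid(). The following is an added example, not the poster's code, that classifies the session of the process in an ES message into the groups the post asks for; the classification rules are a hypothetical policy of this example, and the exact flag combination each login path sets should be confirmed against launchctl procinfo <pid> on the target macOS version. This also bears on the login-detection question further up this page: the flags of loginwindow's session change during authentication, so they have to be read at the time of the event you care about, not at loginwindow's exec.

```objective-c
// Added example, not the poster's code. Maps the audit session id (asid) of the
// process in an ES message to the BSM session flags that `launchctl procinfo`
// prints under "audit flags" (has_authenticated, has_console_access, ...).
// The flags live in auditinfo_addr_t.ai_flags and are fetched with
// auditon(A_GETSINFO_ADDR); the classification below is a hypothetical policy.
#include <EndpointSecurity/EndpointSecurity.h>
#include <bsm/audit.h>
#include <bsm/libbsm.h>
#include <os/log.h>
#include <string.h>

typedef enum {
    SESSION_SYSTEM,   // nobody has authenticated: launchd daemons, helpers, the initial session
    SESSION_REMOTE,   // authenticated over the network (sshd, screen sharing)
    SESSION_GUI,      // authenticated through loginwindow with console/graphic access
    SESSION_TTY,      // authenticated on a local terminal (login(1)), no GUI
    SESSION_UNKNOWN   // lookup failed or unexpected flag combination
} session_kind_t;

// Look the session up by asid. Needs privilege; an ES client already runs as root.
static int session_info_for_asid(au_asid_t asid, auditinfo_addr_t *out)
{
    memset(out, 0, sizeof *out);
    out->ai_asid = asid;
    return auditon(A_GETSINFO_ADDR, out, sizeof *out);   // 0 on success, -1 with errno
}

// Hypothetical policy: group every unauthenticated session as "system", then
// split authenticated sessions by how the user got in.
static session_kind_t classify_session(const auditinfo_addr_t *ai)
{
    au_asflgs_t f = ai->ai_flags;
    if (!(f & AU_SESSION_FLAG_HAS_AUTHENTICATED)) return SESSION_SYSTEM;
    if (f & AU_SESSION_FLAG_IS_REMOTE)            return SESSION_REMOTE;
    if (f & (AU_SESSION_FLAG_HAS_GRAPHIC_ACCESS | AU_SESSION_FLAG_HAS_CONSOLE_ACCESS))
        return SESSION_GUI;
    if (f & AU_SESSION_FLAG_HAS_TTY)               return SESSION_TTY;
    return SESSION_UNKNOWN;
}

// Works on any es_process_t: msg->process (the actor) or msg->event.exec.target.
static session_kind_t session_kind_for_process(const es_process_t *proc, au_asid_t *asid_out)
{
    au_asid_t asid = audit_token_to_asid(proc->audit_token);
    if (asid_out) *asid_out = asid;
    auditinfo_addr_t ai;
    if (session_info_for_asid(asid, &ai) != 0) return SESSION_UNKNOWN;
    return classify_session(&ai);
}

// Example use inside an ES handler subscribed to ES_EVENT_TYPE_NOTIFY_EXEC.
static void on_exec(const es_message_t *msg)
{
    au_asid_t asid = 0;
    session_kind_t kind = session_kind_for_process(msg->event.exec.target, &asid);
    os_log(OS_LOG_DEFAULT, "exec pid %d asid %d session kind %d",
           audit_token_to_pid(msg->event.exec.target->audit_token), asid, (int)kind);
}
```

Two caveats a practitioner will hit: the lookup is live, so a process whose session has already been destroyed by the time the notify message is handled yields SESSION_UNKNOWN, and remote screen-sharing sessions carry both IS_REMOTE and HAS_GRAPHIC_ACCESS, which is why the remote check runs before the GUI check above. If you want the per-user grouping the post describes, pair the kind with ai.ai_auid (the audit user id), which, unlike the uid the post observed changing after exec, identifies the user who authenticated.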
I tried the sample app given at WWDC. Using ES_EVENT_TYPE_AUTH_OPEN I could stop writes to a file using echo.
But if I use vim or TextEdit and edit the file, it saves the changes.
I tried ES_EVENT_TYPE_AUTH_SIGNAL, ES_EVENT_TYPE_AUTH_UNLINK and ES_EVENT_TYPE_AUTH_TRUNCATE, but no luck.
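Editors such as vim and TextEdit do not write into the existing file: they write a new temporary file and rename it over the original (an "atomic save"), so the protected inode is never opened for writing and an AUTH_OPEN check never fires for it. The post above (vim/TextEdit saving despite AUTH_OPEN) and the earlier one about stopping deletion with AUTH_UNLINK both come down to the same thing, namely covering every operation that can replace a file's contents or name. The following is an added example, not the poster's code or Apple's sample; the protected path is a hypothetical placeholder, and the file is meant to be compiled as Objective-C.

```objective-c
// Added example, not the poster's code or Apple's sample. Denies every ES
// operation that can replace the contents of one protected file, including
// the rename-over-original that editors use for "atomic" saves. The protected
// path is a hypothetical placeholder; matching is by path only (see note).
#import <Foundation/Foundation.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <limits.h>
#include <os/log.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/fcntl.h>

static const char kProtectedPath[] = "/Library/Application Support/ExampleApp/data.db"; // hypothetical

static bool token_is(es_string_token_t tok, const char *s)
{
    size_t n = strlen(s);
    return tok.length == n && memcmp(tok.data, s, n) == 0;
}

static bool file_is_protected(const es_file_t *f) { return token_is(f->path, kProtectedPath); }

// Rename/link targets that do not exist yet arrive as (directory, filename).
static bool new_path_is_protected(const es_file_t *dir, es_string_token_t name)
{
    char buf[PATH_MAX];
    int n = snprintf(buf, sizeof buf, "%.*s/%.*s", (int)dir->path.length, dir->path.data,
                     (int)name.length, name.data);
    return n > 0 && (size_t)n < sizeof buf && strcmp(buf, kProtectedPath) == 0;
}

// Called for every AUTH message; must answer before msg->deadline, so keep it cheap.
static void handle_auth(es_client_t *client, const es_message_t *msg)
{
    bool deny = false;
    switch (msg->event_type) {
    case ES_EVENT_TYPE_AUTH_OPEN: {                    // the echo > file case
        bool wants_write = (msg->event.open.fflag & FWRITE) != 0;   // kernel FREAD/FWRITE bits
        bool block = wants_write && file_is_protected(msg->event.open.file);
        es_respond_flags_result(client, msg, block ? 0 : 0xffffffff, false); // flags, not auth result
        return;
    }
    case ES_EVENT_TYPE_AUTH_UNLINK:   deny = file_is_protected(msg->event.unlink.target);   break;
    case ES_EVENT_TYPE_AUTH_TRUNCATE: deny = file_is_protected(msg->event.truncate.target); break;
    case ES_EVENT_TYPE_AUTH_RENAME: {                  // atomic save: rename temp file over original
        const es_event_rename_t *ev = &msg->event.rename;
        if (file_is_protected(ev->source))
            deny = true;
        else if (ev->destination_type == ES_DESTINATION_TYPE_EXISTING_FILE)
            deny = file_is_protected(ev->destination.existing_file);
        else
            deny = new_path_is_protected(ev->destination.new_path.dir,
                                         ev->destination.new_path.filename);
        break;
    }
    case ES_EVENT_TYPE_AUTH_EXCHANGEDATA:              // swaps the contents of two files in place
        deny = file_is_protected(msg->event.exchangedata.file1) ||
               file_is_protected(msg->event.exchangedata.file2);
        break;
    case ES_EVENT_TYPE_AUTH_LINK:                      // a hard link would be a second writable name
        deny = file_is_protected(msg->event.link.source);
        break;
    default:
        break;
    }
    es_respond_auth_result(client, msg, deny ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false);
}

int main(void)
{
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
            if (m->action_type == ES_ACTION_TYPE_AUTH) handle_auth(c, m);
        });
        if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
            os_log_error(OS_LOG_DEFAULT, "es_new_client failed: %d", r);
            return 1;
        }
        es_event_type_t events[] = {
            ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_UNLINK, ES_EVENT_TYPE_AUTH_TRUNCATE,
            ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_EXCHANGEDATA, ES_EVENT_TYPE_AUTH_LINK,
        };
        if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
            es_delete_client(client);
            return 1;
        }
        dispatch_main();
    }
}
```

Matching by path is the weak point of this example: a hard link that already existed before the client started, a firmlink or a second mount of the same volume all give the inode another name. A production client should also compare the st_dev/st_ino pair in es_file_t.stat against the protected file, and should answer AUTH messages well inside msg->deadline, since the handler above runs synchronously on the ES delivery thread.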
Hello,
We have an endpoint security daemon which also uses some system extensions (network content filtering, file notifications). When building in debug with the correct entitlements (get-task-allow) we cannot attach with the debugger. More precisely, after attaching, instead of displaying thread information, the daemon just stops (a SIGKILL with no source appears in the logs). Before this happens, the system freezes for about 15-20 seconds, so I'm guessing it's some kind of watchdog that kills the app before the debugger can completely attach. The same happens with a custom-built GDB, as well as various versions of LLDB.
How can we find out what kills the daemon and maybe increase the timeout or some other solution like that?
I'm watching NOTIFY_LINK and NOTIFY_CREATE events, and symlinks are oddly not reported as link events but as create events. The problem with this is that I cannot get the path linked from without doing a manual readlink. Am I missing something? Is this an intentional design decision in ES?
With BSM we'd watch AUE_SYMLINK (which has its own issues with not reporting paths).
I tried to run the sample Endpoint Security app from the official documentation.
https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security
I turned off SIP and used a profile with access to system extensions. I moved the built app to the Applications folder.
But in the console I always get output like this:
Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt[54059]): removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/51DB56F4-508F-4771-ADA1-61033CA939FF/com.test.ESTest.ESTest.ESTestExt.systemextension/Contents/MacOS/com.test.ESTest.ESTest.ESTestExt:
Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt[54059]): Binary is improperly signed.
Jul 5 15:27:29 com.apple.xpc.launchd[1] (XY28F7M994.com.test.ESTest.ESTest.ESTestExt): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.
Please help