How endpoint security close notify event -> close auth event

Hi,
As I know, Apple's Endpoint Security platform is kind of a replacement for kexts and the KAuth event notification framework. But I could see that close is a notification event (i.e. ES_EVENT_TYPE_NOTIFY_CLOSE) instead of an auth event.
  1. In this case, how can we write an application where we need the close event as an auth event?

  2. I am looking for similar functionality to what KAuth (i.e. KAUTH_SCOPE_FILEOP/KAUTH_SCOPE_VNODE) was providing. Is there any alternative?

Thanks,
Abhrajyoti




Why do you want to authorise close events? Are you actually going to deny the event? Or do you want to have an auth event so that you can do some other thing before the close completes?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Hi eskimo,
Right, primarily I want to deny the close event in certain conditions.

Thanks,
Abhrajyoti


in certain conditions.

For example?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Hi Eskimo,

Possible use case:
  1. I want to block (permission denied) copying/writing of confidential files/data onto a network share or drive, external disk, etc.


Thanks,
Abhra

I want to block (permission denied) copying/writing of confidential files/data onto a network share or drive, external disk, etc.

But by the time you get the close event the copy has already been done.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
@eskimo, what is your recommendation for the best way to handle such a use case with Endpoint Security? Which ES auth event could we potentially handle to block it? Many thanks!

what is your recommendation for the best way to handle such a use case with Endpoint Security?

ES_EVENT_TYPE_AUTH_OPEN seems like the obvious candidate but presumably you’ve looked at that already. Why doesn’t it work for you?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
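Quinn's ES_EVENT_TYPE_AUTH_OPEN suggestion, worked through as an added example (my code, not Apple's and not from this thread): the client allows confidential files to be opened for reading but refuses opens that request write access, which covers the "allow open, block modification" case. The confidential directory path and the FFLAG_WRITE constant (FWRITE from sys/fcntl.h) are assumptions; a real client must carry the com.apple.developer.endpoint-security.client entitlement and have Full Disk Access, and the ES glue only compiles where the framework header exists so the policy core builds anywhere.

```c
/* Added example: ES_EVENT_TYPE_AUTH_OPEN policy that permits read-only opens
 * of confidential files and denies opens requesting write access.
 * Assumed: CONFIDENTIAL_DIR location; FFLAG_WRITE mirrors FWRITE (0x2) from
 * sys/fcntl.h. Needs the endpoint-security.client entitlement + Full Disk
 * Access to run on macOS; the policy core itself is portable C. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CONFIDENTIAL_DIR "/Users/Shared/Confidential/"  /* assumed location */
#define FFLAG_WRITE 0x2  /* FWRITE: the open requests write access */

/* Policy core: true if an open of `path` (length `len`) with kernel open
 * flags `fflag` may proceed. Reads are always allowed; writes to anything
 * under CONFIDENTIAL_DIR are denied. */
bool allow_open(const char *path, size_t len, int32_t fflag) {
    size_t plen = strlen(CONFIDENTIAL_DIR);
    bool confidential = len >= plen && memcmp(path, CONFIDENTIAL_DIR, plen) == 0;
    bool wants_write = (fflag & FFLAG_WRITE) != 0;
    return !(confidential && wants_write);
}

#if __has_include(<EndpointSecurity/EndpointSecurity.h>)
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>

static void handle(es_client_t *client, const es_message_t *msg) {
    if (msg->event_type != ES_EVENT_TYPE_AUTH_OPEN) return;
    const es_string_token_t *p = &msg->event.open.file->path;
    int32_t fflag = msg->event.open.fflag;
    /* AUTH_OPEN is answered with the set of authorized fflags: echo the
     * request to allow it, authorize nothing to deny it. Not cached, because
     * the verdict depends on the requested flags, not only on the file. */
    uint32_t authorized = allow_open(p->data, p->length, fflag) ? (uint32_t)fflag : 0;
    es_respond_flags_result(client, msg, authorized, false);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *m) { handle(c, m); });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) { fprintf(stderr, "es_new_client: %d\n", r); return 1; }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) return 1;
    dispatch_main();  /* never returns; events are delivered to the handler */
}
#endif
```

As Quinn notes later in the thread, this is the point where a copy can still be stopped; by the time a close event arrives the data has already been written.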
Hi Eskimo,
I know open is an auth event, which is good and can help in certain use cases. But primarily I wanted to allow opening of the file and block it in case of modification etc. Hence if we could get close as an auth hook we could rely on only one event to handle. In the KAuth world, close was an auth event, not a notification event. How can we achieve the same on kextless macOS?

Thanks,
Abhra

In the KAuth world, close was an auth event, not a notification event.

Kinda. While the event was synchronous, like an ES auth event, it didn’t actually allow you to block the close. You can see this in the Darwin kernel source. Check out close_internal_locked in xnu/bsd/kern/kern_descrip.c, and specifically the call to kauth_authorize_fileop with the KAUTH_FILEOP_CLOSE selector. It even has a comment explaining what’s going on:

/*
 * call out to allow 3rd party notification of close.
 * Ignore result of kauth_authorize_fileop call.
 */


Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"