ES sample project

I downloaded the ES sys-ext sample project. I built the 'NOTIFY' extension, and I was able to install it. However, it doesn't seem to work (or - it doesn't report anything).

This is what I did:

  • I downloaded the project
  • I renamed the bundle IDs
  • I disabled SIP
  • I tried both signing options - let 'Xcode automatically manage signing', and I also tried to use my 'Developer ID'
  • I moved the app to the Applications folder
  • I granted the 'Full Disk Access' permission to the extension
  • I verified that the extension is running
  • I did not get the needed entitlement yet, but since SIP is disabled, I don't think it's a problem
  • I did get the message 'Successfully installed the extension ✅'
  • At the terminal, I tried to capture relevant logs:

log stream --style compact --predicate 'sender == "myBundleId"' (I tried it with the app bundleID, and with the extension's bundleId)

And yet, 'ps' triggers no logs.

At the Console, I get these messages: "Unsatisfied entitlements: com.apple.developer.endpoint-security.client" Disallowing: myBundleId

amfid: Restricted entitlements not validated, bailing out. Error: Error Domain=AppleMobileFileIntegrityError Code=-413 "No matching profile found" UserInfo={NSURL=<private>, unsatisfiedEntitlements=<private>, NSLocalizedDescription=No matching profile found}

Any idea where the problem is?

Replies

Should I disable AMFI? amfi_get_out_of_my_way

AFAIK the bug described in this post is still extant.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Hello @eskimo, When using the amfi_get_out_of_my_way bootarg to enable an Endpoint Security system extension loading, on macOS Sonoma 14.2 (all betas so far), there seems to be a bug introduced where task_set_exception_ports and related APIs fail with GUARD_TYPE_MACH_PORT:

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_GUARD (SIGKILL)
Exception Codes:       GUARD_TYPE_MACH_PORT
Exception Codes:       0x00000000000048e0, 0x0000000000000000

Termination Reason:    Namespace GUARD, Code 2305843035510950112 

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib        	       0x18c8e0854 mach_msg2_trap + 8
1   libsystem_kernel.dylib        	       0x18c8f2cd0 mach_msg2_internal + 80
2   libsystem_kernel.dylib        	       0x18c90ac78 task_swap_exception_ports + 368

This affects a lot of third-party software, such as 1Password, Firefox, Tower, etc. In the past, another boot arg was needed to prevent crashes: ipc_control_port_options. Is there anything new introduced in Sonoma 14.2 in this regard?

Thank you in advance

I’ve no input on this. Sorry, but:

  • This isn’t a configuration we officially support.

  • Speaking personally, I only disable SIP on ‘victim’ machines, and I certainly don’t run important stuff like 1Password on those.

Feel free to file a bug against the 14.2 beta, making sure to explain that you’re only in this pickle because of that other bug (r. 57130762).

Please post your bug number, just for the record.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

  • I already did. FB13418305

    Thank you!

  • Regarding "victim" machines, it is difficult to test a product such as an ES client without running it on a machine with real-world software running on it, and generating real-world events. Thanks

  • It seems like the issue was fixed in 14.2 beta 4, at least from my limited testing. Please pass thanks to the team!

Now broken in macOS 14.3 beta 1.