My process is running with root privilege, but I got the error below when using the API SecStaticCodeCreateWithPath(_:_:_:) to create a static code object for the Cortex XDR Agent app. It works fine for other apps like Safari on the same device.
2025-07-22 02:02:05.857719(-0600)[23221:520725] DBG Found /Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app,/Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app running. Will verify the process now
2025-07-22 02:02:05.859209(-0600)[23221:520725] ERR Failed to create static code for path /Library/Application Support/PaloAltoNetworks/Traps/bin/Cortex XDR Agent.app/Contents/MacOS/Cortex XDR Agent. Error: Optional(UNIX[Operation not permitted])
Code Snippet
let fileURL = URL(fileURLWithPath: processPath)
var code: SecStaticCode?
let rc = SecStaticCodeCreateWithPath(fileURL as CFURL, [], &code)
if rc == errSecSuccess, let code = code {
    staticCode = code
} else {
    ZSLoggerError("Failed to create static code for path \(processPath). Error: \(String(describing: SecCopyErrorMessageString(rc, nil)))")
    return nil
}
This is failing with EPERM, which is the most common reason for this sort of failure. It means that the operation was denied by some security subsystem, like App Sandbox. I discuss this in great detail in On File System Permissions.
> My process is running with root privilege
On modern versions of macOS there’s no guarantee that root can access all files [1].
Given the location of the problematic app, I doubt this is not being caused by App Sandbox or MAC, meaning that ES is the most likely culprit.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] Well, that was true even on ancient versions of macOS, where NFS would map root to nobody.
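An added example, not code from the original post or from Apple: one way to make the failure above self-diagnosing by decoding the errno carried in the `OSStatus`, so the log separates an EPERM policy denial from an EACCES permissions problem. The names `StaticCodeFailure`, `classify`, and `makeStaticCode` are hypothetical, and the errno base and limit are written as literals on the assumption that they match `errSecErrnoBase` and `errSecErrnoLimit`.

```swift
import Foundation
import Security

// Security.framework reports a POSIX errno as OSStatus 100000 + errno, which is
// why EPERM is rendered as "UNIX[Operation not permitted]". The literals below
// are assumed to match errSecErrnoBase and errSecErrnoLimit.
let errnoBase: OSStatus = 100_000
let errnoLimit: OSStatus = 100_255

enum StaticCodeFailure {
    case policyDenied            // EPERM: a security subsystem refused the access
    case permissionDenied        // EACCES: BSD permissions or ACLs
    case otherErrno(Int32)       // some other POSIX error
    case securityError(OSStatus) // not an errno-based status at all
}

func classify(_ status: OSStatus) -> StaticCodeFailure {
    guard (errnoBase...errnoLimit).contains(status) else { return .securityError(status) }
    switch status - errnoBase {
    case EPERM:  return .policyDenied
    case EACCES: return .permissionDenied
    case let code: return .otherErrno(code)
    }
}

func makeStaticCode(atPath path: String) -> SecStaticCode? {
    var code: SecStaticCode?
    let rc = SecStaticCodeCreateWithPath(URL(fileURLWithPath: path) as CFURL, [], &code)
    if rc == errSecSuccess, let code = code { return code }

    let message = (SecCopyErrorMessageString(rc, nil) as String?) ?? "OSStatus \(rc)"
    switch classify(rc) {
    case .policyDenied:
        // Running as root does not help here: the denial is policy, not ownership.
        print("EPERM for \(path): blocked by a security subsystem (\(message))")
    case .permissionDenied:
        print("EACCES for \(path): check BSD permissions and ACLs (\(message))")
    case .otherErrno(let code):
        print("errno \(code) for \(path): \(String(cString: strerror(code)))")
    case .securityError(let status):
        print("Security error \(status) for \(path): \(message)")
    }
    return nil
}
```

Treating `.policyDenied` as "identity could not be verified" rather than retrying or escalating keeps the caller's verification logic fail-closed.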