Enable FSKit module globally pre-login

I've developed a custom FSKit module which all seems to work OK when tested with a dummy test FSResource.

However, the end goal is to mount a user's entire home directory via my FSKit module. I obviously need the mount to occur before that user logs in for the first time, since that is when their home directory will be first populated. I also have to perform the mount as the user in question since their home directory must be owned by them.

I have written a LaunchDaemon module to call /sbin/mount, running as that user, however I notice that whether FSKit modules are enabled or disabled seems to be a per-user setting. If I enable my FSKit module as User A in 'System Settings > Login Items and Extensions' and then log in as User B and go into Login Items and Extensions, the module shows as disabled.

Is there a way to enable my FSKit module globally so that it is enabled for all users without each user having to go into System Settings and manually enable it? Or a way of enabling it via command line that I can run with "sudo -u"? And would this enable me to mount a filesystem before any user has logged in?

> the end goal is to mount a user's entire home directory via my FSKit

That’s gonna be really challenging. FSKit is based on app extensions, and app extensions are fundamentally scoped to a given user.

> Is there a way to enable my FSKit module globally

No.

Honestly, I think that’d make a reasonable enhancement request. On the networking side of things, macOS allows developers to package a Network Extension provider as a system extension, which runs globally.

If you do file an ER, please post your bug number, just for the record.


What’s your distribution plan here? Is this something you’re building for yourself? Or something you plan to ship to a wide range of users?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the reply.

I can't post too much about the use case, other than to say it is something very bespoke and wouldn't be distributed publicly.

However, I'd expect that mounting a user's entire home directory via an FSKit module is something that many people might want to do (e.g. home directory on a network file share). I can raise an enhancement request.

In the meantime, any chance you could give some details on how FSKit "knows" that a particular FSKit module is enabled for a given user? I have noticed that, when I enable the module in "Login Items & Extensions", a file at "/Users/<user>/Library/Group Containers/group.com.apple.fskit.settings/enabledModules.plist" is getting updated. If I were to somehow create that file programmatically and add my module's ID to it, would that do the trick and enable my FSKit module to run before the user has logged in?

> any chance you could give some details on how FSKit "knows" that a particular FSKit module is enabled for a given user

No, sorry, these are very much implementation details and thus not something I can encourage folks to rely on.

IMPORTANT macOS works hard to prevent users from running code unexpectedly, hence the existence of System Settings > General > Login Items & Extensions. Given that, it wouldn’t surprise me if the files that back these settings were protected by MAC [1], or become so protected in the future.

Regarding your overall goal, there’s a deeper architectural concern in play. Settings like this are usually stored in the user’s home directory, which results in a clear chicken’n’egg problem if your FSKit module is responsible for mounting that home directory. Hence my suggestion for an ER, and specifically the option to use a sysex, which is global to the system as a whole.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] As defined in On File System Permissions.
