Endpoint Security Extension Crashing Frequently When Handling ES_EVENT_TYPE_AUTH_OPEN

I am facing a persistent issue with an Endpoint Security (ES) extension that is crashing only when processing the ES_EVENT_TYPE_AUTH_OPEN event. Other event types, including ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_MMAP, work without any problems.

func startMonitoring() {
    guard !isMonitoring else { return }

    // 0x7FFFFFFF is the conventional "allow every open flag" value for AUTH_OPEN responses.
    let allowAllOpenFlags: UInt32 = 0x7FFFFFFF

    let result = es_new_client(&gClient) { (client, message) in
        // Only AUTH messages take a response; NOTIFY messages must not be responded to.
        guard message.pointee.action_type == ES_ACTION_TYPE_AUTH else { return }

        // Decide the response function by event type first. AUTH_OPEN is a flags event
        // (es_respond_flags_result); every other auth event takes an es_auth_result_t.
        guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN else {
            es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true)
            return
        }

        let pid = audit_token_to_pid(message.pointee.process.pointee.audit_token)

        if pid == gSelfPID {
            // Never block our own process, and stop receiving its events altogether.
            es_respond_flags_result(client, message, allowAllOpenFlags, true)
            var token = message.pointee.process.pointee.audit_token
            es_mute_process(client, &token)
            return
        }

        let pathData = message.pointee.event.open.file.pointee.path
        guard let pathPtr = pathData.data else {
            es_respond_flags_result(client, message, allowAllOpenFlags, true)
            return
        }

        if shouldSkipPath(pathPtr, length: pathData.length) {
            es_respond_flags_result(client, message, allowAllOpenFlags, true)
            return
        }

        if !hasBlockedExtension(pathPtr, length: pathData.length) {
            es_respond_flags_result(client, message, allowAllOpenFlags, true)
            return
        }

        guard let execPathPtr = message.pointee.process.pointee.executable.pointee.path.data else {
            es_respond_flags_result(client, message, allowAllOpenFlags, true)
            return
        }

        // From here on the verdict depends on the calling process. The ES result cache is
        // keyed by file, not by process, so a cached verdict would be applied to every
        // process that later opens the same file; pass cache = false on both branches.
        if isGoogleChrome(execPathPtr) {
            // Deny an AUTH_OPEN by allowing no flags. es_respond_auth_result is the wrong
            // call for a flags event: it fails with ES_RESPOND_RESULT_ERR_EVENT_TYPE and
            // the message is left unanswered until its deadline expires.
            es_respond_flags_result(client, message, 0, false)
        } else {
            es_respond_flags_result(client, message, allowAllOpenFlags, false)
            var token = message.pointee.process.pointee.audit_token
            es_mute_process(client, &token)
        }
    }

    guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = gClient else { return }

    // Start from an empty result cache so stale cached verdicts from a previous run do not apply.
    es_clear_cache(client)
    muteNoisyPaths(client: client)

    let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_OPEN]
    let subResult = es_subscribe(client, events, UInt32(events.count))
    guard subResult == ES_RETURN_SUCCESS else {
        es_delete_client(client)
        gClient = nil
        return
    }

    isMonitoring = true
}
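
An added example, not part of the post above: one way to make sure every auth message gets exactly one response of the right kind. The verdict is computed on the way through the handler and a single `defer` delivers it, so no early-return path can leave an AUTH_OPEN message unanswered; AUTH_OPEN always goes through es_respond_flags_result (deny = no flags), everything else through es_respond_auth_result, and the return code of the respond call is logged. The `Logger` subsystem, the `blockedExtensions` set, the `deniedExecutablePrefix` path, and the `Verdict`/`respond`/`handle` names are assumptions made for this example, not identifiers from the original code.

```swift
import EndpointSecurity
import os

// Assumed subsystem name for this example.
let esLog = Logger(subsystem: "com.example.esclient", category: "respond")

// Conventional "allow every open flag" value for AUTH_OPEN responses.
let allowAllOpenFlags: UInt32 = 0x7FFFFFFF

// Assumed policy inputs for the example; the post's own helpers are not shown.
let blockedExtensions: Set<String> = ["docx", "xlsx"]
let deniedExecutablePrefix = "/Applications/Google Chrome.app/"

enum Verdict { case allow, deny }

/// Sends exactly one response for an auth message, choosing the response function by
/// event type, and returns what ES said about the response so the caller can log it.
@discardableResult
func respond(_ client: OpaquePointer,
             _ message: UnsafePointer<es_message_t>,
             _ verdict: Verdict,
             cache: Bool = false) -> es_respond_result_t {
    precondition(message.pointee.action_type == ES_ACTION_TYPE_AUTH,
                 "NOTIFY messages must not be responded to")
    let result: es_respond_result_t
    switch message.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_OPEN:
        // Flags event: a deny is "no flags allowed", never es_respond_auth_result.
        let flags: UInt32 = (verdict == .allow) ? allowAllOpenFlags : 0
        result = es_respond_flags_result(client, message, flags, cache)
    default:
        let auth = (verdict == .allow) ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY
        result = es_respond_auth_result(client, message, auth, cache)
    }
    if result != ES_RESPOND_RESULT_SUCCESS {
        // ERR_EVENT_TYPE here means the wrong respond function was used for this event.
        esLog.error("respond failed: event \(message.pointee.event_type.rawValue) result \(result.rawValue)")
    }
    return result
}

/// Converts an es_string_token_t without assuming NUL termination.
func string(from token: es_string_token_t) -> String {
    guard let data = token.data else { return "" }
    let bytes = UnsafeRawBufferPointer(start: data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

/// Handler body for es_new_client. The verdict is per process, so it is never cached.
func handle(_ client: OpaquePointer, _ message: UnsafePointer<es_message_t>) {
    guard message.pointee.action_type == ES_ACTION_TYPE_AUTH else { return }

    var verdict = Verdict.allow
    // Runs on every exit path below, so the message is answered exactly once.
    defer { respond(client, message, verdict, cache: false) }

    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN else { return }

    let filePath = string(from: message.pointee.event.open.file.pointee.path)
    let ext = (filePath as NSString).pathExtension.lowercased()
    guard blockedExtensions.contains(ext) else { return }

    let execPath = string(from: message.pointee.process.pointee.executable.pointee.path)
    if execPath.hasPrefix(deniedExecutablePrefix) {
        verdict = .deny
    }
}
```

Install it with `es_new_client(&gClient) { client, message in handle(client, message) }` and subscribe to ES_EVENT_TYPE_AUTH_OPEN as in the post; because the verdict depends on which process is opening the file, `cache` stays false so the file-keyed ES cache never replays one process's verdict for another.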

Please post the full crash log and I'll take a look.

__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
