I have two privileged service(s) and a desktop app. The privileged services are packaged into /Library/*** and are run using launchd at runtime. The desktop app is just dropped into /Applications.
The desktop app connects to one of the services (let's say service "B") via XPC. That is, B is running an XPC listener (using libxpc). Both applications are written in golang with xpc interaction via CGO.
This is all working fine: The desktop app is receiving notifications over XPC from service B. However, during our build we dump the built and signed apps (before .pkg'ing) into a dist folder. When we run the app (using a makefile target), we copy the services from dist to another location as root, then execute the binaries directly. This is problematic for the desktop app, because my understanding is that XPC requires launchd to assert the namespace it's under. Thus, when service B is launched this way, it says "operation not permitted." We also want to reserve the ability to run a production version of our app on the same machine (drink our own champagne and all that), and I would like to avoid having development versions running on startup, so I don't want to use the same launch configurations.
macOS is one of three platforms we support (Linux and Windows as well). Our IPC implementation under macOS uses XPC via golang build tags.
Questions:
Is it possible to start the XPC server without using launchd, or by using launchd but without registering it as an actual service?
Is this a use case where using a unix domain socket would be better (albeit I feel like securing the socket between the privileged / unprivileged process would be ... fun)?
Additional / somewhat unrelated questions:
Is it possible for me to somehow restrict another process from chatting with service B over XPC (restrict to my other desktop app)?
This is an app bundle question, so very unrelated: The service "app" that contains services A and B is in /Library, with the plist pointing to A, but B resides in Contents/MacOS next to A. Should this be split out into its own app bundle under Frameworks, or is this fine?
Core OS
Explore the core architecture of the operating system, including the kernel, memory management, and process scheduling.
We are developing an app called Parentgeenee. It's a Parental control app having any limitations on app block from child mobile. Trying to block more than 500 apps but not blocking if any particular method to block a bulk apps.
I want a user to be able to save a URL of a folder on a cloud share using the standard FileManager APIs. I'm testing with Dropbox in particular. The initial interaction is working (I can select a folder, save it as a bookmark, and scan the files in that folder). However, no changes made externally to the folder will be reflected in the app when I refresh the contents.
Launching the Files app and browsing to the folder DOES show the updated contents, and once that step is complete, then my app will again show up-to-date contents.
Is there perhaps some API I should be calling to trigger the Dropbox File Provider extension to update its cache?
Sample project demonstrating issue: https://github.com/dhennessy/FolderScan
STEPS TO REPRODUCE
Launch the app on a physical device
Tap Choose, browse to folder on a Dropbox share, tap Open to select
The app will show the contents of the folder (the 'test' folder)
Switch to the Dropbox app and create a new subfolder of the test folder
Return to the test app and tap Refresh. Notice that the changes do not appear
Re-launching the app also does not show the changes
Workaround
Launch the Files app (or re-open the UIDocumentPickerViewController by tapping choose and then dismiss it)
Tap Refresh and the changes will appear in the app
Note: None of the other 'cloud file providers' (Google Drive, OneDrive, Box) even allow the user to select a folder.
When I'm using Endpoint Security to monitor the file creation behavior of Keynote, I've noticed that when I choose to export a Keynote file as an HTML file, ES only triggers the ES_EVENT_TYPE_NOTIFY_CREATE notification for the index.html file, and the ES_EVENT_TYPE_AUTH_CREATE is not triggered. I've double-checked my code many times, and I'm pretty sure there's no error in it. Does ES only call the notification event without calling the authorization event under certain circumstances? Or is this a bug in ES?
I'm writing some code, intended to be run on macOS (not iOS). My code could greatly benefit from using IOReport, which is an undocumented IOKit API for obtaining various metrics like energy consumption on an Apple processor. I don't plan to submit my program to the App Store, but I do plan on making the Git repo containing my code public.
My understanding is that using undocumented IOKit APIs is strictly forbidden for iOS or macOS applications intended to be made available on the App Store.
But what about programs not intended to be submitted to the App Store, like in my case?
I'm wondering if anybody knows what Apple's policy is regarding using undocumented APIs in such a way on macOS.
I have been trying to investigate some of the kernel crashes I have noticed in my iOS crash logs. Some of these are in device driver software for the peripheral interfaces.
Given that the driver code executes with kernel privileges, these kinds of crashes leave the device vulnerable to remote code injection, with no user interaction required in some cases.
Crash Report from iOS 18.2.1
If Apple can provide the symbol table for the iOS 18.2.1 Bluetooth driver and source code, I can gladly help investigate this further.
I get the ApplicationSupportDirectory path like this:
let path = NSSearchPathForDirectoriesInDomains(.applicationSupportDirectory, .userDomainMask, true)[0] as String
however for FileProvider plugin it looks like:
/var/mobile/Containers/Data/PluginKitPlugin/.../Library/Application Support/rclone.conf
instead of what I get for an Application:
/var/mobile/Containers/Data/Application/.../Library/Application Support
I need a way to get the Application's Support Directory from the FileProvider plugin.
Is that possible? If not, what other shared location could I use to access a shared file between these two?
Hi,
I need to write an application (possibly using C) to communicate with a USB High Speed Device CDC class I am developing, but unfortunately I have no development experience under Mac OS, so I am here to ask for some help/advice. I hope I am in the right place.
Since I have a working code using libusb on Linux, I have first tried to use such lib on a Mac OS without success. The device is listed correctly using
ioreg -w0 -l -p
but it seems to be always busy:
MYUSBDEVICE@fa410000 <class IOUSBHostDevice, id 0x100001769, registered, matched, active, busy 0 (262 ms), retain 24>
in fact, attempting to use libusb always results in error:
LIBUSB_ERROR_NOT_FOUND
libusb_bulk_transfer: Entity not found
After searching a bit, I have read that it is impossible (?) to use libusb on MacOS.
Then I came across these following pages:
https://developer.apple.com/library/archive/documentation/DeviceDrivers/Conceptual/USBBook/USBDeviceInterfaces/USBDevInterfaces.html
https://developer.apple.com/documentation/usbdriverkit
I would like to avoid writing a CDC kernel driver for my application if possible, so link #2 seems more appropriate to what I need.
But isn't there any API available to develop a USB CDC communications C application on macOS?
Any suggestion is appreciated.
Thanks in advance.
Regards,
Simon
Can I launch all the launchAgents associated with a user before they log in? If so, is there an event or mechanism I can use or simulate to achieve this?
Is it possible to delay the login mechanism until all the launchAgents are loaded?
Looking for guidance on how to approach this.
Yesterday my Xcode app worked. I upgraded my Xcode and simulator today, but now I suddenly get:
error: the replacement path doesn't exist: "/var/folders/61/cs5w33tx7m92yq6t55h9w7k00000gn/T/swift-generated-sources/@__swiftmacro_6Fikser8FeedViewV4jobs33_842833018C1C855C625C2C0F4D027584LL5QueryfMa_.swift"
error: the replacement path doesn't exist: "/var/folders/61/cs5w33tx7m92yq6t55h9w7k00000gn/T/swift-generated-sources/@__swiftmacro_6Fikser8FeedViewV4jobs33_842833018C1C855C625C2C0F4D027584LL5QueryfMa_.swift"
error: the replacement path doesn't exist: "/var/folders/61/cs5w33tx7m92yq6t55h9w7k00000gn/T/swift-generated-sources/@__swiftmacro_6Fikser4UserC8username18_PersistedPropertyfMa_.swift"
error: the replacement path doesn't exist: "/var/folders/61/cs5w33tx7m92yq6t55h9w7k00000gn/T/swift-generated-sources/@__swiftmacro_6Fikser4UserC8username18_PersistedPropertyfMa_.swift"
error: the replacement path doesn't exist: "/var/folders/61/cs5w33tx7m92yq6t55h9w7k00000gn/T/swift-generated-sources/@__swiftmacro_6Fikser4UserC8username18_PersistedPropertyfMa_.swift"
And I also get this:
objc[11474]: Class AKBiometricRatchetUtility is implemented in both /Library/Developer/CoreSimulator/Volumes/iOS_22C150/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS 18.2.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/AuthKitUI.framework/AuthKitUI (0x12ff2d898) and /Library/Developer/CoreSimulator/Volumes/iOS_22C150/Library/Developer/CoreSimulator/Profiles/Runtimes/iOS 18.2.simruntime/Contents/Resources/RuntimeRoot/System/Library/PrivateFrameworks/AuthKit.framework/AuthKit (0x114a0b1f0). One of the two will be used. Which one is undefined.
Can it be that they are somehow related? Or what else can it be?
I have tried to delete derived data, clean folder, etc.
I am having difficulty getting my container app with an embedded endpoint security extension to work on a virtual Mac.
My virtual Mac has system integrity protection turned off. I have used spctl and System Settings to allow applications from anywhere.
I am using the development entitlement profile to sign my container app.
When I run my app, it crashes with Termination Reason: CODESIGNING 1 Taskgated Invalid Signature. I assume this has to do with the app being signed with my developer profile that contains a list of Macs that can run the software.
How can I test my endpoint security extension on a virtual Mac?
Phenomenon
We've found that an operator new/delete override in an iOS app only works the first time the app launches on iOS16; the operator override is not working in the second and subsequent launches of the same app.
Steps to reproduce
Development environment: XCode 16.2
Create a new iOS Objective-C project in XCode
In the project options page, choose the following settings:
Name the project: OverrideNew
Interface: Storyboard
Language: Objective-C
Testing System: None
Add test code
Change AppDelegate.m's file name to AppDelegate.mm to add the following C++ test code.
Add the following code after #import "AppDelegate.h"
#include <os/log.h>
#include <string>

static bool needLog = false;

void* operator new(size_t size) {
    void* ptr = malloc(size);
    if (needLog) {
        // Log to prove override new works
        os_log_error(OS_LOG_DEFAULT, "Overrided new called. ptr: %p\n", ptr);
    }
    return ptr;
}

void operator delete(void* ptr) noexcept {
    free(ptr);
    if (needLog) {
        // Log to prove override delete works
        os_log_error(OS_LOG_DEFAULT, "Overrided delete called. ptr: %p\n", ptr);
    }
}

void StringConstructTest(void) {
    needLog = true;
    os_log_error(OS_LOG_DEFAULT, "Enter StringConstructTest1\n");
    {
        std::string str;
        // a long string will trigger memory allocation on heap
        str = "Hello world and this is a long string.\n";
        os_log_error(OS_LOG_DEFAULT, "%{public}s\n", str.c_str());
    }
    os_log_error(OS_LOG_DEFAULT, "Exit StringConstructTest1\n");
    needLog = false;
}
Call StringConstructTest() in didFinishLaunchingWithOptions method:
- (BOOL)application:(UIApplication *)application didFinishLaunchingWithOptions:(NSDictionary *)launchOptions {
    // Override point for customization after application launch.
    StringConstructTest();
    return YES;
}
Change build settings
Change Minimum Deployments: iOS 16.
Build and run the project on an iOS16 device; the emulator cannot reproduce the problem.
Observe logs in Console app on Mac
Use the following log filters:
message type: error
process: OverrideNew
First launch
On the first launch on the device (not from an XCode debug launch), the log is:
Enter StringConstructTest1
Overrided new called. ptr: 0x281f2f450
Hello world and this is a long string.
Overrided delete called. ptr: 0x281f2f450
Exit StringConstructTest1
"Overrided new called" proves the overridden new operator is called.
Second and subsequent launches
On the second and subsequent launches on the device (not from an XCode debug launch), the log is:
Enter StringConstructTest1
Hello world and this is a long string.
Exit StringConstructTest1
There is no log for "Overrided new called"; in subsequent launches, the overridden operator new is not called anymore.
Expected behavior
For every app launch, log "Overrided new called" will happen and operator override works.
On iOS16, operator override only works for the first launch.
I've also tested on iOS18, operator override works every time as expected.
Question
Is there a way to force the operator override to work every time on iOS16?
I am developing an App that will enable voice calls between users through webrtc. When the user opens the App and switches the App to the background, the user will receive the incoming call notification through Silent Push Notifications (not PushKit).
My question is as follows,
If I set UIBackgroundModes to voip and do not use PushKit and CallKit, will this cause the background App to be unable to use webrtc voice calls (requires network, microphone, and audio permissions)?
Can I set UIBackgroundModes = audio combined with AVAudioSession playAndRecord instead of setting UIBackgroundModes to voip, so that I can use the microphone and audio in the background to implement webrtc voice calls?
Thanks for your help.
My question is: Do I need two App IDs? One for my launch daemon in order to sign it properly, allowing it to use the Endpoint Security framework. One for the container app.
My understanding is that my existing launch daemon can perform the endpoint security requirements I need. So far, I have had just one App ID for my container app that lives in /Applications.
I have applied for the endpoint security restricted entitlement and have this for development now.
Do endpoint security items have to go in Library/SystemExtension? Can my launch daemon live in Library/LaunchDaemons and still use the Endpoint Security framework?
For a component operating as a peripheral in a BLE connection, is it possible to tell if the user taps "Cancel" in the system's pairing request dialog?
None of the methods in CBPeripheralManagerDelegate appear to apply.
Hi.
I am facing a panic in a distributed virtual filesystem of my own making.
The panic arises on an attempt to copy a large folder, or write a large file (both around 20gb).
An important note here is that the amount of files we try to copy is larger than available space (for testing purposes, the virtual file system had a capacity of 18 gigabytes).
The panic arises somewhere around 12-14 gigabytes deep into copying. At the moment of panic, there are still several gigabytes of storage left.
The problem is present for sure on these architectures and macOS versions:
Sonoma 14.7.1 arm64e
Monterey 12.7.5 arm64e
Ventura 13.7.1 intel
Part of the panic log from Ventura 13.7.1 intel, with symbolicated addresses:
panic(cpu 2 caller 0xffffff80191a191a): watchdog timeout: no checkins from watchdogd in 90 seconds (48 total checkins since monitoring last enabled)
Panicked task 0xffffff907c99f698: 191 threads: pid 0: kernel_task
Backtrace (CPU 2), panicked thread: 0xffffff86e359cb30, Frame : Return Address
0xffffffff001d7bb0 : 0xffffff8015e70c7d mach_kernel : _handle_debugger_trap + 0x4ad
0xffffffff001d7c00 : 0xffffff8015fc52e4 mach_kernel : _kdp_i386_trap + 0x114
0xffffffff001d7c40 : 0xffffff8015fb4df7 mach_kernel : _kernel_trap + 0x3b7
0xffffffff001d7c90 : 0xffffff8015e11971 mach_kernel : _return_from_trap + 0xc1
0xffffffff001d7cb0 : 0xffffff8015e70f5d mach_kernel : _DebuggerTrapWithState + 0x5d
0xffffffff001d7da0 : 0xffffff8015e70607 mach_kernel : _panic_trap_to_debugger + 0x1a7
0xffffffff001d7e00 : 0xffffff80165db9a3 mach_kernel : _panic_with_options + 0x89
0xffffffff001d7ef0 : 0xffffff80191a191a com.apple.driver.watchdog : IOWatchdog::userspacePanic(OSObject*, void*, IOExternalMethodArguments*) (.cold.1)
0xffffffff001d7f20 : 0xffffff80191a10a1 com.apple.driver.watchdog : IOWatchdog::checkWatchdog() + 0xd7
0xffffffff001d7f50 : 0xffffff80174f960b com.apple.driver.AppleSMC : SMCWatchDogTimer::watchdogThread() + 0xbb
0xffffffff001d7fa0 : 0xffffff8015e1119e mach_kernel : _call_continuation + 0x2e
Kernel Extensions in backtrace:
com.apple.driver.watchdog(1.0)[BD08CE2D-77F5-358C-8F0D-A570540A0BE7]@0xffffff801919f000->0xffffff80191a1fff
com.apple.driver.AppleSMC(3.1.9)[DD55DA6A-679A-3797-947C-0B50B7B5B659]@0xffffff80174e7000->0xffffff8017503fff
dependency: com.apple.driver.watchdog(1)[BD08CE2D-77F5-358C-8F0D-A570540A0BE7]@0xffffff801919f000->0xffffff80191a1fff
dependency: com.apple.iokit.IOACPIFamily(1.4)[D342E754-A422-3F44-BFFB-DEE93F6723BC]@0xffffff8018446000->0xffffff8018447fff
dependency: com.apple.iokit.IOPCIFamily(2.9)[481BF782-1F4B-3F54-A34A-CF12A822C40D]@0xffffff80188b6000->0xffffff80188e7fff
Process name corresponding to current thread (0xffffff86e359cb30): kernel_task
Boot args: keepsyms=1
Mac OS version:
22H221
Kernel version:
Darwin Kernel Version 22.6.0: Thu Sep 5 20:48:48 PDT 2024; root:xnu-8796.141.3.708.1~1/RELEASE_X86_64
The origin of the problem is surely inside my filesystem. However, the panic happens not there but somewhere in watchdog. As far as I can tell, the source code for watchdog is not available to the public.
I can't understand what causes the panic.
Let's say we have run out of space. Couldn't write data. Writing received a proper error message and aborted. That's what is expected.
However, it is unclear why the panic arises.
Is there a way to detect an incoming call with a React Native app? I have a fitness app and would like to pause the workout during the phone call.
When I set the options parameter to OSLogEnumeratorReverse, the iteration order of OSLogEnumerator is still from front to back in time.
When I set the options parameter to 0 and the position parameter to the first 5 seconds of the current time, OSLogEnumerator can still iterate over the previous 5 seconds.
#import "ViewController.h"
#import <OSLog/OSLog.h>

@interface ViewController ()
@property(strong, nonatomic)OSLogStore *logStore;
@property(strong, nonatomic)NSDateFormatter *formatter;
@end

@implementation ViewController

- (void)viewDidLoad {
    [super viewDidLoad];
    NSError *err = nil;
    self.logStore = [OSLogStore storeWithScope:OSLogStoreCurrentProcessIdentifier error:&err];
    if (!self.logStore || err) {
        NSLog(@"error: %@", err);
        NSAssert(0, @"");
    }
    self.formatter = [[NSDateFormatter alloc] init];
    [self.formatter setDateFormat:@"[yyyy-MM-dd HH:mm:ss:SSS]"];
}

- (IBAction)addLog:(id)sender {
    static int i = 0;
    NSLog(@"[test] %@ this is a log with index:%d", [self.formatter stringFromDate:[NSDate date]], i++);
}

- (IBAction)printLogWithReverse:(id)sender {
    NSError *err = nil;
    NSPredicate *preeicate = [NSPredicate predicateWithFormat:@"composedMessage contains %@" argumentArray:@[@"[test]"]];
    OSLogEnumerator *enumer = [self.logStore entriesEnumeratorWithOptions:OSLogEnumeratorReverse position:nil predicate:preeicate error:&err];
    if (err) {
        NSLog(@"enumer error:%@", err);
        NSAssert(0, @"");
    }
    OSLogEntryLog *entry = nil;
    while (entry = [enumer nextObject]) {
        NSString *message = [entry composedMessage];
        printf("log: %s\n", message.UTF8String);
    }
}

- (IBAction)printLogWithPosition:(id)sender {
    NSError *err = nil;
    NSPredicate *preeicate = [NSPredicate predicateWithFormat:@"composedMessage contains %@" argumentArray:@[@"[test]"]];
    NSDate *posDate = [NSDate dateWithTimeIntervalSinceNow:-5];
    OSLogPosition *pos = [self.logStore positionWithDate:posDate];
    OSLogEnumerator *enumer = [self.logStore entriesEnumeratorWithOptions:0 position:pos predicate:preeicate error:&err];
    if (err) {
        NSLog(@"enumer error:%@", err);
        NSAssert(0, @"");
    }
    const char *now = [self.formatter stringFromDate:[NSDate date]].UTF8String;
    const char *posStart = [self.formatter stringFromDate:posDate].UTF8String;
    OSLogEntryLog *entry = nil;
    while (entry = [enumer nextObject]) {
        NSString *message = [entry composedMessage];
        printf("log(now:%s, pos:%s): %s\n", now, posStart, message.UTF8String);
    }
}

@end

The output of the method - (IBAction)printLogWithReverse:(id)sender is not reversed by time:
log: [test] [2025-02-18 17:35:50:175] this is a log with index:0
log: [test] [2025-02-18 17:35:51:040] this is a log with index:1
log: [test] [2025-02-18 17:35:51:174] this is a log with index:2
log: [test] [2025-02-18 17:35:51:323] this is a log with index:3
log: [test] [2025-02-18 17:35:51:473] this is a log with index:4
log: [test] [2025-02-18 17:35:51:640] this is a log with index:5
log: [test] [2025-02-18 17:35:51:773] this is a log with index:6
log: [test] [2025-02-18 17:35:51:923] this is a log with index:7
The output of the method - (IBAction)printLogWithPosition:(id)sender should not contain the logs from 5 seconds ago, because I set the start time position in the position argument:
[test] [2025-02-18 17:43:58:741] this is a log with index:0
[test] [2025-02-18 17:43:58:940] this is a log with index:1
[test] [2025-02-18 17:43:59:458] this is a log with index:2
[test] [2025-02-18 17:43:59:923] this is a log with index:3
log(now:[2025-02-18 17:44:51:132], pos:[2025-02-18 17:44:46:032]): [test] [2025-02-18 17:43:58:741] this is a log with index:0
log(now:[2025-02-18 17:44:51:132], pos:[2025-02-18 17:44:46:032]): [test] [2025-02-18 17:43:58:940] this is a log with index:1
log(now:[2025-02-18 17:44:51:132], pos:[2025-02-18 17:44:46:032]): [test] [2025-02-18 17:43:59:458] this is a log with index:2
log(now:[2025-02-18 17:44:51:132], pos:[2025-02-18 17:44:46:032]): [test] [2025-02-18 17:43:59:923] this is a log with index:3
We built a time verification feature as part of our iPadOS/iOS app, where recording an accurate timestamp is a core feature of ours. We want to maintain integrity of recorded data, but our app must still be able to operate offline. To accomplish this, we established a baseline between the device's internal clock (CLOCK_MONOTONIC_RAW) and our servers via an initial network request. Once that baseline is established, we can reliably calculate the true time, or detect when a user may have tampered with their device's time, especially while offline.
Of course, this baseline falls apart after the device reboots. We have been using kern.bootsessionuuid locally to detect when a device has rebooted so we know to wipe the baseline and try to establish a new one.
Unfortunately (I'm sure due to issues with device fingerprinting), Apple has removed access to kern.bootsessionuuid in iOS 18, silently and without warning. This has compromised the integrity of our feature. https://developer.apple.com/documentation/ios-ipados-release-notes/ios-ipados-18-release-notes#Deprecations
Is there any other way that our app can detect or be notified that a device reboot has occurred?
Alternatively, Google has just provided a "TrustedTime" API that looks to do the heavy lifting for what we have been solving ourselves. Would it be possible for Apple to provide a similar API?
https://android-developers.googleblog.com/2025/02/trustedtime-api-introducing-reliable-approach-to-time-keeping-for-apps.html
We would appreciate any guidance here. Thanks!
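The baseline scheme described in the post above, as an added example that is not part of the original post or the poster's app. It goes slightly beyond the post by treating half the request round trip as the baseline's uncertainty; all type and function names are hypothetical, and the boot-session identifier is passed in as a string because how to obtain one is outside this sketch.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example: names are hypothetical; every time value is in milliseconds. */
typedef struct {
    bool    valid;
    int64_t server_ms;       /* server time taken from the response */
    int64_t mono_ms;         /* monotonic reading paired with server_ms */
    int64_t uncertainty_ms;  /* half the request round trip */
    char    boot_id[64];     /* boot-session identifier stored with the baseline */
} time_baseline;

typedef enum { TIME_OK, TIME_TAMPERED, TIME_NO_BASELINE } time_verdict;

/* Assumption: the server timestamp describes the midpoint of the request. */
time_baseline baseline_establish(int64_t mono_sent_ms, int64_t mono_recv_ms,
                                 int64_t server_ms, const char *boot_id)
{
    time_baseline b = {0};
    if (boot_id == NULL || strlen(boot_id) >= sizeof b.boot_id ||
        mono_recv_ms < mono_sent_ms)
        return b;                               /* stays invalid */
    int64_t rtt = mono_recv_ms - mono_sent_ms;
    b.server_ms = server_ms;
    b.mono_ms = mono_sent_ms + rtt / 2;
    b.uncertainty_ms = (rtt + 1) / 2;
    snprintf(b.boot_id, sizeof b.boot_id, "%s", boot_id);
    b.valid = true;
    return b;
}

/* The baseline only holds inside the boot session that produced it. */
bool baseline_usable(const time_baseline *b, int64_t mono_now_ms,
                     const char *boot_id_now)
{
    return b->valid && boot_id_now != NULL
        && strcmp(b->boot_id, boot_id_now) == 0
        && mono_now_ms >= b->mono_ms;   /* sanity check on the reading */
}

/* Offline estimate of the true time from the monotonic clock alone. */
bool trusted_now_ms(const time_baseline *b, int64_t mono_now_ms,
                    const char *boot_id_now, int64_t *out_ms)
{
    if (!baseline_usable(b, mono_now_ms, boot_id_now))
        return false;
    *out_ms = b->server_ms + (mono_now_ms - b->mono_ms);
    return true;
}

/* Compare the user-adjustable wall clock against the trusted estimate. */
time_verdict check_wall_clock(const time_baseline *b, int64_t mono_now_ms,
                              const char *boot_id_now, int64_t wall_now_ms,
                              int64_t slack_ms)
{
    int64_t trusted;
    if (!trusted_now_ms(b, mono_now_ms, boot_id_now, &trusted))
        return TIME_NO_BASELINE;
    int64_t diff = wall_now_ms > trusted ? wall_now_ms - trusted
                                         : trusted - wall_now_ms;
    return diff <= b->uncertainty_ms + slack_ms ? TIME_OK : TIME_TAMPERED;
}

int main(void)
{
    /* Constructed sample values, not real measurements. */
    time_baseline b = baseline_establish(1000, 1200, 1700000000000LL, "boot-A");
    int64_t t = 0;
    trusted_now_ms(&b, 61100, "boot-A", &t);
    printf("trusted=%lld\n", (long long)t);
    printf("honest=%d tampered=%d rebooted=%d\n",
           check_wall_clock(&b, 61100, "boot-A", 1700000060050LL, 500),
           check_wall_clock(&b, 61100, "boot-A", 1700003660000LL, 500),
           check_wall_clock(&b, 300, "boot-B", 1700000060050LL, 500));
    return 0;
}
```

A `TIME_NO_BASELINE` verdict is the state the post describes after a reboot: the recorded timestamp can only be flagged as unverified until a new baseline is fetched from the server.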
Hello,
We are developing a multimedia routing platform written in Rust that uses gstreamer 1.20. We are targeting Mac Minis (older Intel and newer M1/2/3/... w/ 8GB RAM) running macOS 14.6.1.
I have profiled memory usage using XCode instruments with the allocation tool, stack and heap memory is very stable once the pipelines are up and running.
There are between 50 to 100 incoming RTSP streams with multiple webrtc connections, so lots of network and memory bandwidth is being used.
However, we eventually see real memory usage increasing in Activity Monitor along with memory pressure increasing, but the heap/stack usage is constant in instruments, so we do not understand this behavior. Page fragmentation is a possibility, but have not been able to prove this with instruments.
Please see attached image. You can see that the 10-minute run had a total of approx 4.3 GB of allocations, but only 50.17MB persistent.
Eventually we see kernel panics in either userspace watchdog timeout: no successful checkins from WindowServer (2 induced crashes) in 120 second or apcie[2:lan-1gb]::handleCompletionTimeoutInterrupt: completion timeout which I believe are caused by high system load and the kernel becoming unresponsive while the kernel is doing page compressions. We tested running with je-malloc for a while, but the kernel panics still occur.
We have multiple kernel panic recordings available, but they are too large to upload here. We are also having multiple kernel panics per day while running this application.
Any suggestions on how to prevent these kernel panics? If the system is out of memory, shouldn't our application crash with an out-of-memory and the kernel should NOT panic?
Thanks,
Jeremy Prater