I'm trying to mix a content filter and Endpoint Security in one system extension, but I get the error below when the program invokes es_new_client (it returned ES_NEW_CLIENT_RESULT_ERR_INTERNAL).
Failed to open services: 0xe00002e2: Caller was denied connecting to the ES subsystem, possibly due to a sandbox violation.
How can I solve this error while keeping the two functionalities in one system extension?
Or do I have to separate them?
Hi, all.
I subscribe to the AUTH_SIGNAL event with ESF,
and test whether it can prevent Activity Monitor from killing the processes in the list below.
I can stop "Force Quit" (sigkill) for all five processes, but "Quit" (sigterm?)
only for four processes, all except "Typora".
I'm pretty sure that I didn't get a signal event when I used Activity Monitor to "Quit" Typora.
How does Activity Monitor "Quit" "Typora"?
It looks like Activity Monitor "Quit"s the app process in a different way (not by sending a signal).
Hi all,
I wrote my tool app using ObjC++ and found some problems while messing with "locale". Here are the problems:
I invoke a C++ function,
std::string ws2s(const std::wstring& ws)
{
if (ws.empty())
return "";
NSLog(@"%s %s", setlocale(LC_ALL, NULL), std::locale().name().c_str());
...
The output is "C C", and I tried to set the locale to "zh_CN.UTF8", but it's still "C".
Another is an ObjC class method:
+ (NSString*)getNSStrFromWCharStr:(const wchar_t*)wcstr {
if (wcstr == NULL) return nil;
char *curLocale = setlocale(LC_ALL, NULL);
...
This time, curLocale is the same as the system default: "zh_CN.UTF8".
I tried to set the locale in the main function; the first call succeeded, the second made the process crash.
setlocale(LC_ALL, "zh_CN.UTF-8");
std::locale::global(std::locale("zh_CN.UTF8"));
Crash info: libc++abi: terminating due to uncaught exception of type std::runtime_error: collate_byname::collate_byname failed to construct for zh_CN.UTF8
After all this, it's OK to handle CN characters with C and ObjC, but it's not OK with C++. I'm confused; I don't know much about 'locale'. I thought it was a per-process setting, now it seems to be a per-language setting...
OS version: macOS 14.4; the system default locale is "zh_CN.UTF8".
Background info:
I dispatch an async task to the main queue in an es_handler_block_t (the client subscribes to open, create, exit and close events and mutes all processes except DesktopServicesHelper). The crash happened kind of randomly. It is most likely to happen when I copy a folder (containing a lot of files) from one volume to another volume.
Here's the crashed part of the diagnostic report.
Thread 9 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x18c6e2a60 __pthread_kill + 8
1 libsystem_pthread.dylib 0x18c71ac20 pthread_kill + 288
2 libsystem_c.dylib 0x18c627a20 abort + 180
3 libc++abi.dylib 0x18c6d1d30 abort_message + 132
4 libc++abi.dylib 0x18c6c1fe8 demangling_terminate_handler() + 348
5 libobjc.A.dylib 0x18c3601d0 _objc_terminate() + 144
6 libc++abi.dylib 0x18c6d10f4 std::__terminate(void (*)()) + 16
7 libc++abi.dylib 0x18c6d1098 std::terminate() + 108
8 libdispatch.dylib 0x18c56a3fc _dispatch_client_callout + 40
9 libdispatch.dylib 0x18c571a14 _dispatch_lane_serial_drain + 748
10 libdispatch.dylib 0x18c572578 _dispatch_lane_invoke + 432
11 libdispatch.dylib 0x18c57bea8 _dispatch_root_queue_drain + 392
12 libdispatch.dylib 0x18c57c6b8 _dispatch_worker_thread2 + 156
13 libsystem_pthread.dylib 0x18c716fd0 _pthread_wqthread + 228
14 libsystem_pthread.dylib 0x18c715d28 start_wqthread + 8
Hi!
I know an Endpoint Security sysext with the earlyboot property key enabled will run before all other applications run while the system is booting.
Presume all of this is done before the earlyboot timeout: the sysext runs its host app, the host app notifies the sysext to subscribe to some events through XPC, then other apps start running.
Though this whole process seems to violate "sysext runs before all other applications run"... I still wonder, is this possible?
Hi, all!
My plan here:
an app, an app-like daemon inside the app, a system extension inside the app-like daemon;
grant the system extension installation entitlement to the daemon and embed a relevant provisioning profile in it.
The user runs the app, the app runs the daemon, the daemon installs the extension.
Is it doable?
Hi all.
I subscribe to the notify write event. Every time I receive a notify write event message, I send log data and a reply block (didn't do nothing) to the host app with an async method (ObjC XPC API). The host app replies immediately once it receives data. After a while my sysext crashed; then I checked the system log and found the log below.
launchd: exited with exit reason (namespace: 30 code: 0xc40000000004aaaa) - (unknown reason)
Is it because of exceeding the maximum limit of XPC's block queue length, or too many memory allocations, or...
By the way, the host app didn't crash.
How did this happen exactly? How could I solve it?
I'd like to set up a local app proxy server to resolve content in mail protocols with SSL/TLS.
Using a VPN (App Proxy Provider only supports HTTP?) to tunnel mail protocol flows to the proxy server seems impracticable.
System configuration only supports HTTP and FTP?
Is there a way to set a mail protocols proxy at the system level?
Or is there a way to route all transport layer flows (not only a particular application layer protocol) to a proxy server?
Hi, all.
readBytes: An NSData object containing the data to filter. For non-UDP/TCP flows, since the data may optionally include the IP header, readBytes includes a 4-byte NEFilterDataAttribute field preceding the user data. Your handler must examine the NEFilterDataAttribute field and handle the data accordingly.
The param above is in the method handleInboundDataFromFlow:readBytesStartOffset:readBytes:
I assume it contains a 4-byte NEFilterDataAttribute field preceding the user data all the time.
Is it normal that I get NEFilterDataAttribute: 1099782776645 (and some other very big numbers)?
const NEFilterDataAttribute* dataAttr = readBytes.bytes;
NSLog(@"NEFilterDataAttribute: %ld",*dataAttr);
And after the initial 4 bytes, if the offset param is 0, can I assume that UDP/TCP or IP packet headers can be extracted from the data?
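The documentation text quoted in the post above describes a 4-byte field in front of the user data. The following C sketch is an added example, not code from the post or from Apple: it splits such a buffer with a bounds check and shows what an 8-byte load of the same bytes returns. The names `split_filter_data`, `wide_read` and `make_sample` are hypothetical, and the flag value and host byte order of the field are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Local stand-in for the framework flag NEFilterDataAttributeHasIPHeader
   (value 0x1 is an assumption taken from the SDK header). */
#define ATTR_HAS_IP_HEADER 0x00000001u
#define ATTR_FIELD_LEN 4u

typedef struct {
    uint32_t attr;           /* the 4-byte attribute field */
    const uint8_t *payload;  /* first byte after the field */
    size_t payload_len;
    int has_ip_header;
} filter_data;

/* Split a readBytes-style buffer into attribute field and user data.
   Returns -1 if too short. Assumption: field is in host byte order. */
int split_filter_data(const void *bytes, size_t len, filter_data *out)
{
    if (bytes == NULL || out == NULL || len < ATTR_FIELD_LEN)
        return -1;
    memcpy(&out->attr, bytes, ATTR_FIELD_LEN);  /* exactly 4 bytes */
    out->payload = (const uint8_t *)bytes + ATTR_FIELD_LEN;
    out->payload_len = len - ATTR_FIELD_LEN;
    out->has_ip_header = (out->attr & ATTR_HAS_IP_HEADER) != 0;
    return 0;
}

/* An 8-byte load of the same buffer (NSInteger is 64-bit on macOS)
   returns the field merged with the first 4 bytes of user data. */
int64_t wide_read(const void *bytes, size_t len)
{
    int64_t v = 0;
    if (bytes != NULL && len >= sizeof v)
        memcpy(&v, bytes, sizeof v);
    return v;
}

/* Constructed sample: attribute field = 1, then the start of a
   constructed IPv4 header (0x45 = version 4, IHL 5). */
size_t make_sample(uint8_t *buf, size_t cap)
{
    const uint32_t attr = ATTR_HAS_IP_HEADER;
    const uint8_t ip[] = { 0x45, 0x00, 0x00, 0x1c, 0x00, 0x00, 0x40, 0x00 };
    if (cap < sizeof attr + sizeof ip)
        return 0;
    memcpy(buf, &attr, sizeof attr);
    memcpy(buf + sizeof attr, ip, sizeof ip);
    return sizeof attr + sizeof ip;
}
```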
New to Apple, macOS, SystemExtensions.
I don't see anything about my topic in the system extensions documentation.
Should I use XPC?
Or do we have a better way here?