Post

Replies

Boosts

Views

Activity

EndpointSecurity System Extension is crashing in macOS Sonoma
Hi All,

We have an Endpoint Security System Extension. We are facing an issue in macOS Sonoma only, where we have found that the open() API is not returning any response when we try to open files, and the OS is killing/crashing the extension. We found the lines below for our extension in the log stream:

error 12:50:51.093673+0530 tccd Failed to create LSApplicationRecord for file:///Library/SystemExtensions/3378971F-D41D-4230-A887-E0DC0F61E98D/com.*.sysextcontainer.onlineext.systemextension/: 'The operation couldn’t be completed. (OSStatus error -10811.)'

It seems that internally some access is removed by Apple on booting; however, we can still see that our extension has Full Disk Access in System Settings. We have installed the new macOS Sequoia Public beta 24A5289h and the above issue is not observed there. The issue is also not seen in previous OS versions (Big Sur, Monterey, Ventura) and is seen only in Sonoma. We have already filed a Feedback: FB13806349 ...

Thanks & Regards, Mohmad Vasim
1
0
525
Jul ’24
EndPointSecurity system extension crashing due to deadline
Hi,

Greetings of the day! I would like to get help to avoid the Endpoint Security System Extension crash due to the reason below:

Termination Reason: Namespace ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline

We have subscribed to a couple of events, and for AUTH-related events we are receiving a deadline of 14 seconds in Sonoma. To avoid the above issue we have implemented a queue to provide the verdict within the deadline and avoid the OS killing our extension; however, sometimes we observe that we are getting a crash with the message below:

Termination Reason: Namespace ENDPOINTSECURITY, Code 2 EndpointSecurity client terminated because it failed to respond to a message before its deadline
**Dispatch Thread Soft Limit Reached: 64** (too many dispatch threads blocked in synchronous operations)

There is no GCD API to check whether a queue has reached the soft limit, so we need help here to know or check whether the queue has reached the soft limit of 64. If we can check the above, then we should avoid adding new tasks to it until it is free to accept tasks.

And for NOTIFY_CLOSE, we are getting a big value in seconds as the deadline; we are adding all the processing of NOTIFY_CLOSE with dispatch_async, however we are still receiving the crash.

Here is the code for AUTH_OPEN:

```objc
dispatch_queue_t gNotifyCloseQueue = dispatch_queue_create(
    "com.example.notify_close_queue",
    dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL, QOS_CLASS_UTILITY, 0));
dispatch_queue_t gAuthOpenQueue = dispatch_queue_create(
    "com.example.auth_open_queue",
    dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL, QOS_CLASS_USER_INTERACTIVE, 0));

BOOL AuthOpenEventHandler(es_message_t *pesMsg)
{
    // Some Processing we are doing here like Calculate the deadline in seconds etc.
    // and we are receiving 14 seconds in Sonoma
    // deadline - 14 seconds
    if ( deadlineInSeconds < 10 )
    {
        dispatch_time_t triggerTime = dispatch_time(pesMsg->deadline, (int64_t)(-1 * NSEC_PER_SEC));
        __block es_message_t *pesTempMsg;
        pesTempMsg = es_copy_message(pesMsg);
        dispatch_after(triggerTime, gAuthOpenQueue, ^{
            if (pesTempMsg != NULL)
            {
                esRespondRes = es_respond_flags_result(pesClt,pesMsg,pesMsg->event.open.fflag,false);
                if(ES_RESPOND_RESULT_SUCCESS != esRespondRes)
                {
                    es_free_message(pesTempMsg);
                    return;
                }
                if (pesTempMsg != NULL)
                {
                    es_free_message(pesTempMsg);
                }
            }
            return;
        });
    }

    // Some Processing we are doing here to provide verdict and we are making sure that within 11 seconds we are setting the verdict
    // we are setting iRetFlag here based on verdict
    if (NULL != pesMsg)
    {
        esRespondRes = es_respond_flags_result(pesClt,pesMsg,iRetFlag,false);
        if(ES_RESPOND_RESULT_SUCCESS != esRespondRes)
        {
            es_free_message(pesMsg);
            return FALSE;
        }
    }
    return TRUE;
}
```

Here is the code for NOTIFY_CLOSE:

```objc
BOOL NotifyEventHandler(es_message_t *pesMessage)
{
    if (pesMessage->event_type == ES_EVENT_TYPE_NOTIFY_CLOSE && YES == pesMessage->event.close.modified)
    {
        __block es_message_t *pesTempMsg;
        pesTempMsg = es_copy_message(pesMessage);
        dispatch_async(gNotifyCloseQueue, ^{
            // Performing Some processing on es_message_t
            if (pesTempMsg != NULL)
            {
                es_free_message(pesTempMsg);
            }
        });
        if (pesMessage != NULL)
        {
            es_free_message(pesMessage);
        }
    }
    else
    {
        es_free_message(pesMessage);
    }
    return TRUE;
}
```

It would be helpful if someone could help us identify what we are doing wrong in the above code and how to address/solve those problems (a code snippet would be helpful) to avoid all possible crashes. ...

Thanks & Regards, Mohamed Vasim
1
0
601
Jul ’24
Getting error OSSystemExtensionErrorDomain error 1 (OSSystemExtensionErrorUnknown)
Hi,

We would like to know the possible reasons why my container app's OSSystemExtensionRequestDelegate is generating this error while trying to activate Endpoint Security extensions, and how we can address those cases so that we can solve this. I have verified that the container app along with the extensions are code signed and have entitlements. I am using Xcode 11.3.1 and macOS Catalina 10.15.3 (SIP disabled).

Thanks & Regards, Mohmad Vasim
2
0
1.6k
Sep ’20
Intermittently browser is getting disconnected with NetworkExtension
Hi,

Greetings for the day! We would like to update you that we have created a Content Filter NetworkExtension, and this extension works fine up to Big Sur on M1; however, we are facing a strange problem on M1 Monterey. Intermittently, when we try to browse websites, the browser does not respond, and after 3-5 minutes it opens the websites correctly.

Our subclass overrides handleNewFlow, handleInboundDataFromFlow, handleOutboundDataFromFlow, handleInboundDataCompleteForFlow and handleOutboundDataCompleteForFlow. In all these methods we first check whether the NEFilterFlow is nil or not and then return pauseVerdict, and once the asynchronous methods complete execution we call resumeFlow with the verdict (allowVerdict/dropVerdict).

When the above-mentioned issue occurred, we collected the console streaming log and found these lines in the logs (not from our application):

Ignoring resume command for flow 3c8faf3c4a9f7 which does not exist
Ignoring resume command for flow 3c90795d4d6f9 which does not exist
Ignoring resume command for flow 3c9086d1ede69 which does not exist
Ignoring resume command for flow 3c909b251d53b which does not exist

We are not sure how the above lines get printed, because we don’t have these logs in our source code, so we need your help to understand this problem and its resolution so that we can solve this issue.

We have a couple of extra queries:

- What is the flow mentioned in the above logs in bold text? Is it the NEFilterFlow's identifier or something else?
- How can we validate whether the NEFilterFlow is valid or not before calling resumeFlow?
- Why is the above line, which says the flow does not exist, getting printed in the log? Is there any timeout maintained by NetworkExtension?
- We are using XPC for interprocess communication, so our question is: does NetworkExtension/XPC maintain a queue size, and if it overflows that size, is the above line printed? If this is the case, then how can we handle that?
- Is it a known issue in the NetworkExtension framework itself on M1 Monterey?

Thanks & Regards, Mohmad Vasim
13
0
2.4k
Apr ’22
nw_connection_receive / nw_connection_send is not working as we expect
Hi All,

We are trying to build a demo tool by using the Network framework API. Here is the code in Objective-C:

```objc
//
//  main.m
//
#import <Foundation/Foundation.h>
#import <Network/Network.h>

char *hostname = "";
char *port = "";
nw_connection_t serverConnection;

void stopConn()
{
    nw_connection_cancel(serverConnection);
}

void connectionDidEnd(NSError *error)
{
    NSLog(@"connectionDidEnd: %@", [error localizedDescription]);
    stopConn();
}

void connectionDidFail(NSError *error)
{
    NSLog(@"connectionDidFail: %@", [error localizedDescription]);
    stopConn();
}

void connectionReady(nw_connection_t connection)
{
    NSString *data = @"somedata";
    NSData *rawData = [data dataUsingEncoding:NSUTF8StringEncoding];
    nw_connection_send(connection, (dispatch_data_t _Nonnull)rawData, NW_CONNECTION_DEFAULT_MESSAGE_CONTEXT, FALSE, ^(nw_error_t  _Nullable error)
    {
        if (error != NULL)
        {
            NSLog(@"connection did send Failed.");
            connectionDidFail((NSError*)error);
            return;
        }
        NSLog(@"connection did send, data: %@",[[NSString alloc] initWithData:rawData encoding:NSUTF8StringEncoding]);
    });
}

void setupReceive(nw_connection_t connection)
{
    nw_connection_receive(connection, 1, 65536, ^(dispatch_data_t  _Nullable content, nw_content_context_t  _Nullable context, bool is_complete, nw_error_t  _Nullable error) {
        nw_retain(context);
        if (content != NULL)
        {
            NSString *data = [[NSString alloc] initWithData:(NSData*)content encoding:NSUTF8StringEncoding];
            NSLog(@"setupReceive: Receive Data = %@",data);
        }
        if (is_complete) {
            connectionDidEnd((NSError*)error);
        } else if (error != NULL) {
            connectionDidFail((NSError*)error);
        } else {
            setupReceive(connection);
        }
    });
}

int main(int argc, const char * argv[])
{
    @autoreleasepool {
        nw_endpoint_t endpoint = nw_endpoint_create_host(hostname, port);
        serverConnection = nw_connection_create(endpoint, nw_parameters_create_secure_tcp(NW_PARAMETERS_DEFAULT_CONFIGURATION, NW_PARAMETERS_DEFAULT_CONFIGURATION));
        nw_retain(serverConnection);
        nw_connection_set_queue(serverConnection, dispatch_get_main_queue());
        nw_connection_set_state_changed_handler(serverConnection, ^(nw_connection_state_t state, nw_error_t  _Nullable error) {
            switch (state) {
                case nw_connection_state_invalid:
                    NSLog(@"Invalid");
                    break;
                case nw_connection_state_waiting:
                    NSLog(@"waiting");
                    break;
                case nw_connection_state_preparing:
                    NSLog(@"Preparing");
                    break;
                case nw_connection_state_ready:
                    NSLog(@"Client connection ready");
                    connectionReady(serverConnection);
                    break;
                case nw_connection_state_failed:
                    NSLog(@"FAILED...");
                    connectionDidFail((NSError*)error);
                    break;
                case nw_connection_state_cancelled:
                    connectionDidEnd((NSError*)error);
                    NSLog(@"connection cancelled");
                    break;
                default:
                    NSLog(@"Unknown State = %d",state);
                    break;
            }
        });
        setupReceive(serverConnection);
        nw_connection_start(serverConnection);
        dispatch_main();
    }
    return 0;
}
```

The above code is not able to send a command to the server and we always receive the error below:

nw_protocol_boringssl_write_frames_block_invoke(892) [C1:1][0x1040682a0] Failed to allocate buffer for external data

Please let us know if we are doing anything wrong here.

Thanks & Regards, Mohmad Vasim
11
0
2.3k
Aug ’22
How to enable Connection Doctor in Mail application before adding account in it
Hi,

We would like to know if there is any way to enable Connection Doctor logs before adding any account to the Mail application. The Mail application's "Connection Doctor" menu is only visible after successfully adding an account. Or, if there is any way to capture the Mail application connection logs, it would be appreciated. I have tried the command below; however, it does not show the connection logs, it is logging some Core Data related stuff.

System/Applications/Mail.app/Contents/MacOS/Mail -LogActivityOnPort 110

Thanks & Regards, Mohmad Vasim
0
0
462
Aug ’22
SSLRead generating errSSLDecryptionFail when performing SSL POP3 RETR command
Hi,

We are new to implementing SSL POP3 communication using port 995. We have installed HMailServer, created an account, and are trying to communicate through POP3 SSL. We have used the Security framework API to make the client and server handshake, and after that we issue the CAPA, USER, PASS, STAT and LIST commands, and once we get the list of messages with sizes, we initiate RETR 1, 2 ....

The RETR command sometimes fails randomly on certain emails, giving the error errSSLDecryptionFail. Sometimes RETR 1 is processed correctly, and when we try to fetch RETR 2, SSLRead generates the error errSSLDecryptionFail.

As per the error description, errSSLDecryptionFail: invalid data coming from the remote host, a damaged crypto key, or insufficient permission to use a key that is stored in the keychain. We would like to know how to verify the above error conditions to identify the issue.

I would like to add that when it makes the handshake again, RETR 2 succeeds at that time, but another RETR fails with the same error (another RETR meaning RETR 5 etc.).

So please help us to know how we can identify the root cause and how we can fix it. Is there any sample that we can use to identify the issue and solve it?

Thanks & Regards, Mohmad Vasim
5
0
1.4k
Jul ’22
SystemExtension is not getting activated - OSSystemExtensionErrorCodeSignatureInvalid = 8
Hi,

Greetings for the day. We would like to update you that we have started facing a strange problem in macOS Monterey 12.4 (M1 & Intel) where our system extension is not getting activated; we are getting the error below:

OSSystemExtensionErrorCodeSignatureInvalid = 8

However, I would like to update you that the same build is working on other Mac systems without any error. We have checked the code signing and notarisation of our system extension container app and found it is code signed and notarised too.

/Applications/*.app: accepted source=Notarized Developer ID

We would request you to please help us to know why this is getting triggered and how we can resolve it.

Thanks & Regards, Mohmad Vasim
3
0
1.3k
Jul ’22
IOStorageFamily in DriverKit
Hi,

I would like to update that we have a kext that has IOStorageFamily in OSBundleLibraries. I would like to know whether we can create a DriverKit driver that supports this family and embed it in a SystemExtension for deployment. We also have another kext that has a combination of IOStorageFamily and IOUSBFamily in OSBundleLibraries. Please let me know whether such a type of kext can be converted into DriverKit.

I am new to DriverKit development. Please let us know if there is any sample that has these bundles in DriverKit so that I can check. Please also let us know, if these are supported with DriverKit, what capabilities we need to add in the entitlement request so that it can get approved.

Thanks & Regards, Mohmad Vasim
0
0
931
Jul ’21
Files are getting attached when we open gmail.com in Safari app
Hi,

I am trying to create a system extension, and using that I need to block certain file types (pdf etc.) from getting attached in the Safari application. For this, I have created an endpoint client and subscribed to ES_EVENT_TYPE_AUTH_OPEN events, and in the handler I am checking for the certain file types and trying to block those files from being attached in the Safari application (gmail.com) by providing the verdict using es_respond_flags_result.

However, I can see that there is no ES_EVENT_TYPE_AUTH_OPEN event triggered in the case of Safari when we open gmail.com and try to attach the file. In the case of Chrome, ES_EVENT_TYPE_AUTH_OPEN events are triggered when we open gmail.com and try to attach the files, and we are able to provide a verdict for Chrome. But if we drag and drop a file in the Safari browser, then we get ES_EVENT_TYPE_AUTH_OPEN and are able to provide verdicts.

I need your help to know whether I am following the correct steps to block those file types in the Safari application (gmail.com attachment), or whether there is any other way to achieve the desired functionality, or whether it is a bug in the Safari application, as it is not working with the Endpoint Security API in the specified scenario. Your early help will be appreciated.

Thanks & Regards, Mohmad Vasim
0
0
815
Apr ’21
Files are getting attached with zero size in Mail Application even files are blocked by Endpoint Client
Hi,

I am trying to create a system extension, and with the help of that I need to block certain file types (pdf etc.) from getting attached in the Mail application while composing an email. For this, I have created an endpoint client and subscribed to the ES_EVENT_TYPE_AUTH_OPEN event, and in the handler I am checking for the certain file types and trying to block those files from being attached in the Mail application by providing the verdict using es_respond_flags_result.

However, I can see that the file types are blocked (because it is sent as a 0-byte file), but at the same time the file is getting attached in the Mail application and I can send the email with the file attached. Once I receive the email and try to open the attachment, it is not able to open the file. It says “The file “SamplePdf.pdf” could not be opened because it is empty.”

I need your help to know whether I am following the correct steps to block those file types in the Mail application, or whether there is any other way to achieve the desired functionality, or whether it is a bug in the Mail application, as it is not working with the Endpoint Security API's verdict. Your early help will be appreciated.

Thanks & Regards, Mohmad Vasim
2
0
992
Dec ’20
ES_EVENT_TYPE_NOTIFY_CREATE event for new zip file creation
Hi,

I am implementing a feature to detect whenever a new zip file is created in a folder with the EndpointSecurity API event ES_EVENT_TYPE_NOTIFY_CREATE; however, this event is not triggered when we compress a folder into a "zip" file. It is captured in ES_EVENT_TYPE_NOTIFY_OPEN, but that is also triggered when we just select any existing zip file, so we cannot distinguish between new and existing files if I use ES_EVENT_TYPE_NOTIFY_OPEN.

Let's say I have a folder "test" and inside it there are several files, and we compress the folder "test" using mouse right click >> Compress "test". It will create "test.zip" in the same directory where the "test" folder resides. The test.zip file is a new file created by compression, so it should be captured with ES_EVENT_TYPE_NOTIFY_CREATE.

Please help me to detect the zip file creation event with the Endpoint Security API. Any sample or reference would be helpful.
2
0
1k
Oct ’20
How to enable sandboxing in framework
Hi,

I have created a macOS framework using Xcode 11.4.1 with Swift and would like to enable sandboxing in the framework; however, Xcode is saying that Capabilities are not supported for "*". Please see the screenshot below for more information.

Please let me know whether my framework is store compatible with regards to sandboxing, and if not, how I can enable sandboxing in the framework (the framework uses CoreWLAN, Security and System Configuration framework APIs).

Or must the macOS application which is going to integrate my framework have sandboxing enabled for App Store compatibility?

...

Thanks & Regards, Mohmad Vasim
1
0
1.1k
Apr ’20
Check if normal website links maps to the Apple.news article/feed
Hi,

I am creating a macOS application for checking whether a website URL is associated with an Apple News URL. Is there any way to understand whether any webpage link is published to Apple News, and if published, how to get the Apple News link?

There is a way to get the original website URL from an Apple News link by loading the Apple News URL through URLSession, parsing the HTML contents and retrieving the "redirectToUrlAfterTimeout" value, and this link we can open in a browser to view the same contents.

However, I would like to know whether there is any way (code or framework) that will help me to get the Apple News URL from the original website URL.

...

Thanks & Regards, Mohmad Vasim
0
0
624
Feb ’20
Can we execute arp command through Process class in swift
I would like to execute the (arp -a) command to get the IP address and MAC address of all connected devices, and I did so by using the Process class in Swift; however, I would like to check whether that app will be store compatible.

Another query related to the same concern: will our app be accepted by the Apple Store (will it be store compatible) if it executes other commands to utilize the output in our macOS app?
0
0
1k
Feb ’20