Post | Replies | Boosts | Views | Activity

Endpoint security extension installing but getting binary is improperly signed error
Hi, I have been trying to use the endpoint security extension. I am trying to build this through Xcode and the build is successful. But when I install it, the endpoint extension is throwing an error saying that the binary is improperly signed. I am doing this in a developer environment, SIP is off and developer mode is on. I am able to see the system extension present when I run systemextension list. The provisional profile also contains the necessary entitlements. Error seen in system.log:

removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Library/SystemExtensions/***
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Binary is improperly signed.
Service only ran for 0 seconds. Pushing respawn out by 10 seconds.

Replies: 5 | Boosts: 0 | Views: 1k | Activity: Mar ’21
Endpoint Security and Vnode_lookup
Hi, We have been using kauth_listen_scope KAUTH_SCOPE_VNODE. We are planning to start implementing endpoint security. Earlier, as a part of auth_allow, we were using certain parameters from the vnode structure to allow or deny an operation. What will be the alternative now in endpoint security? Or is it possible to have a kernel extension just to fetch the vnode of the file from the endpoint security application? Or is there a better way to proceed? Also, is it possible to have a kext and system extensions as part of the same application? Thanks

Replies: 3 | Boosts: 0 | Views: 888 | Activity: Mar ’21
Network Extension is not running
Hi All, I am trying to do a small POC using the network extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension and I am able to view the installed extension in systemextensionctl list. The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present in the device log which indicate that the extension is running. The last logs were:

Request to activate com.sample.xyz.NetworkExtension succeeded (0).
Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data

I added some debug logs and none of them were printed. I have all entitlements in my provisional profile, and if there was any code signing issue I guess it would have been present in system.log (at least I assume). Thanks in advance.

Replies: 6 | Boosts: 0 | Views: 2.4k | Activity: Apr ’21
Inbound Connections not getting identified as flow in Network Extension Content Filter
Hi all, I am trying to listen to all inbound connections. I had initially set the direction to inbound in the filter rule and I was not able to see any flow. Then I made the filter more generic so that I am able to receive connections irrespective of their direction. After this change I am only able to see flows of outward connections. This is my filter code:

import NetworkExtension

let anyHostAndPortRule = NENetworkRule(
    remoteNetwork: nil,
    remotePrefix: 0,
    localNetwork: nil,
    localPrefix: 0,
    protocol: .TCP,
    direction: .any
)
let filterRule = NEFilterRule(networkRule: anyHostAndPortRule, action: .filterData)
let filterSettings = NEFilterSettings(rules: [filterRule], defaultAction: .allow)

Are there any changes to be made to the above code? I am not able to see any inward flow. I tried setting up a server on a particular port; when I hit the endpoint I am not seeing any inward flow. Thanks in advance

Replies: 5 | Boosts: 0 | Views: 757 | Activity: Apr ’21
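An added example for the two content-filter posts above (the "extension is not running" one and this inbound-flow one); it is not the poster's code. It is a complete NEFilterDataProvider that applies the poster's generic TCP rule plus a second, explicitly inbound rule bound to the local listening port, and logs every new flow with its direction so that inbound and outbound flows can be told apart. The port 8080, the subsystem name and the drop policy are assumptions for illustration. Two practical points it relies on: os_log output goes to the unified log (read it with `log stream --predicate 'subsystem == "com.example.filter"'`), not to system.log, and the bundle must carry the com.apple.developer.networking.networkextension entitlement with the content-filter-provider value. Whether the extra inbound rule is what makes inbound flows appear is not something this thread establishes; it is the next thing to try.

```swift
import NetworkExtension
import os.log

// Added example, not from the original post. Assumes the extension is entitled
// as a content filter provider; port 8080 and the subsystem name are hypothetical.
final class FilterDataProvider: NEFilterDataProvider {
    private let log = OSLog(subsystem: "com.example.filter", category: "flows")
    private let listenerPort = "8080"

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Rule 1: all TCP in either direction (the generic rule from the post).
        let anyTCP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                   localNetwork: nil, localPrefix: 0,
                                   protocol: .TCP, direction: .any)
        // Rule 2: an explicit inbound rule whose local side is the listening port.
        let listener = NWHostEndpoint(hostname: "0.0.0.0", port: listenerPort)
        let inboundToListener = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                              localNetwork: listener, localPrefix: 0,
                                              protocol: .TCP, direction: .inbound)
        let settings = NEFilterSettings(
            rules: [NEFilterRule(networkRule: anyTCP, action: .filterData),
                    NEFilterRule(networkRule: inboundToListener, action: .filterData)],
            defaultAction: .allow)
        apply(settings) { error in
            if let error = error {
                // An apply() failure is the first thing to rule out when "nothing happens".
                os_log("apply failed: %{public}@", log: self.log, type: .error,
                       error.localizedDescription)
            }
            completionHandler(error)
        }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        guard let socketFlow = flow as? NEFilterSocketFlow else { return .allow() }
        // Log the direction explicitly so the unified log shows whether inbound
        // flows ever reach the provider at all.
        let direction = socketFlow.direction == .inbound ? "inbound" : "outbound"
        let remote = (socketFlow.remoteEndpoint as? NWHostEndpoint)
            .map { "\($0.hostname):\($0.port)" } ?? "?"
        let local = (socketFlow.localEndpoint as? NWHostEndpoint)
            .map { "\($0.hostname):\($0.port)" } ?? "?"
        os_log("%{public}@ proto=%d %{public}@ -> %{public}@ app=%{public}@",
               log: log, type: .info, direction, socketFlow.socketProtocol,
               remote, local, flow.sourceAppSigningIdentifier ?? "?")
        return verdict(for: socketFlow)
    }

    // Example policy (hypothetical): inbound TCP to the listener is only
    // accepted from localhost; everything else is allowed.
    private func verdict(for flow: NEFilterSocketFlow) -> NEFilterNewFlowVerdict {
        if flow.direction == .inbound,
           let local = flow.localEndpoint as? NWHostEndpoint, local.port == listenerPort,
           let remote = flow.remoteEndpoint as? NWHostEndpoint, remote.hostname != "127.0.0.1" {
            return .drop()
        }
        return .allow()
    }
}
```

The verdict is split into its own method so the policy can be unit-tested without a running provider; handleNewFlow only classifies and logs.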
Unable to unmount smb volumes which are watched by FinderSync
Hi all, I am using a Finder Sync extension to display icons on a given SMB-mounted volume. I am seeing that whenever FinderSync is watching a particular mounted volume and I try unmounting it, the unmount always fails. I had to restart the machine to make sure that the volume is gone. It is happening only to those volumes which are watched by the Finder Sync extension. The other volumes seem to work fine. I was thinking that the Finder Sync extension is not releasing the mounted volume, which may be why the volume is unable to unmount. Is there any way to remove the watch gracefully and to make sure the unmount works fine? Thanks in advance

Replies: 0 | Boosts: 0 | Views: 673 | Activity: Jun ’21
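An added example of the pattern the post is asking about, not the poster's code: a Finder Sync extension that watches a mounted share and removes that share from FIFinderSyncController.directoryURLs when NSWorkspace announces an unmount, so the extension is no longer observing the directory while the unmount proceeds. The mount point /Volumes/share and the badge are assumptions. Whether the will-unmount notification reaches the extension process early enough to let the unmount succeed is not established by this thread; the example shows how to drop the watch, which is the question asked.

```swift
import Cocoa
import FinderSync

// Added example, not from the original post. The mount point is hypothetical.
final class FinderSync: FIFinderSync {
    private let controller = FIFinderSyncController.default()
    private var unmountObserver: NSObjectProtocol?

    override init() {
        super.init()
        controller.setBadgeImage(NSImage(named: NSImage.statusAvailableName)!,
                                 label: "Synced", forBadgeIdentifier: "synced")
        controller.directoryURLs = [URL(fileURLWithPath: "/Volumes/share")]

        // Stop watching a volume as soon as the system says it is about to unmount.
        unmountObserver = NSWorkspace.shared.notificationCenter.addObserver(
            forName: NSWorkspace.willUnmountNotification, object: nil, queue: .main
        ) { [weak self] note in
            guard let self = self,
                  let volume = note.userInfo?[NSWorkspace.volumeURLUserInfoKey] as? URL
            else { return }
            self.stopWatching(volume: volume)
        }
    }

    deinit {
        if let observer = unmountObserver {
            NSWorkspace.shared.notificationCenter.removeObserver(observer)
        }
    }

    // Remove every watched directory that is the volume itself or lives below it.
    // The trailing-slash comparison keeps "/Volumes/share2" from matching "/Volumes/share".
    func stopWatching(volume: URL) {
        let root = volume.standardizedFileURL.path
        let remaining = controller.directoryURLs.filter { url -> Bool in
            let path = url.standardizedFileURL.path
            return !(path == root || path.hasPrefix(root + "/"))
        }
        controller.directoryURLs = remaining
    }

    override func beginObservingDirectory(at url: URL) { }
    override func endObservingDirectory(at url: URL) { }

    override func requestBadgeIdentifier(for url: URL) {
        // Example: every item on the watched share is shown as synced.
        controller.setBadgeIdentifier("synced", for: url)
    }
}
```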
Codesign does not set correct entitlements
Hi all, My project consists of a main application, an endpoint security extension and a FinderSync extension. When I try to build it in release mode, the FinderSync extension is getting built with the entitlements of the main app and not its own. I am not seeing this issue for endpoint security. I am signing using a "Developer ID Application" signing identity. When I look into the build logs I see that --entitlement is used in the codesign step and the file which is passed as the argument also has the correct entitlements. When I tried manually running the codesign command with the --entitlement flag, I am still unable to get the correct entitlements. Is there any difference in the way the codesigning happens for the system extension and FinderSync? What changes do I need to make in order to get the correct entitlements? Thanks in advance

Replies: 3 | Boosts: 0 | Views: 1.8k | Activity: Jun ’21
Endpoint security system extension crash
Hi all, I have been using the endpoint security system extension for some months now. Recently, when I checked the crash logs, I found that within an hour there were a lot of crashes reported. I am not able to make sense of the log. Here is the crash report:

Process:               com.test.xyz.EndpointSecurityExtension [2851]
Path:                  /Library/SystemExtensions/*/com.test.xyz.EndpointSecurityExtension
Identifier:            com.test.xyz.EndpointSecurityExtension
Version:               1.1.0 (4)
Code Type:             X86-64 (Native)
Parent Process:        launchd [1]
Responsible:           com.test.xyz.EndpointSecurityExtension [2851]
User ID:               0

Date/Time:             2021-09-01 11:50:57.698 +0530
OS Version:            macOS 11.5.2 (20G95)
Report Version:        12
Anonymous UUID:        0F843683-C812-EEE7-668E-2DCAADAE35B6
Sleep/Wake UUID:       C67D7ECA-22E6-451F-8766-CB2DCA3FC287

Time Awake Since Boot: 42000 seconds
Time Since Wake:       5500 seconds

System Integrity Protection: disabled

Crashed Thread:        1  Dispatch queue: BBReaderQueue

Exception Type:        EXC_BAD_INSTRUCTION (SIGILL)
Exception Codes:       0x0000000000000001, 0x0000000000000000
Exception Note:        EXC_CORPSE_NOTIFY

Termination Signal:    Illegal instruction: 4
Termination Reason:    Namespace SIGNAL, Code 0x4
Terminating Process:   exc handler [2851]

Thread 0:
0   libsystem_kernel.dylib                  0x00007fff20381b0a __sigsuspend_nocancel + 10
1   libdispatch.dylib                       0x00007fff202184e1 _dispatch_sigsuspend + 36
2   libdispatch.dylib                       0x00007fff202184bd _dispatch_sig_thread + 53

Thread 1 Crashed:: Dispatch queue: BBReaderQueue
0   com.test.xyz.EndpointSecurityExtension  0x00000001006b836e closure #1 in + 8270
1   com.test.xyz.EndpointSecurityExtension  0x00000001006b8627 thunk for @escaping @callee_guaranteed (@unowned OpaquePointer, @unowned UnsafePointer<es_message_t>) -> () + 23
2   libEndpointSecurity.dylib               0x00007fff2fe2f52b __es_new_client_with_config_block_invoke + 43
3   libEndpointSecurity.dylib               0x00007fff2fe2ff92 BBReader<ESMessageReaderConfig>::handleItems() + 130
4   libEndpointSecurity.dylib               0x00007fff2fe2fe41 BBReader<ESMessageReaderConfig>::woke(void*) + 17
5   libdispatch.dylib                       0x00007fff20207806 _dispatch_client_callout + 8
6   libdispatch.dylib                       0x00007fff2020a1b0 _dispatch_continuation_pop + 423
7   libdispatch.dylib                       0x00007fff2021a564 _dispatch_source_invoke + 2061
8   libdispatch.dylib                       0x00007fff2020d493 _dispatch_lane_serial_drain + 263
9   libdispatch.dylib                       0x00007fff2020e0e0 _dispatch_lane_invoke + 417
10  libdispatch.dylib                       0x00007fff2020f318 _dispatch_workloop_invoke + 1784
11  libdispatch.dylib                       0x00007fff20217c0d _dispatch_workloop_worker_thread + 811
12  libsystem_pthread.dylib                 0x00007fff203ae45d _pthread_wqthread + 314
13  libsystem_pthread.dylib                 0x00007fff203ad42f start_wqthread + 15

Thread 1 crashed with X86 Thread State (64-bit):
  rax: 0x0000000100743108  rbx: 0x0000000100743028  rcx: 0x0000000000000000  rdx: 0x00007fc6c07091c0
  rdi: 0x0000000000000000  rsi: 0x0000000100743370  rbp: 0x000070000cee8690  rsp: 0x000070000cee7ed0
   r8: 0x0000000000000515   r9: 0x0000000000000519  r10: 0x00000000fe1fffff  r11: 0x00007fc5bffc5e90
  r12: 0x000000020236c1a1  r13: 0x00000000000001f6  r14: 0x00000000000041ed  r15: 0x0000000000000026
  rip: 0x00000001006b836e  rfl: 0x0000000000010246  cr2: 0x0000000110b5492e

Logical CPU:     0
Error Code:      0x00000000
Trap Number:     6

Thread 1 instruction stream:
  8b 70 10 31 ff 31 d2 e8-d6 08 00 00 e9 45 fd ff  .p.1.1.......E..
  ff 4c 8d 2d ca 71 00 00-48 8b 05 c3 71 00 00 48  .L.-.q..H...q..H
  8b 70 10 48 ff c6 31 ff-ba 01 00 00 00 e8 b0 08  .p.H..1.........
  00 00 e9 af e7 ff ff 4c-8d 2d a4 71 00 00 bf 01  .......L.-.q....
  00 00 00 4c 89 fe ba 01-00 00 00 e8 92 08 00 00  ...L............
  48 8b 05 8b 71 00 00 e9-a9 e7 ff ff 0f 0b 0f 0b  H...q...........
 [0f]0b 0f 0b 66 2e 0f 1f-84 00 00 00 00 00 0f 1f  ....f...........	<==
  40 00 55 48 89 e5 41 57-41 56 41 55 41 54 53 48  @.UH..AWAVAUATSH
  83 ec 28 49 bc 13 00 00-00 00 00 00 d0 48 89 7d  ..(I.........H.}
  b0 48 89 75 b8 48 c7 45-c0 2f 25 40 00 48 b8 00  .H.u.H.E./%@.H..
  00 00 00 00 00 00 e3 48-89 45 c8 48 8d 3d 30 70  .......H.E.H.=0p
  00 00 e8 1b db ff ff 49-89 c7 be 48 00 00 00 ba  .......I...H....
  Thread 1 last branch register state not available.

It restarts again; sometimes it crashes again and sometimes it starts working normally. Any idea where I might have made a mistake? Because when I usually get crash reports it has the line, the function name and the file (e.g. main.swift) where I had made a mistake, but this is a bit confusing. Thanks in advance

Replies: 3 | Boosts: 0 | Views: 873 | Activity: Sep ’21
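Two things a practitioner would check against this report. The crashing frame is `closure #1 in` inside the extension's own binary, called from the es_new_client handler thunk, and the instruction at rip is `0f 0b` (ud2): on x86-64 that is how a Swift runtime trap (force-unwrapping nil, an out-of-range index, an integer overflow) presents, as EXC_BAD_INSTRUCTION / SIGILL with no source line when the build has no symbols. So the fault is in the handler closure's own logic rather than in libEndpointSecurity. The added example below, which is not the poster's code, shows the two handler rules most often behind such traps: read only the union member that matches event_type, and retain a message before using it outside the callback. It also answers the vnode question from the Mar ’21 post above in the same block: es_file_t already carries the path and a struct stat, which is the data a kauth vnode listener used to read off the vnode, and the auth decision is made from that. The subsystem, queue name, protected directory and policy are assumptions; the extension is assumed to hold the com.apple.developer.endpoint-security.client entitlement and to run as root.

```swift
import Foundation
import EndpointSecurity
import os.log

// Added example, not from the original posts. Subsystem, queue, directory and
// policy are hypothetical; the ES entitlement and root execution are assumed.
final class ESMonitor {
    private var client: OpaquePointer?
    private let log = OSLog(subsystem: "com.example.esmonitor", category: "events")
    private let work = DispatchQueue(label: "com.example.esmonitor.work")

    func start() -> Bool {
        var newClient: OpaquePointer?
        let result = es_new_client(&newClient) { [weak self] client, message in
            self?.handle(client: client, message: message)
        }
        guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let c = newClient else {
            // NOT_ENTITLED, NOT_PERMITTED (no TCC approval) and NOT_PRIVILEGED (not root)
            // are distinct codes; log the raw value rather than a generic "failed".
            os_log("es_new_client failed: %d", log: log, type: .error, result.rawValue)
            return false
        }
        client = c
        let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_NOTIFY_EXEC]
        guard es_subscribe(c, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
            os_log("es_subscribe failed", log: log, type: .error)
            return false
        }
        return true
    }

    private func handle(client: OpaquePointer, message: UnsafePointer<es_message_t>) {
        // `event` is a C union: only the member matching event_type is valid.
        switch message.pointee.event_type {
        case ES_EVENT_TYPE_AUTH_OPEN:
            let open = message.pointee.event.open
            let file = open.file.pointee
            let st = file.stat                      // what a kauth listener read off the vnode
            let path = Self.string(from: file.path)
            // Example policy (hypothetical): deny opens of root-owned, non-world-readable
            // files under a protected directory; authorise everything else as requested.
            let deny = st.st_uid == 0 && (st.st_mode & S_IROTH) == 0
                && path.hasPrefix("/Library/Protected/")
            let allowedFlags: UInt32 = deny ? 0 : UInt32(open.fflag)
            // AUTH_OPEN is answered with es_respond_flags_result, and it must be answered
            // before message.deadline or the client is killed for not responding.
            es_respond_flags_result(client, message, allowedFlags, false)
            if deny {
                os_log("denied open of %{public}@ (ino %llu)", log: log, type: .default,
                       path, st.st_ino)
            }

        case ES_EVENT_TYPE_NOTIFY_EXEC:
            // The message is only valid while this callback runs. Retain it before
            // handing it to another queue and release it when that work is done;
            // reading it later without the retain is a use-after-free.
            es_retain_message(message)
            work.async { [log] in
                defer { es_release_message(message) }
                let exe = message.pointee.event.exec.target.pointee.executable.pointee
                os_log("exec %{public}@", log: log, type: .info, Self.string(from: exe.path))
            }

        default:
            break
        }
    }

    // es_string_token_t is not NUL-terminated; copy exactly `length` bytes.
    private static func string(from token: es_string_token_t) -> String {
        guard let data = token.data, token.length > 0 else { return "" }
        return data.withMemoryRebound(to: UInt8.self, capacity: token.length) {
            String(decoding: UnsafeBufferPointer(start: $0, count: token.length), as: UTF8.self)
        }
    }
}
```

With symbols stripped, the next step on a report like the one above is to symbolicate against the matching dSYM so `closure #1 in` resolves to a line; until then the union-member and retain rules are the first things to audit in the handler.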
Upgrade of application creates a folder instead of app inside /Applications directory
Hi all, We are trying to upgrade our app to the next version. The problem we are facing is that instead of the new app replacing the old app in the Applications directory, a folder of the same name is getting created and the app is placed inside that. So if my app name is xyz.app, we are seeing a folder xyz.localized inside the Applications folder with the new xyz.app placed inside it, while the old one remains where it was. I suspect this is happening because we had to modify our bundle ID, and that is why it is not treating it as the same app. Is there any way I could do this without uninstalling the app? This app is not published in the App Store. I even tried adding some code in the preinstall script to uninstall the app and I still see that the folder is getting created inside the Applications directory. Will adding some code to the postinstall script that moves the app from the xyz.localized directory to the Applications directory help?

Replies: 3 | Boosts: 0 | Views: 724 | Activity: Sep ’21