Post

Replies

Boosts

Views

Activity

Endpoint security: Process environment variable crash
I'm attempting to extract the environment variables from an es_event_exec_t using the provided es_exec_env() function, but when I attempt to do this for certain processes my security extension seems to crash: Code Type: ARM-64 (Native) Parent Process: launchd [1] User ID: 0 OS Version: macOS 13.1 (22C65) System Integrity Protection: disabled Crashed Thread: 0 Dispatch queue: BBReaderQueue Exception Type: EXC_CRASH (SIGABRT) Exception Codes: 0x0000000000000000, 0x0000000000000000 Thread 0 Crashed:: Dispatch queue: BBReaderQueue 0 libsystem_kernel.dylib 0x1938961b0 __pthread_kill + 8 1 libsystem_pthread.dylib 0x1938cccec pthread_kill + 288 2 libsystem_c.dylib 0x1938062c8 abort + 180 3 libsystem_c.dylib 0x193805620 __assert_rtn + 272 4 libEndpointSecurity.dylib 0x1a5518078 es_exec_env.cold.1 + 44 5 libEndpointSecurity.dylib 0x1a5515bf4 es_exec_env + 48 6 ESFramework 0x1015b443c parseExecEnvVars(event:) + 3084 (ExecEvent.swift:172) Any ideas on what might be going wrong or where I might be able to start? I'm able to reproduce the problem by executing iTerm2.app which kicks off iTermServer-3.4.19 causing the crash. Here's the basic program flow: Receive incoming es_message_t and if it's an exec event Create a new struct to model the exec event: public struct ExecEvent: Identifiable, Codable, Hashable { public var id: UUID = UUID() public var process_path, env_variables: String? init(fromRawEvent rawEvent: UnsafePointer<es_message_t>) { es_retain_message(rawEvent) var execEvent: es_event_exec_t = rawEvent.pointee.event.exec self.process_path = String(cString: execEvent.target.pointee.executable.pointee.path.data) // MARK: Parse environment variables. Crashes for certain procs like `iTermServer-3.4.19`. self.env_variables = parseExecEnvVars(event: &execEvent) es_release_message(rawEvent) } } To grab the environment variables public func parseExecEnvVars(event: inout es_event_exec_t) -> String { let numberOfVars: Int = Int(es_exec_arg_count(&event)) let procPath: String = String(cString: event.target.pointee.executable.pointee.path.data) os_log("Path: \(procPath) --> has \(numberOfVars) env vars") var envVars: [String] = [] for index in 0..<numberOfVars { let envVarVar: String = String(cString: es_exec_env(&event, UInt32(index)).data) os_log("#\(index): \(envVarVar)") envVars.append(envVarVar) } return envVars.joined(separator: "\n") }
1
0
911
Jan ’23
Not receiving ES notification for inflated files
I would have thought ES would emit an es_event_create_t for files being created as a result of inflating an archive in the Downloads folder. A good test for this would be to: Download Visual Studio Code (or any zip archive) to ~/Downloads Run /usr/bin/eslogger create | grep "Visual Studio Code" and watch for file creation events you'll notice a bunch in /private/var/folders but none in ~/Downloads Expand the archive and notice there's no file creation events You can run sudo eslogger create | grep "/Downloads/Visual Studio Code.app" to see that there are no files being "created" in the Downloads folder by that name. I briefly went through the other "File Metadata Event Types" and did not seem to find one that fit the bill. Completely understand there could be another event that will collect behavior. My mute set is pretty standard and don't think there is an issue there. Any suggestions would be greatly appreciated!
2
0
700
Feb ’23
Enabling File Quarantine for apps
Is there any additional work that developers need to do to enable File Quarantine for their apps besides adding LSFileQuarantineEnabled to their Info.plist (and all the helpers)? All files made by the app's processes should be quarantined by macOS without any additional changes to the app by the developer correct? Thanks!
3
0
1.4k
Feb ’23