I'm attempting to extract the environment variables from an es_event_exec_t using the provided es_exec_env() function, but when I attempt to do this for certain processes my security extension seems to crash:
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 0
OS Version: macOS 13.1 (22C65)
System Integrity Protection: disabled
Crashed Thread: 0 Dispatch queue: BBReaderQueue
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Thread 0 Crashed:: Dispatch queue: BBReaderQueue
0 libsystem_kernel.dylib 0x1938961b0 __pthread_kill + 8
1 libsystem_pthread.dylib 0x1938cccec pthread_kill + 288
2 libsystem_c.dylib 0x1938062c8 abort + 180
3 libsystem_c.dylib 0x193805620 __assert_rtn + 272
4 libEndpointSecurity.dylib 0x1a5518078 es_exec_env.cold.1 + 44
5 libEndpointSecurity.dylib 0x1a5515bf4 es_exec_env + 48
6 ESFramework 0x1015b443c parseExecEnvVars(event:) + 3084 (ExecEvent.swift:172)
Any ideas on what might be going wrong or where I might be able to start? I'm able to reproduce the problem by executing iTerm2.app which kicks off iTermServer-3.4.19 causing the crash.
Here's the basic program flow:
Receive incoming es_message_t and if it's an exec event
Create a new struct to model the exec event:
import Foundation
import EndpointSecurity
import os

public struct ExecEvent: Identifiable, Codable, Hashable {
    public var id: UUID = UUID()
    public var process_path, env_variables: String?

    // Built synchronously inside the ES handler, so the message (and the
    // string tokens that point into it) is still valid while we copy fields out.
    init(fromRawEvent rawEvent: UnsafePointer<es_message_t>) {
        es_retain_message(rawEvent)
        var execEvent: es_event_exec_t = rawEvent.pointee.event.exec
        self.process_path = String(cString: execEvent.target.pointee.executable.pointee.path.data)
        // MARK: Parse environment variables. Crashes for certain procs like `iTermServer-3.4.19`.
        self.env_variables = parseExecEnvVars(event: &execEvent)
        es_release_message(rawEvent)
    }
}
To grab the environment variables
public func parseExecEnvVars(event: inout es_event_exec_t) -> String {
    // Number of environment entries. The post as written used es_exec_arg_count here,
    // which returns the argv count, not the env count; asking es_exec_env for an index
    // at or beyond the env count trips the assertion seen in the crash log
    // (es_exec_env.cold.1 -> __assert_rtn -> abort).
    let numberOfVars: Int = Int(es_exec_env_count(&event))
    let procPath: String = String(cString: event.target.pointee.executable.pointee.path.data)
    // os_log takes a StaticString format, so use format specifiers rather than interpolation.
    os_log("Path: %{public}@ --> has %d env vars", procPath, numberOfVars)
    var envVars: [String] = []
    for index in 0..<numberOfVars {
        // Each token points into the retained es_message_t; copy it into a Swift String.
        let envVar: String = String(cString: es_exec_env(&event, UInt32(index)).data)
        os_log("#%d: %{public}@", index, envVar)
        envVars.append(envVar)
    }
    return envVars.joined(separator: "\n")
}
I would have thought ES would emit an es_event_create_t for files being created as a result of inflating an archive in the Downloads folder.
A good test for this would be to:
Download Visual Studio Code (or any zip archive) to ~/Downloads
Run /usr/bin/eslogger create | grep "Visual Studio Code" and watch for file creation events; you'll notice a bunch in /private/var/folders but none in ~/Downloads
Expand the archive and notice there's no file creation events
You can run sudo eslogger create | grep "/Downloads/Visual Studio Code.app" to see that there are no files being "created" in the Downloads folder by that name.
I briefly went through the other "File Metadata Event Types" and did not find one that fit the bill. I completely understand there could be another event that will collect this behavior. My mute set is pretty standard, and I don't think there is an issue there.
Any suggestions would be greatly appreciated!
Is there any additional work that developers need to do to enable File Quarantine for their apps besides adding LSFileQuarantineEnabled to their Info.plist (and all the helpers)?
All files made by the app's processes should be quarantined by macOS without any additional changes to the app by the developer, correct?
Thanks!