Post

Replies

Boosts

Views

Activity

XCTest to test EndpointSecurity error, ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED
I tried to use XCTest to test my own project that uses EndpointSecurity, but when I created the esClient I got an error: ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED, indicating that it was not root. This makes it impossible for me to do coverage tests for the ESClient application. Is there any way I can implement this ESClient test? If so, how should I use it? The project is a macOS program; if I use gcov, I find I can't get coverage. Using __gcov_flush will indicate that there is no symbol:

    #if !TARGET_IPHONE_SIMULATOR
    NSArray *paths = NSSearchPathForDirectoriesInDomains(NSDocumentDirectory, NSUserDomainMask, YES);
    NSString *documentsDirectory = [paths objectAtIndex:0];
    setenv("GCOV_PREFIX", [documentsDirectory cStringUsingEncoding:NSUTF8StringEncoding], 1);
    setenv("GCOV_PREFIX_STRIP", "13", 1);
    #endif
    extern void __gcov_flush(void);
    __gcov_flush();
Replies: 3, Boosts: 0, Views: 436, Activity: Sep ’24
Memory Overhead Issues with ESF Framework During High Volume of NOTIFY Events
I refer to Google's ESF project code to handle NOTIFY events, but after my notifyQueue is set to QOS_CLASS_BACKGROUND, the process memory gets larger when a lot of events occur. Is there any way to fix this without affecting performance? The code is as follows:

    notifyQueue = dispatch_queue_create("notify",
        dispatch_queue_attr_make_with_qos_class(DISPATCH_QUEUE_CONCURRENT_WITH_AUTORELEASE_POOL, QOS_CLASS_BACKGROUND, 0));

    if (msg->action_type == ES_ACTION_TYPE_NOTIFY) {
        es_message_t *copied_msg = [self copy_message:msg];
        if (!copied_msg) {
            return;
        }
        dispatch_async(self->_notifyQueue, ^{
            @autoreleasepool {
                [self handle:copied_msg];
                [self free_message:copied_msg];
            }
        });
    }
Replies: 4, Boosts: 0, Views: 866, Activity: Dec ’23
endpoint security app crash
I have implemented an app to monitor computer events according to the ESF framework, but a crash appears, and the crash content is:

    Time Awake Since Boot: 800000 seconds
    Time Since Wake: 2594 seconds
    System Integrity Protection: enabled
    Crashed Thread: 0
    Exception Type: EXC_CRASH (SIGKILL)
    Exception Codes: 0x0000000000000000, 0x0000000000000000
    Exception Note: EXC_CORPSE_NOTIFY
    Termination Reason: Namespace ENDPOINTSECURITY, Code 2

I can't find it. Why is this happening? Can you tell me under what circumstances such a crash would occur?
Replies: 2, Boosts: 0, Views: 660, Activity: Dec ’23
Two esf processes conflict
Here's the scenario: I have two processes on my computer, named A and B. Both processes are monitored by the ESF, and both processes monitor the same ESF events, such as ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN. If processes A and B run at the same time, will an event conflict occur? In ESF event processing, is there any way to achieve full event listening and keep CPU usage low?
Replies: 1, Boosts: 0, Views: 698, Activity: Nov ’23
NSXPC
I have another NSXPC problem, and the problem goes like this. The NSXPC server implements an interface:

    -(void) callbackWithInfo:(NSDictionary*)log reply:(void (^)(bool))action;

The NSXPC client implements a method that will call the interface in a loop and perform a timeout operation. If the server returns to the interface and does not call the action after 1s, the client will perform subsequent operations. The callbackWithInfo interface is then called again, and the cycle continues. Client code (the general structure is as follows):

    while(true){
        dispatch_semaphore_t semaphore = dispatch_semaphore_create(0);
        dispatch_async(dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_DEFAULT, 0), ^{
            [serverProxy callbackWithInfo:InfoDic reply:^(bool action) {
                if(flag != NO){
                    flag = action;
                }
            }];
            // Signalled as soon as the message has been sent, not when the reply block runs.
            dispatch_semaphore_signal(semaphore);
        });
        if(dispatch_semaphore_wait(semaphore, dispatch_time(DISPATCH_TIME_NOW, self.waitTime * NSEC_PER_MSEC)) != 0){
            NSLog(@"flag: %d", flag);
        }
        // sleep() takes whole seconds (unsigned int), so 0.1 is converted to 0.
        sleep(0.1);
    }

If the action callback is not invoked on the server, the number of FDs on the client increases. As a result, the process cannot open the file, or too much program context information is generated. As a result, the NSXPC interface fails to be invoked. Now I cannot operate on the server side. How can the client side implement the code to ensure that the action will not be punished, and the fd will not increase?
Replies: 2, Boosts: 0, Views: 688, Activity: Oct ’23
The NSXPC API passed NSDictionary data, and a crash occurred
I implemented an NSXPC for inter-process data transfer, and the data transferred is NSDictionary. However, a crash occurred during transmission. The corresponding crash logs are as follows:

    Thread 16 Crashed:: Dispatch queue: xpc.test.queue
    0   libobjc.A.dylib          0x1945a24d0 objc_retain + 16
    1   Foundation               0x1956b7764 -[NSDictionary(NSDictionary) encodeWithCoder:] + 604
    2   Foundation               0x195686d9c -[NSXPCEncoder _encodeObject:] + 520
    3   Foundation               0x19568c154 _NSXPCSerializationAddInvocationWithOnlyObjectArgumentsArray + 120
    4   Foundation               0x19568c000 -[NSXPCEncoder _encodeInvocationObjectArgumentsOnly:count:typeString:selector:isReply:into:] + 212
    5   Foundation               0x195684f98 -[NSXPCConnection _sendInvocation:orArguments:count:methodSignature:selector:withProxy:] + 1448
    6   Foundation               0x19568d584 -[NSXPCConnection _sendSelector:withProxy:arg1:] + 132
    7   Foundation               0x19568d4a8 _NSXPCDistantObjectSimpleMessageSend1 + 68
    8   TestDemo                 0x1041e9308 0x104184000 + 414472
    9   libdispatch.dylib        0x1945565f0 _dispatch_call_block_and_release + 32
    10  libdispatch.dylib        0x1945581b4 _dispatch_client_callout + 20
    11  libdispatch.dylib        0x19455f8a8 _dispatch_lane_serial_drain + 668
    12  libdispatch.dylib        0x194560404 _dispatch_lane_invoke + 392
    13  libdispatch.dylib        0x19456ac98 _dispatch_workloop_worker_thread + 648
    14  libsystem_pthread.dylib  0x194718360 _pthread_wqthread + 288
    15  libsystem_pthread.dylib  0x194717080 start_wqthread + 8

I want to know if there is any way to check if NSDictionary data is transferable. The NSDictionary data is generated dynamically, and the assignment method used is Info[@"baseInfo"] = ***. Is this method necessary to determine whether *** is not nil?
Replies: 1, Boosts: 0, Views: 650, Activity: Oct ’23
app crash at com.apple.root.default-qos Dispatch queue
I implemented a multithreaded app, but there was a thread-related crash in the app. I don't understand why this happened. The corresponding stack trace is as follows:

    Thread 15 Crashed:: Dispatch queue: com.apple.root.default-qos
    0   libsystem_kernel.dylib   0x1a849ad98 __pthread_kill + 8
    1   libsystem_pthread.dylib  0x1a84cfee0 pthread_kill + 288
    2   libsystem_c.dylib        0x1a840a340 abort + 168
    3   libc++abi.dylib          0x1a848ab08 abort_message + 132
    4   libc++abi.dylib          0x1a847a950 demangling_terminate_handler() + 336
    5   libobjc.A.dylib          0x1a8370320 _objc_terminate() + 144
    6   libc++abi.dylib          0x1a8489ea4 std::__terminate(void (*)()) + 20
    7   libc++abi.dylib          0x1a8489e40 std::terminate() + 64
    8   libdispatch.dylib        0x1a830c1c8 _dispatch_client_callout + 40
    9   libdispatch.dylib        0x1a831da04 _dispatch_root_queue_drain + 680
    10  libdispatch.dylib        0x1a831e104 _dispatch_worker_thread2 + 164
    11  libsystem_pthread.dylib  0x1a84cc324 _pthread_wqthread + 228
    12  libsystem_pthread.dylib  0x1a84cb080 start_wqthread + 8
Replies: 3, Boosts: 0, Views: 1.3k, Activity: Sep ’23
The NSXPC interface is not invoked
Hello, I encountered the following problem. The scenario is like this: I have a launchctl startup daemon called xpcserver.app, which uses NSXPC to start an XPC server. There is a client program that links to the NSXPC service of this xpcserver.app, and when I establish the connection, I call an interface implemented by xpcserver named setName:(NSString *)name. I was sure that my xpcserver implemented the corresponding interface, but when the client called the interface to pass the value, it triggered the error "unrecognized selector sent to instance". When I restarted the client, the call to the interface successfully implemented the function. May I ask why? I am using a service started with NSXPC and hope to solve this. Thank you.
Replies: 3, Boosts: 0, Views: 725, Activity: Sep ’23
In macOS 10.15, double-click to start an app. ES_EVENT_TYPE_AUTH_EXEC event location where the app is located.
I encountered the following problem. On macOS 10.15, when monitoring ES_EVENT_TYPE_AUTH_EXEC through the ESF framework, if I double-click to start /Users/test/Downloads/test.app, the path of test.app corresponding to message->event.exec.target->path.data in the ES_EVENT_TYPE_AUTH_EXEC event is under /private/var/folders. This prevents me from blocking the test.app startup in the /Users/test/Downloads/ directory through string matching.
Replies: 1, Boosts: 0, Views: 839, Activity: Jun ’23
Block ES_EVENT_TYPE_AUTH_CLONE event response, but NSFileManager copyItemAtPath: can still copy new files
I implemented a method to monitor the testfile copy activity and reject it using ES_EVENT_TYPE_AUTH_CLONE. The copy code used is as follows:

    NSFileManager *fileManager = [NSFileManager defaultManager];
    NSError *error = nil;
    NSString *sourcePath = self.CopyFilePath.stringValue;
    NSString *destinationPath = [sourcePath stringByAppendingFormat:@"(Code copy file)"];
    BOOL success = [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error];
    if (success) {
        NSLog(@"File copy successful");
    } else {
        NSLog(@"File copy failure:%@", error.localizedDescription);
    }

This code fires the ES_EVENT_TYPE_AUTH_CLONE event, and I treat the auth event as ES_AUTH_RESULT_DENY, but it still creates a new file testfile(Code copy file). How can I prevent the file copy performed by [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error]; through code?
Replies: 7, Boosts: 0, Views: 2.3k, Activity: May ’23