Never mind, returning the pointer created to the class from the return statement was actually the problem!!!
By the way, I'm trying this using the C API interface (no Obj-C though).
We will have a launchctl-based EP Security client, which we tested and it seems to work fine (note that we do not want any app related stuff, like canvas, delegates etc.). At the start we will have a communication dylib that is going to field the XPC based communication I mentioned here.
This is going to be C and C++. The XPC module could stay as a C module.
Hope it does not create more problems!!
-P
Thanks much, Eskimo, as usual...
Let me go through all that you stated, and ref:
Appreciate it much!
-P
The only relevant log is
application.com.apple.mail.1152921500311908095.1152921500311908100[69680]): Service exited with abnormal code: 1
Never mind.... All working fine.
Ideally I would be happy if I could get the DAEMON (that I can install using launchctl) working with SIP enabled.
After registering (it becomes silent). Hope this one is working for someone (with SIP enabled).
Thanks much, Eskimo!
I was able to compile using Xcode beta 3 and 4 of 12.0.
I'm not sure if the app that embeds the extension should be in the Applications folder, if so is it /Applications??
When I try to launch under Xcode, I'm able to see in the UI that the launching is successful. BUT SEE the signature problem. Not sure why though! When I check the signature:
psinha@Prokash.Sinha:~/GITS/MonitoringSystemEventsWithEndpointSecurity/Build/Products/Debug$ codesign -dvvvv com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/
Executable=/Users/psinha/GITS/MonitoringSystemEventsWithEndpointSecurity/Build/Products/Debug/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension
Identifier=com.example.apple-samplecode.SampleEndpointApp.Extension
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=772 flags=0x10000(runtime) hashes=14+5 location=embedded
VersionPlatform=1
VersionMin=659200
VersionSDK=720896
Hash type=sha256 size=32
CandidateCDHash sha256=c093346dc496a58da0bc8f61450b972d8819ca6d
CandidateCDHashFull sha256=c093346dc496a58da0bc8f61450b972d8819ca6d29de431d3e6c4c9c1a52ca01
Hash choices=sha256
CMSDigest=c093346dc496a58da0bc8f61450b972d8819ca6d29de431d3e6c4c9c1a52ca01
CMSDigestType=2
Page size=4096
CDHash=c093346dc496a58da0bc8f61450b972d8819ca6d
Signature size=4739
Authority=Apple Development: Prokash Sinha (XQ47TT249Y)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
Signed Time=Aug 6, 2020 at 12:06:27 PM
Info.plist entries=22
TeamIdentifier=C489D5E8E8
Runtime Version=11.0.0
Sealed Resources version=2 rules=13 files=1
Internal requirements count=1 size=220
Neither the link to sample code (mentioned in a reply) nor the X12.0 beta has the template for EP sec API use.
Can someone confirm this?
Thanks,
Prokash
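The `codesign -dvvvv` dump in the post above can be checked mechanically rather than by eye. The script below is an added example, not code from this thread or from Apple's sample project: it parses the key=value lines codesign prints (the sample text is the post's own output, trimmed to the lines the checks use), extracts the CodeDirectory flags and the certificate chain, and reports anything a reviewer would want to know before loading the extension: whether the hardened-runtime flag is set, whether the chain is anchored at Apple Root CA, whether the leaf identity is a Developer ID identity or a development one (as here), and whether the CDHash agrees with the sha256 candidate hash. The `CS_RUNTIME` constant and the identity classification are the script's own assumptions.

```python
"""Parse `codesign -dvvvv` output and sanity-check a system extension's signature.

Added example (not from the forum thread); the sample text below is the
output quoted in the post above, trimmed to the lines the checks use.
"""
import re

# Lines quoted from the post above (the Apple sample Endpoint Security extension).
SAMPLE_CODESIGN_OUTPUT = """\
Identifier=com.example.apple-samplecode.SampleEndpointApp.Extension
Format=bundle with Mach-O thin (x86_64)
CodeDirectory v=20500 size=772 flags=0x10000(runtime) hashes=14+5 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=c093346dc496a58da0bc8f61450b972d8819ca6d
CandidateCDHashFull sha256=c093346dc496a58da0bc8f61450b972d8819ca6d29de431d3e6c4c9c1a52ca01
CDHash=c093346dc496a58da0bc8f61450b972d8819ca6d
Authority=Apple Development: Prokash Sinha (XQ47TT249Y)
Authority=Apple Worldwide Developer Relations Certification Authority
Authority=Apple Root CA
TeamIdentifier=C489D5E8E8
Runtime Version=11.0.0
"""

# CS_RUNTIME bit in the CodeDirectory flags (shown by codesign as "(runtime)").
CS_RUNTIME = 0x10000


def parse_codesign(text):
    """Turn codesign's key=value lines into a dict.

    Authority lines are collected in order (leaf first, root last) under
    "authorities"; the CodeDirectory line's space-separated k=v tokens go
    under "code_directory".
    """
    info = {"authorities": [], "code_directory": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("CodeDirectory "):
            for token in line.split()[1:]:
                key, _, value = token.partition("=")
                info["code_directory"][key] = value
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "Authority":
            info["authorities"].append(value)
        else:
            info[key] = value
    return info


def parse_flags(flag_text):
    """'0x10000(runtime)' -> (0x10000, {'runtime'})."""
    m = re.fullmatch(r"0x([0-9a-fA-F]+)(?:\((.*)\))?", flag_text or "")
    if not m:
        return 0, set()
    names = {n for n in (m.group(2) or "").split(",") if n}
    return int(m.group(1), 16), names


def signing_kind(authorities):
    """Classify the leaf certificate of the chain (assumed name prefixes)."""
    if not authorities:
        return "adhoc-or-unsigned"
    leaf = authorities[0]
    if leaf.startswith("Developer ID Application:"):
        return "developer-id"
    if leaf.startswith(("Apple Development:", "Mac Developer:")):
        return "development"
    return "other"


def check_signature(info):
    """Return a list of findings; an empty list means nothing looked off."""
    findings = []
    bits, names = parse_flags(info["code_directory"].get("flags"))
    if not (bits & CS_RUNTIME) or "runtime" not in names:
        findings.append("hardened runtime flag (0x10000/runtime) not set")
    auths = info["authorities"]
    if not auths or auths[-1] != "Apple Root CA":
        findings.append("certificate chain is not anchored at Apple Root CA")
    kind = signing_kind(auths)
    if kind != "developer-id":
        findings.append(f"leaf identity is {kind!r}, not a Developer ID Application identity")
    cdhash = info.get("CDHash", "")
    full = info.get("CandidateCDHashFull sha256", "")
    if info.get("CandidateCDHash sha256") != cdhash or not full.startswith(cdhash):
        findings.append("CDHash does not match the sha256 candidate CDHash")
    if not info.get("TeamIdentifier"):
        findings.append("TeamIdentifier missing")
    return findings


if __name__ == "__main__":
    for finding in check_signature(parse_codesign(SAMPLE_CODESIGN_OUTPUT)) or ["no findings"]:
        print(finding)
```

Run against the post's output the only finding is the development signing identity, which is expected for a build launched from Xcode; feed the script the dump of a bundle you are about to ship and an unexpected finding is the cue to look at the signing settings before the system tries to load it.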
If anyone sees messages like the following on 11.M.N of Xcode:

error: attach by name 'processname' failed -- Problems with launching via XPC. XPC error : Connection interrupted

you know that the process had a crash in your prior debug session. Until I reboot the machine, I cannot re-attach to the same process -- what a bummer :-(
Well, Apple seems to have another push of binaries (that includes Xcode 11 updates). The initial beta that we all had did have some problems... At any rate, please make sure that there are no more updates, by clicking Preferences and Software Updates. After that, if there is any Xcode update, it should pop up a message box asking to update additional tools! Once all of them are checked, make sure to reboot.

Finally, to debug (if any of you made a command-line app and copied the EP sec GitHub code (by Oakrum!)), launch Xcode from the command line (kill any previously running instances of it), then open the app workspace. Otherwise use command-line LLDB with root permission.

So I'm able to debug through, and it is working in the sense that if you don't set breakpoints in and around the handler, you should be fine. The reason is that most AUTH events seem to have a deadline of ~0 sec.

What I still don't understand is that even if you bring just the FILE_OPEN AUTH event into your set of events to observe and handle, the system hangs (as if there are too many such events getting into the queue), or there is some problem in the implementation. I commented out any place where the new code is trying to sleep for some time.

Hope it helps!

Prokash
Ah, still there are some subtle differences that I don't understand... If I create a command-line app from the EP sec example from Okram's GitHub, I can debug through Xcode (once I launched Xcode from root's command line). But it does not work (i.e. superuser privilege fails) when I try the same steps with the Firewall extension that has the same code embedded in it.

-prokash
After following your link ---

First things first, check that your bundle's CFBundlePackageType property is SYSX. It's easy to miss this, and it'll give exactly the error you're seeing. If that's not it, the problem is most likely with your entitlements. Your extension really needs the com.apple.developer.endpoint-security.client entitlement. If you haven't yet been granted it by Apple, you should disable SIP on your test Mac, which allows you to use the entitlement even though you don't have a provisioning profile to whitelist it.

And modifying boot-args:

nvram -p | grep boot-args
boot-args	amfi_get_out_of_my_way=0x1

I get the EP security running up to the check for root, then it exits since the code is that way... I can now run Xcode under root and debug through, while the network extension side is running... NO MORE repeated crashing at load time (while the system tries to load the system extension repeatedly)...

Thanks once again.

Prokash
Thanks a bunch, Eskimo! Really appreciate the help(s). Let me look at the link you provided (i.e. your explanation there).

Basically, I would be happy if I could get a System Extension that has both the network extension and EP sec capabilities. This will help us a lot in terms of migrating to no kext and kernel ctl socket based from the existing kext based design.

-Prokash
BTW, would you please tell me how to create a system extension and attach it to an app (Cocoa)? I did put forum messages up for this, and really hate to piggyback on some other discussion :-(. Once I try to add a target, there is no option for a system extension (only network extension).

Basically, ...

1st choice) Add some entitlements to make the Firewall network extension also be an EP security extension (to spare the communication between two separate extensions).

2nd choice) Create a security extension as well. Have both extensions get loaded at runtime of the app that is embedding them.

Thanks,
prokash
So basically I'm looking for a way to have a System Extension be able to register as a client to the EP security infrastructure. When I take the security.client attribute (i.e. key), I can proceed but the registration fails with --

ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED

Why am I thinking this way? It will help us to have a fairly simple migration path from our existing KAUTH based implementation, which is to replace the kext with the system extension. Otherwise there would be a major architectural change.

Any advice, please??

Maybe due to security (hardening) reason(s), it does not allow having that entitlement in a system extension, which I don't understand. If it is not going to be allowed, that is fine too. I just need to get some confirmation.

Thanks,
Prokash
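The two things the quoted reply tells you to verify before blaming anything else, the bundle's CFBundlePackageType being SYSX and the com.apple.developer.endpoint-security.client entitlement being present, are both plain plist lookups. The script below is an added example, not code from this thread or from Apple: it reads an Info.plist and an entitlements plist with the standard-library `plistlib` and reports which of the two settings is wrong. Both plists are constructed for the example (the bundle identifier is the one from the codesign output earlier in the thread); the "BNDL" variant shows the generic package type the reply warns about.

```python
"""Check a system extension bundle's Info.plist and entitlements for the two
settings called out above: CFBundlePackageType must be SYSX and the
com.apple.developer.endpoint-security.client entitlement must be present.

Added example, not from the thread; the plists below are constructed.
"""
import plistlib

ES_CLIENT_ENTITLEMENT = "com.apple.developer.endpoint-security.client"
SYSTEM_EXTENSION_PACKAGE_TYPE = "SYSX"

PLIST_HEADER = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" '
    b'"http://www.apple.com/DTDs/PropertyList-1.0.dtd">\n'
)

# Constructed Info.plist for the extension bundle; the identifier is the one from the thread.
GOOD_INFO_PLIST = PLIST_HEADER + b"""<plist version="1.0">
<dict>
  <key>CFBundleIdentifier</key>
  <string>com.example.apple-samplecode.SampleEndpointApp.Extension</string>
  <key>CFBundlePackageType</key>
  <string>SYSX</string>
</dict>
</plist>
"""
# Same bundle with the generic bundle type: the mistake the reply warns about.
BAD_INFO_PLIST = GOOD_INFO_PLIST.replace(b"SYSX", b"BNDL")

# Constructed entitlements file carrying the ES client entitlement.
GOOD_ENTITLEMENTS = PLIST_HEADER + b"""<plist version="1.0">
<dict>
  <key>com.apple.developer.endpoint-security.client</key>
  <true/>
</dict>
</plist>
"""
# Constructed entitlements file with the ES client entitlement left out.
MISSING_ENTITLEMENTS = PLIST_HEADER + b"""<plist version="1.0">
<dict/>
</plist>
"""


def check_system_extension(info_plist, entitlements):
    """Return the list of problems found (empty when both settings are right)."""
    info = plistlib.loads(info_plist)
    ents = plistlib.loads(entitlements)
    problems = []
    package_type = info.get("CFBundlePackageType")
    if package_type != SYSTEM_EXTENSION_PACKAGE_TYPE:
        problems.append(
            f"CFBundlePackageType is {package_type!r}, expected {SYSTEM_EXTENSION_PACKAGE_TYPE!r}"
        )
    if ents.get(ES_CLIENT_ENTITLEMENT) is not True:
        problems.append(f"entitlement {ES_CLIENT_ENTITLEMENT} is missing or not <true/>")
    return problems


if __name__ == "__main__":
    print("good bundle:", check_system_extension(GOOD_INFO_PLIST, GOOD_ENTITLEMENTS))
    print("bad bundle: ", check_system_extension(BAD_INFO_PLIST, MISSING_ENTITLEMENTS))
```

To run it against a real build, pass the bytes of `Contents/Info.plist` from inside the `.systemextension` bundle and the entitlements as signed into the binary (on a Mac, `codesign -d --entitlements :- <bundle>` prints those as a plist), since what matters is what ended up in the signed bundle, not what the Xcode target was configured with.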