Posts

Post not yet marked as solved
2 Replies
849 Views
The SimpleFirewall example has a project for the App associated System Extension.
When the SimpleFirewall app is launched and the Start button is pressed, the Extension gets launched. But before that, if I try to debug using the process name and set a breakpoint using the usual breakpoint setting, it does not work, since the debugger still waits for the process to be launched.
How do you debug using the debugger?
Posted
by prokash.
Post not yet marked as solved
4 Replies
904 Views
Folks,
So far, I've been able to get the Firewall system extension including the Simple Firewall workspace (example) running. It's from Apple.
It's written in Swift (I'm not fluent but trying to learn). I've bridged code written in C, but really need to do active debugging. I saw there was a passing mention that we should use os_log() and watch through the console. But that would not help me in this case. The reason being that we had custom message-passing code that used a control socket in the Kext. Moving forward we want this inside the System extension.
As such, as a prelude to this, I plugged in a small server side written in Swift, and was able to connect and communicate from any socket client. This shows that we can have a server, and
Posted
by prokash.
Post not yet marked as solved
0 Replies
411 Views
Hi,
For the Endpoint Security extension, can we set the deadline field at the registration of the handler... Don't think this is what we could do!
Even if it is possible, we have to cast away the const es_message_t.
I see in the debugger that the engine kills the client if we time out while at a breakpoint, so I'm looking for a way to increase the deadline :-) under debug mode.
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
5 Replies
1.1k Views
Folks,
I have been looking for an Xcode workspace that gives me form and structure about the 10.16 (upcoming) OS's EndPoint Security Infrastructure. Found some online code that tries to execute (i.e. starting or loading the EndPoint Security framework - that I included in the workspace like other frameworks).
Now if I try to debug (or run), I get the message Starting EndPoint Security ... Then it fails. MY ASSUMPTION HERE IS THAT THERE IS A SYSTEM LEVEL SERVICE THAT WOULD BE LAUNCHED AS A PROCESS FOR SECURITY EXTENSION (server).
It fails at the call to es_new_client(...)
Since the doc says add an entry like the following in the entitlement file --
<key>com.apple.developer.endpoint-security.client</key> <true/>
Adding it does not even load the program, crashed with
Crashed Thread: 0
Exception Type: EXC_CRASH (Code Signature Invalid). <----------------------------
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
DOES IT REALLY MEAN THAT THE ID I AM USING TO SIGN AUTOMATICALLY DOES NOT HAVE THE PERMISSION ????
KEY CHAIN SHOWS ALL ARE VALID ID.
THANKS MUCH
Prokash
FYI ...
not important !!! kernel messages:
Posted
by prokash.
Post not yet marked as solved
0 Replies
330 Views
Folks,
I had been asking questions for a few things around this... Basically a lot of new things for me (App, System Extension, Cocoa, Swift and all other things related to Apple App related stuff).
Finally got the hang of it, and I was able to get the Firewall extension going with a separate thread for the TCP listener ---
Now time to get the XPC going, which would be really low latency, and more secure Message IPC !!
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
314 Views
I've been trying the SimpleFirewall extension for some time... Once I get it working, then I need to modify the System extension to something more.
In the process, I see that sometimes the systemextension in /Library/SystemExtension does not get refreshed.
The WWDC 2019 doc on this says, if we erase the Firewall.app from the /Applications folder, it does clean up correctly. Even though there is no running extension for this package, it SAYS IT DID ERASE, THE FOLDER DOES NOT GET CLEANED.
Sometimes it cleans correctly, so there are some times when sticky stuff is still around (reboot or complete shutdown restart does not help).
Essentially very unstable environment....
We can do the sudo rm -rf --- But still it does not know how to bring the Extension to that folder and start the Firewall app.... Spins...
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
345 Views
Essentially the error for the listener comes from ---
nw_listener_socket_inbox_create_socket bind(3, <private>) tcp, local: ::.12345, indefinite, server failed [1: Operation not permitted]
<<< trying to do local socket on 127.0.0.1 >>>
main.swift or SimpleFirewall extension

let queue = DispatchQueue.global(qos: .background)
queue.async() {
    IPCmain()
}

func IPCmain() {
    os_log("<<<<<<<<<<<<<<<<<<<<<< IPCmain starts")  // this shows up in console log viewer App
    Server.run()
    os_log("<<<<<<<<<<<<<<<<<<<<<< IPCmain ends ")   // this shows up in console log viewer App
}

When I run the same Server code in a stand-alone cmd line App, it works.
Is there something obvious I'm missing ???
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
466 Views
In the last post I mentioned that I was having trouble updating the SimpleFirewall example builds and running again. That was my lack of knowledge. The DriverKit and System Extension PDF has the steps to get this going...
What is/are the best way to expose tcp socket level IPC (unix socket) between APP-ONE and APP-TWO. Only one APP has the system extension embedded in it (just like the SimpleFirewall project).
Since I have an old style command line daemon that needs to talk to the SystemExtension directly, I created a swift based tcp server side based on the GCD dispatch mechanism. Console log seems like it is in listen mode. But any client outside this App Bundle can not connect to it. All local address. CONNECTION REFUSED is the message on the client side.
How to go about this ???
Thanks,
Prokash
https://developer.apple.com/documentation/bundleresources/entitlements/com_apple_security_application-group
Posted
by prokash.
Post not yet marked as solved
0 Replies
532 Views
I have the SimpleFirewall Network extension from Apple's site. And I was able to get it to compile/configure and in working condition.
I was trying to do some XPC MSG exchange so I had to kill the /Library/SystemExtension/6789... / my extension as well as delete the folder.
Now with the same code (original code of the extension), I can not start the Firewall App anymore. There is no process running for the SystemExtension, and the /Library/SystemExtension folder is empty. ESSENTIALLY the start button does not start.
Q: Is there a sane way to clean system extension ? How to debug the system extension using either Xcode or lldb command line ?
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
1 Replies
379 Views
Folks,
We have to have an interface from C to Swift (C --> Swift), since we are trying to use SystemExtensions (replacing a few Kexts) for Catalina+.
I can use some of the ideas (including @Eskimo's) to interface directly from C to invoke a Swift routine, as long as the files are under the same target.
Since the daemon (being sorta command line App with daemonization) would be running as a separate process than any of the System Extension(s), we need some form of IPC. The XPC service generates obj-c code by default; modifying them to the swift equivalent is difficult, since it can not find class/protocols in another swift file (must need more hacks inside Xcode project linking etc - which I don't know much).
So can someone help how to go about ---
1) Direct invocation probably not going to work (i.e. cross process)
2) What IPCs can be used between C and Swift processes ?
Thanks much!
-Prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
271 Views
All,
I created a C/C++ Console App, and a skeletal NetworkExtension target.
I found from the internet that there are some ways (albeit undoc) to invoke swift routines from a C App, and it works.
What I need ---
a) Should be able to invoke a swift function from C, like before. But that function would be in the extension. It does not matter if the extension is in Objective-C.
When I defined the swift func in main.swift of NetworkExtension, I get a link error.... So how do I EXPORT these to the command line App?
Is there a way to launch such a system extension like an App has embedding under the Library section ? Or what do I need to do ?
Thanks,
Prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
297 Views
Endpoint security has two above types of EVENT notifications. And it has the ALLOW/DENY options ?
Is ALLOW/DENY option good for both classes of events?
Seems like we can not choose ALLOW/DENY when it is a NOTIFY event !!
Please confirm!
Thanks,
prokash
Posted
by prokash.
Post not yet marked as solved
0 Replies
358 Views
Folks,
There is example Objective-C code on github that shows how to use the simple EndPointSecurity framework on 10.15 and hopefully later.
I was trying to get this example as a POC to see how many of those Kauth events we can get hold of and use Allow/Deny.
I tried both as a command line and as a Cocoa App (just a simple App) where I can put the plist keys for entitlement.
Unfortunately I am getting the same error on both trials --
(lldb) po res
ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED

<info.plist>
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>CFBundleDevelopmentRegion</key>
    <string>$(DEVELOPMENT_LANGUAGE)</string>
    <key>CFBundleExecutable</key>
    <string>$(EXECUTABLE_NAME)</string>
    <key>CFBundleIconFile</key>
    <string></string>
    <key>CFBundleIdentifier</key>
    <string>$(PRODUCT_BUNDLE_IDENTIFIER)</string>
    <key>CFBundleInfoDictionaryVersion</key>
    <string>6.0</string>
    <key>CFBundleName</key>
    <string>$(PRODUCT_NAME)</string>
    <key>CFBundlePackageType</key>
    <string>$(PRODUCT_BUNDLE_PACKAGE_TYPE)</string>
    <key>CFBundleShortVersionString</key>
    <string>1.0</string>
    <key>CFBundleVersion</key>
    <string>1</string>
    <key>LSMinimumSystemVersion</key>
    <string>$(MACOSX_DEPLOYMENT_TARGET)</string>
    <key>NSHumanReadableCopyright</key>
    <string>Copyright © 2019 Prokash.Sinha. All rights reserved.</string>
    <key>NSMainStoryboardFile</key>
    <string>Main</string>
    <key>NSPrincipalClass</key>
    <string>NSApplication</string>
    <key>NSSupportsAutomaticTermination</key>
    <true/>
    <key>NSSupportsSuddenTermination</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
    <key>com.apple.developer.endpoint-security.client-allow</key>
    <true/>
</dict>
</plist>
Posted
by prokash.
Post not yet marked as solved
1 Replies
466 Views
Sandbox: SimpleFirewall(3981) deny(1) mach-lookup A6Y6Q3496T.com.example.apple-samplecode.SimpleFirewall.SimpleFirewallExtension
After building the example from Apple.
Later the IPC between App and the System Extension fails.
Any help ?
Thanks,
Prokash
Posted
by prokash.