Post

Replies

Boosts

Views

Activity

Memory leak when using OSLogStore in a loop
Hello, I am currently working on a project that involves periodically querying OSLog to forward system log entries to a backend. While the functionality generally operates as expected, I have encountered a memory leak in my application. Through testing, I have isolated the issue to the following simplified code example: #import <Foundation/Foundation.h> #import <OSLog/OSLog.h> int main(int argc, const char * argv[]) { @autoreleasepool { while(1) { NSError *error = nil; OSLogStore *logStore = [OSLogStore storeWithScope:OSLogStoreSystem error:&error]; if (!logStore) NSLog(@"Failed to create log store: %@", error); sleep(1); } } return 0; } When running this example, the application exhibits increasing memory usage, consuming an additional 100 to 200 KB per iteration, depending on whether the build is Debug or Release. Given that Automatic Reference Counting is enabled, I anticipated that the resources utilized by logStore would be automatically released at the end of each iteration. However, this does not appear to be the case. Am I using the API wrong? I would appreciate any insights or suggestions on how to resolve this issue. Thank you.
2
0
252
Nov ’24
How to grant command line tools full disk access
Hello all, I'm looking for clarification on the functionality of Full Disk Access (FDA) in macOS. To illustrate my case, consider the following simple example program: #include <stdio.h> #include <string.h> #include <errno.h> int main(void) { const char *filePath = "/Library/Preferences/com.apple.TimeMachine.plist"; // Try to open the file FILE *file = fopen(filePath, "r"); if (file == NULL) { // If there is an error opening the file, print the error and exit printf("Error opening file %s: %s\n", filePath, strerror(errno)); return 1; } fclose(file); // If we reached here, the file was successfully opened printf("File %s opened successfully\n", filePath); return 0; } When this program is built and executed in Terminal.app with Terminal having FDA, the file opens successfully. Conversely, when FDA is revoked from Terminal and granted to the program, an error occurs due to insufficient privileges. Interestingly, building and executing the program within Xcode, without Xcode having FDA, but granting FDA to the resulting binary (either debug or release), allows the file to open successfully. Which is what I would expect for the above case as well. Running the same binary (with FDA enabled), which runs successfully within Xcode, in Terminal yields an error message. So, I have the following questions based on these observations: Why does the program access the file successfully when run from within Xcode, despite Xcode lacking FDA? Why does the program fail to access the file when run from Terminal without FDA, even though the program itself has FDA? What is the precise relationship between a parent process and its child process concerning FDA? These tests were conducted on macOS 14.5 with Xcode 15.4. Thanks in advance!
6
0
886
Jun ’24
Endpoint Security: discerning successful from failed events
Hello, As I understand it, the ES framework provides notifications for specific event types. For my question, auth events do not matter, as I'm not interested in allowing/denying events, just reporting. Is there a way to retrieve the information if an event was successful/failed from an ES message? So far, I have found nothing in this regard in the documentation. For example, under certain circumstances, I get two notifications if I try to delete a file via the Finder, for which administrator privileges are required. The first is when the authorization dialog appears (this notification is for the failed unlink event), and the second is when I enter the correct credentials and the file is deleted. Example for reproduction: Open a terminal and create a file in "/etc" with the command "sudo touch test.txt". Run the command 'sudo eslogger unlink | grep -E "test.txt"' to start monitoring UNLINK events for files named "test.txt". Open the folder "/etc" in Finder. Select the file "test.txt", click on "File" in the menu, and hold the option key pressed. Then select "Delete Immediately...". In the appearing dialog, click on "Delete". Before entering the administrator password, and while the credentials dialog is still open, observe that eslogger already reports an UNLINK event for this file. It reports the user information: "ruid":501,"euid":501,"rgid":20,"auid":501,"egid":20. Enter the administrator password to confirm the deletion of the file. Observe that eslogger reports a second UNLINK event for this file. This time with the user information: "ruid":0,"euid":0,"rgid":0,"auid":501,"egid":0. So, is there a way to check the first event for failure? Otherwise, I would need to check manually if the file is still there after receiving the first notification, if I only want to report events that "really" happened (excluding attempts).
0
0
563
Jul ’23
Kernel header cs_blobs.h not found
To check the codesigning flags of a process after receiving an endpoint security event, the header cs_blobs.h is needed (see https://developer.apple.com/documentation/endpointsecurity/es_process_t/3334987-codesigning_flags). Unfortunately, the header is not found even if Kernel.framework is added to the target. Using a hack, however works. The way it is supposed to work, i.e. it should build but does not: Add Kernel.framework to the project. Use the directive "#include <kern/cs_blobs.h>“ The way it works, i.e. it builds and works although it should not: Do NOT Add Kernel.framework to the project. Use the directive "#include <Kernel/kern/cs_blobs.h>“ Does anyone have an idea as to why the hack works? P.S.: I created a feedback item for this issue (FB12016572).
4
1
852
Feb ’23
Receiving notifications for ES event ES_EVENT_TYPE_NOTIFY_UTIMES
Hi, in my program, i would like to receive notifications via endpoint security for the event type ES_EVENT_TYPE_NOTIFY_UTIMES when a file's access or modification time changes. I registered for this event (along with some others) but do not receive any notifications, but for all others, I do. So I tried to see if it works with eslogger. I ran "sudo eslogger utimes" and changed modification times of some text files via an editor, as well as touch (e.g. " touch -t 199212312158 test.txt"). But eslogger does not show any events happening, too, although the modification times are changed. Maybe I misunderstand the documentation. Under what circumstances do I receive a notification for this event type? Is the file type relevant or the path? Best regards Saša Ilić
6
0
1.1k
Jan ’23