Post

Replies

Boosts

Views

Activity

Endpoint security daemon causing shutdown hang
I have an application that leverages endpoint security which runs a launchd service. It protects itself from user termination by intercepting signals addresses to the daemon and only allowing a whitelisted group of processes (including launchd) send signals. Launchd is set to keep the process alive. When I shut down the machine, I get a long hang similar to when an endpoint application is deadlocked on when processing an event who causes an auth event to be created for the target process. There is nothing interesting to speak of in the unified logs. I suspect I might be shutting down the endpoint framework in the wrong order or something when I intercept the signals delivered by the system shutdown. I have tried various combinations of allowing and denying the kill-my-daemon signal from launchd (I never do see the sigterm, but I do see the sigkill) with varying levels of pauses and hangs, but I only get a quick shutdown on a few occasions. I do mute notifications for my daemon so as to not deadlock myself. I’m thinking there is a better way to appproach this problem, but the method escapes me. How to best have my process protect itself from users terminating it while still having the os shut down quickly without getting locked waiting on notifications to expire for a killed process... I very much appreciate the community’s insights. These are some interesting problems caused by doing this work in user space!!!
6
0
1.5k
Feb ’20
Endpoint Security app launchable from launchd/xcode, not from command line
We have an application that has the endpoint security entitlement. We recently got access to sign with this permission, and are operating on a machine with SIP enabled for the first time. TCC has been granted for the application, and it can run from XCode/launchd without issue so long as the scheme is edited to run as root.Oddly, though whenver I try to run from a root shell, I get a failure of `ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED` on my call to `es_new_client`, and the following error is printed in the console:Sandbox: agentnm(2312) System Policy: deny(1) system-privilege 1016Any advise on why this might not be runnable from the command line, but is runnable from both the xcode launcher and launchd?
5
0
1.6k
Feb ’20