User Profile

macOS Sonoma 14.4 Xcode 15.3 Hi, I'm experimenting with C++/Swift interop and am following the official documentation, especially the section "Using Swift APIs of Imported Framework Target". I'm able to call Swift code from C++ when both Swift and C++ source files belong to the same app bundle or framework target, by importing the -Swift.h header. However, I'm not able to import the Swift code from a framework using a different C++ target. This is my test project setup: testApp is my app bundle and subprocesses is my framework, containing the auto-generated and unchanged subprocesses.h and some example swift code with a single public function. The subprocesses framework is added as a dependency to testApp and the framework has the C++ interoperability enabled. But when I try to import the auto-generated -Swift.h in main.cpp, it doesn't show up. What do I need to do so that I can call Swift framework code in a different C++ target? I think I've done everything according to the documentation. Thanks! Addendum I've also experimented with Apple's Xcode example projects. The "Mixing Languages in an Xcode project" (Link) works as expected. I was able to add a command line app target, and when I add the Fibonacci framework as a dependency, I'm able to use #include <Fibonacci/Fibonacci-Swift.h> and access the Swift API. However, the second of Apple's examples, "Calling APIs Across Language Boundaries" (Link) fails to compile out of the box (No member named 'createForest' in 'ForestBuilder::MagicForest').

The dns_util API like dns_parse_packet is marked deprecated as of macOS 13.0. What is the successor? I'm specifically interested in parsing parsing DNS packets captured with libpcap. As an aside, I was surprised that I didn't get a deprecation warning. We still use Big Sur as deployment target (which seems to control the warning in this case), but of course, we support the newest versions. Is the API guaranteed to work on Sonoma even though it was deprecated with Ventura?

We noticed that sometimes exec messages delivered by Endpoint Security contain unexpected data since Ventura: When a script is executed by a shell, like zsh, the process data for the responsible and the target process are identical, including the pidversion - but only sporadically. At first, I thought that it might be the case that pidversions are not incremented when a process execs into the same image. But my tests showed that this is not the case, and the pidversion is incremented in any case. I also tried to trigger this behavior with a program basically recursively execs into itself, but that worked as expected. So far, I've only observed this behavior with shell scripts. Here is an example: (lldb) p *(msg->process) (es_process_t) $7 = { audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277) } ppid = 10691 original_ppid = 10691 group_id = 10691 session_id = 10691 codesigning_flags = 570493697 is_platform_binary = true is_es_client = false cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V" signing_id = (length = 13, data = "com.apple.zsh") team_id = (length = 0, data = 0x0000000000000000) executable = 0x00000001036bb1e8 tty = nullptr start_time = (tv_sec = 1669896286, tv_usec = 191693) responsible_audit_token = { val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944) } parent_audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963) } } (lldb) p *(msg->event.exec.target) (es_process_t) $8 = { audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277) } ppid = 10691 original_ppid = 10691 group_id = 10691 session_id = 10691 codesigning_flags = 570493697 is_platform_binary = true is_es_client = false cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V" signing_id = (length = 13, data = "com.apple.zsh") team_id = (length = 0, data = 0x0000000000000000) executable = 0x00000001036bba00 tty = nullptr start_time = (tv_sec = 1669896286, tv_usec = 191693) responsible_audit_token = { val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944) } parent_audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963) } } Is this an error in Endpoint Security, or am I missing something here? Steps to reproduce execute a script repeatedly to trigger the behavior, e.g. for i in {1..200000}; do ./script1.sh > /dev/null; # sleep 1; still happens, but you have to wait longer done in another terminal you can use eslogger like this sudo eslogger exec | jq 'if .process.audit_token.pidversion == .event.exec.target.audit_token.pidversion then "\(input_line_number) pidversion did not change: \(.process.audit_token.pidversion == .event.exec.target.audit_token.pidversion) \(.process.executable.path) -> \(.event.exec.target.executable.path)" else empty end' which could output something like this: "3211638 pidversion did not change: true /bin/zsh -> /bin/zsh"

I want to compile curl in a such a way that it can access the macOS keychain for certificate lookup. I have added an internal company CA certificate to my system keychain and am trusting it. When I build curl as described in the curl docs (which I am apparently not allowed to link) with Secure Transport I am able to connect to a server with a certificate signed by our internal CA. However, this does not work as root. ./curl company.com # works sudo ./curl company.com # invalid certificate chain When I repeat the same tests with the curl version that ships with the os, it works in both cases. Same results with a small example program when I link against my build vs linking against Apple's curl. I've also tried to compile it with libressl (with and without Secure Transport) but then keychain access doesn't even work as normal user. Any idea what's going wrong? How does Apple compile curl so that it works as root?

Is it possible to tell whether a process has crashed with ES or to get a notification when a crash happens? I was looking at the stat field of es_event_exit_t in combination with the macros like WTERMSIG from wait (2), but that probably wouldn't be enough? A process could be terminated by a signal without a crash (e.g. by sending SIGSEGV via terminal). I ultimately want to analyze a crash report as soon as the crash report is available. Currently that's done by subscribing to ES_EVENT_TYPE_NOTIFY_CREATE but this approach comes with a few drawbacks.

I'm looking at the JSON of an .ips crash report on macOS 12.3. "uptime" : 21000, "procLaunch" : "2022-03-28 12:12:34.0643 +0200", "procRole" : "Unspecified", "version" : 2, "userID" : 0, "deployVersion" : 210, "modelCode" : "MacBookPro18,1", "procStartAbsTime" : 514306295821, "coalitionID" : 2566, "osVersion" : { "train" : "macOS 12.3", "build" : "21E230", "releaseType" : "User" }, "captureTime" : "2022-03-28 12:12:45.1086 +0200", "incident" : "3B40D69B-0019-46D7-AD93-B73D02A4B636", "bug_type" : "309", "pid" : 17162, "procExitAbsTime" : 514570783723, I was expecting the field procStartAbsTime and procExitAbsTime to be UNIX timestamps, but that would result in dates in 1986. What format are they and how can they be converted? Also I noticed that BigSur creates both the old .crash and the new .ips format crash reports, even for the exact same crash, not at the same time though. So one time it creates a .crash, the next time an .ips.

Hi, I've used Xcode's conversion tool to convert a chrome extension. However, the tool throws warnings for basically every key and permission in the manifest.json file. It does create an Xcode project though. I've validated the manifest.json against 3 different json standards and no issues were detected. I'm using the latest version of Monterey and Xcode. ╰─$ xcrun safari-web-extension-converter --objc --macos-only . objc[2832]: Class AMSupportURLConnectionDelegate is implemented in both /usr/lib/libamsupport.dylib (0x21686f130) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x108b4c2c8). One of the two will be used. Which one is undefined. objc[2832]: Class AMSupportURLSession is implemented in both /usr/lib/libamsupport.dylib (0x21686f180) and /Library/Apple/System/Library/PrivateFrameworks/MobileDevice.framework/Versions/A/MobileDevice (0x108b4c318). One of the two will be used. Which one is undefined. Xcode Project Location: [...]/Browser Extensions/Chrome extension/DistPublic App Name: [...] App Bundle Identifier: com.yourCompany.[...] Platform: macOS Language: Objective-C Warning: The following keys in your manifest.json are not supported by your current version of Safari. If these are critical to your extension, you should review your code to see if you need to make changes to support Safari: description webRequestBlocking persistent version nativeMessaging <all_urls> tabs scripts storage alarms manifest_version webRequest name icons The only permission that I found is really not supported is webRequestBlocking. But even if I remove it, the tool still complains about the rest. Any idea what is causing this behavior?

Hi, I have a macOS app bundle with multiple binaries. I can create an archive, notarize it and export the app bundle all within Xcode. But when I try to export the archive from the command line I get an error message: ╰─$ xcodebuild -exportArchive -archivePath myarchive.xcarchive -exportOptionsPlist myarchiveExportOptions.plist -exportPath ~/Desktop -verbose 2021-12-06 09:03:39.241 xcodebuild[15117:509468] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/qj/55jnf34d0dz7nrjmw9kkvj6c0000gn/T/....xcdistributionlogs". error: exportArchive: helperBinary does not support provisioning profiles. Error Domain=IDEProvisioningErrorDomain Code=10 "helperBinary does not support provisioning profiles." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=helperBinary does not support provisioning profiles., NSLocalizedRecoverySuggestion=helperBinary does not support provisioning profiles, but provisioning profile someName distribution has been manually specified. Remove this item from the "provisioningProfiles" dictionary in your Export Options property list.} ** EXPORT FAILED ** This is the export options plist I use (that's the one Xcode has exported): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>destination</key> <string>export</string> <key>method</key> <string>developer-id</string> <key>provisioningProfiles</key> <dict> <key>...</key> <string>someName distribution</string> </dict> <key>signingCertificate</key> <string>Developer ID Application</string> <key>signingStyle</key> <string>manual</string> <key>teamID</key> <string>...</string> </dict> </plist> How can I exclude the helper binary for the provisioning profile during the export of the archive? The main executable uses endpoint security.

I'm working on an enterprise product and we need to be able to provide a meaningful mapping between processes and the session context they're running in. I know that we can get the asid of a process based on an exec event subscription via ES, but the asid is too detailed. Ultimately we want to be able to say process A is running in the system/console of user {a,b,c}/ssh session. One problem is that for what we would consider a system session (non interactive) there exist multiple asids. So we need to group all non user sessions a be able to distinguish them from user gui/ssh sessions. Is there a way to get more information about a process' session, maybe but querying its asid? Maybe based on bsm and the audit token? I was thinking along the lines of what launchctl procinfo provides under the section audit flags. There are flags like has_console_access,has_authenticated. But I haven't been able to find out where this information is coming from. There are related flags in the Security framework (SessionAttributeBits) but especially the two I mentioned are missing.

When I want to add libcurl as a dependency I add libcurl.4.tbd under Link Binary with Libraries and it works. As I understand it these tbd files are stub libraries to enable the linking process for dynamic libraries while keeping the Xcode SDK download small (by replacing the actual dylib with a kind of placeholder). When I open the libcurl.4.tbd in Xcode, it lists under install-name /usr/lib/libcurl.4.dylib and I expected to find this file. But I can't find the actual libcurl.4.dylib at this dir nor anywhere else on my system. otool -L gives me same filepath. How is the linking handled in this case and where is the actual dylib located? I've learned that libcurl.4.dylib actually resides within a shared cache file unter /System/Library/dyld. I'm running macOS 11.1 What's the benefit instead of just placing the dylib under the specified path like /usr/lib/?