I am developing an app that uses the Endpoint Security API.
I need to mute a few processes like: my own process, Xcode, etc.
However, if the muted processes create child processes, I want these processes to be muted as well. The full process tree under muted processes should be muted.
How can that be done?
Can't see it in the docs and can't find an example.
If it can't be done, what's the closest thing to that I can implement?
Thanks!
I have an app that uses Endpoint Security.
I have 1 client that registered many AUTH and NOTIFY event types.
When I receive an Endpoint Security message (event) and my handler is called, which thread does it use?
If I have 1 client will it always just use the same 1 thread?
If not, can it ever happen that I register 1 client, and it will handle more than 1 event at the same time, regardless of the event type or anything else?
We have a huge project.
Until today we didn't use an .app, but now we must in order to use Endpoint Security and other stuff.
Until today our binary sat in /opt/XYZ/binary.bin
Now, because of the .app, it looks like it will have to be /opt/XYZ/Cool.app/Content/MacOs/binary.bin
This change really breaks our code and will cause a massive code change.
If I extract the binary from the app and place it in /opt/XYZ/binary.bin and run it, the process is killed.
Is there a way to extract it from the app and run it from /opt/XYZ ?
Any tool, command, resource, etc. will be great.
Ventura 13.2.1 M1
Sonoma 14.2.1 M2
In my app I have a signal handler.
When testing it with a null dereference I see that in previous macOS versions like Monterey 12.0 x86 the signal handler is called.
However, on my Silicon Ventura/Sonoma machines it's not called.
Tried with SIP enabled and disabled
So I created a binary with code:
#include <iostream>

int main() {
    int *ptr = nullptr;
    std::cout << *ptr; // Dereference null pointer
    return 0;
}
Compiled it with:
g++ null.cpp -o null.bin
And executed it with and without sudo.
The app indeed crashes because of the null dereference (and core dump is created when SIP disabled).
However, no signal is received. I am able to prove it with DTrace.
DTrace script:
#pragma D option quiet

proc:::signal-send
{
    @[execname, stringof(args[1]->pr_fname), args[2]] = count();
}

END
{
    printf("%20s %20s %12s %s\n",
        "SENDER", "RECIPIENT", "SIG", "COUNT");
    printa("%20s %20s %12d %@d\n", @);
}
Here is the output. In the left terminal I executed the binary. In the right terminal the script output.
On top of DTrace I created a macOS endpoint-security app and subscribed to ES_EVENT_TYPE_NOTIFY_SIGNAL. Same there, no signal.
Did anything change with signals on M1/M2 macOS 13.0?