Installing SystemExtensions

Hi, I tried to install a simple "Hello, world" SystemExtension I created, however I get the following error:

Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}

When I search for this code in the SystemExtensions documentation, code 8 specifically means there was an invalid code signature. I have signed both the extension and the parent application with a free Apple Developer account identity (with Xcode set to manage signing identities automatically). However, due to the lack of documentation on SystemExtensions, I'm clueless as to what's required for a SystemExtension. I've also tried signing them with local-machine-only identities (i.e. only valid for my system), but this doesn't let them load either. What am I missing here?

What type of extension are you creating? All types (DriverKit, Endpoint Security, Network Extensions) require the correct entitlements to be set. Additionally, if you want to test them out you should disable SIP.

Could you please point me to some documents or sample projects about creating those extensions you mentioned here?


I have Xcode 11.2 (beta), and I see two more templates at the end: DriverKit, and DriverKit framework. That's about it.


I need to find out how to create the flavors you mentioned...


Only thing is: I can create a template and that's about it.


Thanks,

prokash

The one official sample project from Apple that I've been able to find has been a Network Extension one. You can find it here


https://developer.apple.com/documentation/networkextension/filtering_network_traffic


So far I haven't seen a finished Endpoint Security example or full Driver Kit one.

Thanks much scknight !

Hello, let me squeeze in to raise a question here 🙂. I have Xcode 11.0 beta 2 (11M337n) installed, but when I try to create a new project or insert a new target into an existing project, I can't find the 'Endpoint Security' template in the wizard, nor can I find the document detailing the Endpoint Security APIs. Can anybody give some clues here?

For EndpointSecurity, create a command line tool, turn off SIP, add com.apple.developer.endpoint-security.client to the entitlements, add a dependency on EndpointSecurity.framework and run it as root. I have managed to run code based on this example code:

https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba


Please note that intercepting the AUTH_OPEN event makes the whole GUI unresponsive after I switch from the console to Xcode, even if I always allow; it seems there are still some bugs? Does anyone have a similar experience?

Hi,

Yes, there is no template for any SystemExtension except Network Extensions.

I didn't manage to get any custom SystemExtension to load. I always get the following error:


"Extension not found in App bundle" UserInfo={NSLocalizedDescription=Extension not found in App bundle}


However, you can use the Endpoint Security API directly in a daemon; you just need to run it as root (and disable SIP).


There is some 'documentation' within the header files of the EndpointSecurity Framework.

You can find the headers here:

/Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/

Yes, when I use AUTH_OPEN I have similar issues. To me it looks like the allow is not processed properly. Maybe you need to use es_respond_flags_result to respond to an AUTH_OPEN instead of es_respond_auth_result.

Thanks a lot for the observation; I had completely missed this function as I had somehow connected it with es_action_type_t in my head. It looks like this is the solution!


As a note, in Xcode Beta 3 the API has changed quite significantly, and as such upgrading to 10.15 beta 3 requires Xcode beta 3 and a rebuild with code fixes!

Do you know how to interpret the flags?


All I found out is that the LSB is set when a file is opened for reading and the second least significant bit is set when the file is opened for writing.
I didn't find any flags within the headers.

It seems these are flags from open(). BTW, the es_respond_auth_result solution did not work; there is already a top level post about OPEN hanging the system, and AFAIK that is still true as of beta 4.

Looks like it is due to a mismatch between the extension filename and the bundle ID of the extension. Correct that and you may be able to activate it.

I figured this out early on. It can find the extension, but it will always fail verification with:


System extension request failed: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 9.)


Unlike network extensions on iOS, the macOS Network Extension System Extension will create a NEMachServiceName and the Network Extension validation makes it "mandatory" that a matching App Group must be defined for the Mach service or it will fail validation.


Solution: Create a matching App Group (if you deleted it like I did) or... delete App Group and NEMachServiceName (didn't try the latter)
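As an added illustration of the App Group requirement described above (this is not from the thread or from Apple's sample project; the bundle and group identifiers are made up), the extension's Info.plist names the Mach service, and an app group that is a prefix of that name must appear in the application-groups entitlement of the extension (and of the container app that talks to it):

```xml
<!-- Fragment of the system extension's Info.plist (hypothetical identifiers). -->
<key>NetworkExtension</key>
<dict>
    <!-- Must be prefixed by an app group the extension is entitled to use. -->
    <key>NEMachServiceName</key>
    <string>$(TeamIdentifierPrefix)group.com.example.firewall</string>
    <key>NEProviderClasses</key>
    <dict>
        <key>com.apple.networkextension.filter-data</key>
        <string>FilterDataProvider</string>
    </dict>
</dict>

<!-- Fragment of the extension's .entitlements: the same group as the prefix above. -->
<key>com.apple.security.application-groups</key>
<array>
    <string>$(TeamIdentifierPrefix)group.com.example.firewall</string>
</array>
<key>com.apple.developer.networking.networkextension</key>
<array>
    <string>content-filter-provider-systemextension</string>
</array>
```

If the NEMachServiceName is kept but the group is removed from the entitlements (or renamed so it is no longer a prefix), validation of the extension fails with OSSystemExtensionErrorDomain error 9, which is the failure reported in the post above.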

Has anybody gotten an application with the system extension install entitlement to work on 10.14 and below? We have to support 10.14 obviously, but if we include the system extension install entitlement (com.apple.developer.system-extension.install) in our application's Info.plist (the application that contains the system extension) it immediately crashes with a bad code signature on 10.14 and below. The application works (and the system extension installs) on 10.15.


If the entitlement isn't necessary, how do we get the extension to install on 10.15? We haven't gotten the extension to install correctly with SIP enabled without using this entitlement.

I just had a look into the headers that came with Beta 6 and Apple finally clarified the flags.


/**
 * Note: The `fflag` field represents the mask as applied by the kernel, not as represented by typical
 * open(2) `oflag` values. When responding to `ES_EVENT_TYPE_AUTH_OPEN` events using
 * es_respond_flags_result(), ensure that the same FFLAG values are used (e.g. FREAD, FWRITE instead
 * of O_RDONLY, O_RDWR, etc...).
 *
 * @see fcntl.h
 */
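To tie together the setup described earlier (command line tool, SIP off, the com.apple.developer.endpoint-security.client entitlement, link EndpointSecurity.framework, run as root) with the AUTH_OPEN/es_respond_flags_result and FREAD/FWRITE discussion just above, here is an added example. It is not code from the thread, from Apple, or from Omar Ikram's gist. Assumptions: the policy table is made up, the binary is signed with the entitlement named above, SIP is disabled for a locally signed build, and it is started as root. The flag conversion and policy helpers are plain C and build anywhere; only the part under `#ifdef __APPLE__` needs the EndpointSecurity framework.

```c
/* Added example (not from the thread, Apple, or Omar Ikram's gist): a
 * command-line EndpointSecurity client that subscribes to AUTH_OPEN and
 * answers with es_respond_flags_result(), plus the FFLAG policy behind it.
 * Assumptions: made-up policy table; binary signed with the
 * com.apple.developer.endpoint-security.client entitlement; SIP disabled for
 * a locally signed build; run as root. macOS build:
 *   clang -o esclient esclient.c -framework EndpointSecurity */
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Darwin kernel file flags (xnu bsd/sys/fcntl.h); <fcntl.h> defines them on
 * macOS, repeated here so the policy part also builds elsewhere. */
#ifndef FREAD
#define FREAD  0x00000001
#define FWRITE 0x00000002
#endif

/* Mirror of the kernel's FFLAGS(): O_RDONLY (0), O_WRONLY (1), O_RDWR (2)
 * become FREAD, FWRITE, FREAD|FWRITE; other open(2) bits are unchanged. This
 * is why the LSB means "read" and the next bit "write" in event.open.fflag. */
static uint32_t oflags_to_fflags(uint32_t oflags) {
    return (oflags & ~(uint32_t)O_ACCMODE) | ((oflags & O_ACCMODE) + 1);
}

typedef struct { const char *prefix; uint32_t allowed; } open_rule_t;

/* Constructed sample policy: read-only under /Library/Protected/, nothing at
 * all under its deny-all/ subtree. Longest matching prefix wins. */
static const open_rule_t kRules[] = {
    { "/Library/Protected/deny-all/", 0 },
    { "/Library/Protected/",          FREAD },
};

/* Mask to pass to es_respond_flags_result(). ES permits the open only if every
 * requested flag is in the authorized mask: returning the request allows,
 * 0 denies, a strict subset refuses this open (and, with cache=true, tells ES
 * that narrower opens of the same file need no further round trip). */
static uint32_t authorized_open_flags(const char *path, uint32_t requested) {
    const open_rule_t *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof(kRules) / sizeof(kRules[0]); i++) {
        size_t n = strlen(kRules[i].prefix);
        if (strncmp(path, kRules[i].prefix, n) == 0 && n > best_len) {
            best = &kRules[i];
            best_len = n;
        }
    }
    return best ? (requested & best->allowed) : requested;
}

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>

/* Runs on the queue ES owns; every AUTH message must be answered promptly.
 * AUTH_OPEN takes a flag mask (es_respond_flags_result), not the
 * ES_AUTH_RESULT_* values that es_respond_auth_result uses for other events. */
static void handle_message(es_client_t *client, const es_message_t *msg) {
    if (msg->event_type != ES_EVENT_TYPE_AUTH_OPEN) return;
    const es_string_token_t *tok = &msg->event.open.file->path;
    char path[1024];   /* token has an explicit length; copy into a bounded buffer */
    size_t n = tok->length < sizeof(path) - 1 ? tok->length : sizeof(path) - 1;
    memcpy(path, tok->data, n);
    path[n] = '\0';
    uint32_t authorized = authorized_open_flags(path, (uint32_t)msg->event.open.fflag);
    if (es_respond_flags_result(client, msg, authorized, false) != ES_RESPOND_RESULT_SUCCESS)
        fprintf(stderr, "es_respond_flags_result failed for %s\n", path);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *m) { handle_message(c, m); });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        /* NOT_ENTITLED / NOT_PERMITTED: missing entitlement, not root, or SIP on */
        fprintf(stderr, "es_new_client failed: %d\n", (int)r);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    dispatch_main();   /* never returns; messages arrive on ES's queue */
}
#else
/* No ES framework off macOS: just exercise the conversion and the policy. */
int main(void) {
    const char *files[] = { "/tmp/scratch", "/Library/Protected/config",
                            "/Library/Protected/deny-all/key" };
    uint32_t req = oflags_to_fflags(O_RDWR);
    for (size_t i = 0; i < 3; i++)
        printf("%-32s requested 0x%x -> authorized 0x%x\n",
               files[i], req, authorized_open_flags(files[i], req));
    return 0;
}
#endif
```

The entitlements file for codesign is a plist with the single boolean key com.apple.developer.endpoint-security.client set to true, applied with codesign -s <identity> --entitlements esclient.entitlements esclient (assumption: a local development identity, which on the betas discussed here also needs SIP off). Answering AUTH_OPEN with es_respond_auth_result instead of the flag mask is the mistake that produced the hangs reported in this thread.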

Hi Ondra k,


I tried this sample code in beta 9 (SIP disabled).

When I run it as a normal user, I can run it but get the ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED error.

When I run it as root, the demo crashes with Illegal instruction: 4


Application Specific Information:

dyld: launch, running initializers

/usr/lib/libSystem.B.dylib

Incoming message euid:0 does not match secinitd uid:501.


Any ideas?

Incoming message euid:0 does not match secinitd uid:501.

This indicates a mismatch between your EUID and the UID expected by the security subsystem. It’s common when you partially switch your execution context, that is, you’ve switched the traditional BSD UIDs to root but are still running in a user security context. See the Execution Contexts section of Technote 2083 Daemons and Agents for more about this.

You have a couple of options here:

  • You can use a system extension, which is the standard way of deploying an EndpointSecurity product.

  • You can use the EndpointSecurity API from a launchd daemon. The system runs this as root and in the global security context, and thus you won’t encounter this mismatch.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sorry, it is my fault, I had the wrong entitlements. When I set the right entitlements, it works!

Would you mind explaining how you built the example from Omar? I'm getting the exact error you had, which you then figured out.


Q1) Did you build this as a macOS app (basically with a GUI) etc.? Or did you build it as a command line app from the default template?


Q2) It seems like I need to build it as a command line app, but then I don't know how to get the *.entitlements file with the correct keys (in the form of plist entries). I can create the file manually and insert those entries given in the GitHub gist created by Omar.


Please help me: how did you build the code? The steps. Or if you could put the workspace on GitHub somewhere!


Thanks,

P

Now that I got the command line Endpoint Security working, and know that we will have to have a launchd based daemon with the right entitlements or some kind of System Extension (not sure how to build it this way, since there is no template as of yet)...


It looks like the AUTH-time file creation event is missing. There is no enum entry for it... How do we capture this?


Thanks,

Prokash

Now that I got the command line Endpoint Security working

I’m glad to hear that.

It looks like the AUTH-time file creation event is missing.

I think you should start a new thread for this question.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,


I am also having an issue with AUTH_OPEN; can you please explain how to use "es_respond_flags_result"?


Thanks

Sorry for the delayed response...


I will, thanks eskimo

BTW,


Would you please tell me how to create a system extension and attach it to a Cocoa app? I did post forum messages for this, and really hate to piggyback on some other discussion :-(.


Once I try to add a target, there is no option for a system extension (only a network extension).

Basically, ...


1st choice) Add some entitlements to make the firewall network extension also be an EP security extension (to spare the communication between two separate extensions).


2nd choice) Create a security extension as well. Have both extensions get loaded at runtime by the app that is embedding them.


Thanks

prokash

I responded on your other thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"