NSEndpointSecurityEarlyBoot, When Does It Load Extensions

Hi,

I have the NSEndpointSecurityEarlyBoot flag set in plist for my ES extension. I see an entry in /Library/SystemExtensions/EndpointSecurity/.early_boot.plist that has a hash that corresponds to my extension in the /Library/SystemExtensions/db.plist file. According to the man page entry quoted below


    NSEndpointSecurityEarlyBoot
    Type: Boolean

    If set to TRUE, the ES subsystem will hold up all third party
    executions (anything that is not a platform binary) until all
    early boot ES extensions make their first subscription.


my extension should load right after the Apple system extension, right? What I'm seeing is that it loads early, but other binaries are loaded before it, e.g., my launchd service code. The PID for the service code is 100 and the PID for the extension is 269 for the most recent test.


That doesn't feel right to me based on the information above. My question is: 1) Is there something else I need to do to load early, 2) am I interpreting this wrong, or 3) is this a bug I should report?


Thanks

After seeing it mentioned in another post, it reminded me that I have "systemextensionsctl developer on" set. Does this affect this in any way? I'm testing with my app in the /Applications folder, so do I need this anymore?


The reason I'm asking is that it didn't seem to, same loading sequence on or off.

Hello,

I am facing the same issue. Did you find any solution for this?

It's the way that the processes are launched that is confusing. Here is the explanation from Apple:


PIDs are assigned at fork time, not exec time. When the ES kext knows there are early boot clients, it holds up the kernel thread performing the execve. So all binaries that would get exec'd (e.g. via Loginwindow, launchd loads, etc.), will all get a new pid - they just won't have code execute if they're non-platform binaries until the ES client connects and makes its first set of subscriptions (and, if they subscribed to AUTH EXEC, the client has the opportunity to DENY the exec from continuing). None of this has anything to do with lower numbered PIDs.

I did prove that this was the case by looking at log lines from my extension and my launchd process. The extension logged first, even though its PID was larger.
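The behaviour described in the man page and in Apple's explanation above, as an added example (not code from this thread or from Apple): a minimal Swift ES client whose first es_subscribe call is the moment held third-party execs are released. It logs each exec's PID and is_platform_binary flag so load order can be checked from log timestamps rather than PID numbers. The log subsystem name is assumed, and the extension's Info.plist is assumed to already carry NSEndpointSecurityEarlyBoot = true plus the ES client entitlement.

```swift
import EndpointSecurity
import Foundation
import os

// Hypothetical subsystem name; use your extension's bundle identifier.
let log = Logger(subsystem: "com.example.es-earlyboot", category: "exec")

var client: OpaquePointer?
let newClientResult = es_new_client(&client) { c, message in
    // Until this client's first es_subscribe(), ES holds every execve of a
    // non-platform binary. Those held execs arrive here right after the
    // subscription, and because PIDs are assigned at fork time their PIDs
    // can be lower than this extension's own PID.
    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_EXEC else { return }
    let target = message.pointee.event.exec.target.pointee
    let path = String(cString: target.executable.pointee.path.data)
    let pid = audit_token_to_pid(target.audit_token)
    log.info("exec pid=\(pid) platform=\(target.is_platform_binary) path=\(path, privacy: .public)")
    // Allow every exec; a real extension applies its own policy here.
    es_respond_auth_result(c, message, ES_AUTH_RESULT_ALLOW, false)
}

guard newClientResult == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    log.error("es_new_client failed: \(newClientResult.rawValue)")
    exit(EXIT_FAILURE)
}

// First subscription: held third-party execs continue from this point on.
var events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_EXEC]
guard es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    log.error("es_subscribe failed")
    exit(EXIT_FAILURE)
}
log.info("early-boot client subscribed; extension pid=\(getpid())")
dispatchMain()
```

Compare the timestamps of the "subscribed" line and the first "exec" lines in `log show`; the held execs log after the subscription even when their PIDs are smaller.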