Endpoint Security & ES_EVENT_TYPE_AUTH_OPEN

App & System Services Drivers
Naoned OP
Created Feb ’20
Replies 6
Boosts 0
Views 1.8k
Participants 4

Hello,



I attempted to create a sample app using Endpoint Security. It's working ok for ES_EVENT_TYPE_NOTIFY_OPEN events. But as soon as I attempt to use ES_EVENT_TYPE_AUTH_OPEN, Endpoint Security is freezing the mac, and it either kill my process or the user session.



I've performed a sample code that is trusting processes for each notification during 30 sec, then enable blocking mode. And it fails.



Is it expected?


#import 
#import 
@import OSLog;


int main(int argc, const char * argv[]) {
  @autoreleasepool {
     // insert code here...
     es_client_t *client = NULL;
  es_new_client_result_t newClientResult =
  es_new_client(&client,
   ^(es_client_t * client, const es_message_t * message) {
  switch (message->event_type) {
  case ES_EVENT_TYPE_AUTH_OPEN:
  os_log( OS_LOG_DEFAULT , "EndpointSecurity : Allowing event from : %{public}s : Open %{public}s",message->process->executable->path.data, message->event.open.file->path.data);
  es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); // Immediately allow events
  break;
  case ES_EVENT_TYPE_NOTIFY_OPEN:
  os_log(OS_LOG_DEFAULT , "EndpointSecurity : trusting : %{public}s",message->process->executable->path.data);
  es_mute_process(client, &message->process->audit_token);
  break;
  default:
  os_log(OS_LOG_DEFAULT , "EndpointSecurity : unexpected event type : %i",message->event_type);
  es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true); // Immediately allow events
  break;
  }
  });


  // Handle any errors encountered while creating the client.
  switch (newClientResult) {
  case ES_NEW_CLIENT_RESULT_SUCCESS:
  // Client created successfully; continue.
  break;
  case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
  panic("Extension is missing entitlement.");
  break;
  case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
  panic ("Extension is not running as root.");
  break;
  case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
  // Prompt user to perform TCC approval.
  // This error is recoverable; the user can try again after
  // approving TCC.
  return 0;
  break;
  case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
  panic ("Invalid argument to es_new_client(); client or handler was null.");
  break;
  case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
  panic ("Exceeded maximum number of simultaneously-connected ES clients.");
  break;
  case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
  panic ("Failed to connect to the Endpoint Security subsystem.");
  break;
  }

  // Subscribe the client to the ES_EVENT_TYPE_NOTIFY_OPEN event.
  es_event_type_t eventTypes[] = { ES_EVENT_TYPE_NOTIFY_OPEN };
  es_return_t subscribeResult = es_subscribe(client, eventTypes, 1);
  if (subscribeResult != ES_RETURN_SUCCESS) {
  panic ("Client failed to subscribe to event.");
  }

  dispatch_after(dispatch_time(DISPATCH_TIME_NOW, (int64_t)(30 * NSEC_PER_SEC)), dispatch_get_main_queue(), ^{
  os_log(OS_LOG_DEFAULT , "EndpointSecurity : Started blocking mode");
  es_unsubscribe_all(client);
  // After 30 sec, replace ES_EVENT_TYPE_NOTIFY_OPEN by ES_EVENT_TYPE_AUTH_OPEN event.
  es_event_type_t eventTypes[] = { ES_EVENT_TYPE_AUTH_OPEN };
  es_return_t subscribeResult = es_subscribe(client, eventTypes, 1);
  if (subscribeResult != ES_RETURN_SUCCESS) {
  panic ("Client failed to subscribe to event.");
  }
  });

  NSRunLoop *runLoop = [NSRunLoop currentRunLoop];
        [runLoop run];
  }
  return 0;
}
Answered by aweqrwer in 406413022

Apparently, ES_EVENT_TYPE_AUTH_OPEN requires responding with es_respond_flags_result(4) instead of es_respond_auth_result(4) at line 16 in your code

Replies  6
Boosts  0
Views  1.8k
Participants  4
aweqrwer OP
Feb ’20
Accepted Answer

Apparently, ES_EVENT_TYPE_AUTH_OPEN requires responding with es_respond_flags_result(4) instead of es_respond_auth_result(4) at line 16 in your code

0
Naoned OP
Feb ’20

Thanks a lot! This is working.

0
blknit OP
May ’20

Can you tell me how you call es_respond_flags_result(4), I tryed with es_respond_flags_result(client, message, ES_AUTH_RESULT_ALLOW, true), es_respond_flags_result(client, message, 4, true), or es_respond_flags_result(client, message, 0x7FFFFFFF, true) but no luck it still freezing the mac, and kill my process or the user session.

0
DTS Engineer OP
Apple
May ’20

I’m not sure where this 

4
value is coming from, but the relevant flags here are 
FREAD
and 
FWRITE
(0x01 and 0x02, respectively).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
blknit OP
May ’20

Hi eskimo thanks for your reply I tried with the following code with no luck. it still freezing the mac, and kill my process or the user session. Can you take a look when I remove the auth_open event type it can works as expect.

int SEListener::startListen()
{
  int res = 0;
  es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN};
  if ((res = es_new_client(&m_esClient, ^(es_client_t * client, const es_message_t *message){
  static pid_t self_pid = getpid();
  switch (message->event_type) {
  case ES_EVENT_TYPE_AUTH_OPEN:
  {
  pid_t pid = audit_token_to_pid(message->process->audit_token);
  if(pid==self_pid)
  es_mute_process(client, &message->process->audit_token);
  es_respond_flags_result(client, message, FREAD | FWRITE, true);
  break;
  }
  case ES_EVENT_TYPE_NOTIFY_OPEN:
  break;
  default:
  break;
  }
  })) != ES_NEW_CLIENT_RESULT_SUCCESS)
  {
  printf("es_new_client error:%d\n",res);
  return res;
  }
  if ((res = es_clear_cache(m_esClient)) != ES_CLEAR_CACHE_RESULT_SUCCESS)
  {
  printf("es_clear_cache failed\n");
  return res;
  }

  if ((res = es_subscribe(m_esClient, events, (sizeof(events)/sizeof(events[0])))) != ES_RETURN_SUCCESS)
  {
  printf("es_subscribe failed\n");
  return res;
  }
  return res;
}
0
DTS Engineer OP
Apple
May ’20

I had a look at your code and I can’t spot any obvious problem. I do havhe some suggestions:

  • Check the results from 

    es_mute_process
    and 
    es_respond_flags_result
    . You can’t do much with these, so for the moment I’d just trap if you see a failure.

  • Also add a trap to the other cases in your switch statement. You should only be getting the 

    ES_EVENT_TYPE_AUTH_OPEN
    but, right now, if you were given another event, you’d never respond and the only way you’d notice that is when the system kills your client.

If those changes don’t reveal anything relevant my advice is that you open a DTS tech support incident so that I, or one of my colleagues, can investigate further.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
0
Endpoint Security & ES_EVENT_TYPE_AUTH_OPEN
First post date Last post date
 
 
Q