es_new_client() failing with ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED

With SIP enabled, calling


es_new_client_result_t res = es_new_client(&g_client, (argc > 0) ? deferedHandler : serialHandler);


returns ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED.


I do have com.apple.developer.endpoint-security.client in my provisioning profile.


I see that the provisioning profile is embedded in the installed application


/Applications/fox1.app/Contents/Library/SystemExtensions/com.netsqllc.fox1.foxextension.systemextension/Contents/embedded.provisionprofile


and looking at the contents of that file does show the endpoint-security-client inside


Entitlements
    com.apple.developer.endpoint-security.client

The extension does launch with euid and ruid of 0.


(Edit: Also, the System Preferences panel comes up, I unlock it, and click "Allow" to allow the application to start.)



Any ideas why I am getting ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED?

Answered by obenshalom in 406742022

Additional details (app name changed to "hen")


Entitlements for main app

$ codesign -d --entitlements :- hen.app
Executable=/Applications/hen.app/Contents/MacOS/hen
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key>
  <string>MRNTF77FCR.com.netsqllc.hen</string>
  <key>com.apple.developer.system-extension.install</key>
  <true/>
  <key>com.apple.developer.team-identifier</key>
  <string>MRNTF77FCR</string>
  <key>com.apple.security.files.user-selected.read-only</key>
  <true/>
</dict>
</plist>


Entitlements for extension

$ codesign -d --entitlements :- hen.app/Contents/Library/SystemExtensions/com.netsqllc.hen.henextension.systemextension/
Executable=/Applications/hen.app/Contents/Library/SystemExtensions/com.netsqllc.hen.henextension.systemextension/Contents/MacOS/com.netsqllc.hen.henextension
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>com.apple.application-identifier</key>
  <string>MRNTF77FCR.com.netsqllc.hen.henextension</string>
  <key>com.apple.developer.endpoint-security.client</key>
  <true/>
  <key>com.apple.developer.team-identifier</key>
  <string>MRNTF77FCR</string>
</dict>
</plist>

And console log

allowing entitlement(s) for com.netsqllc.hen.henextension due to provisioning profile (isUPP: 1)
Failed to open service: -536870174
Sandbox: com.netsqllc.hen(9915) System Policy: deny(1) system-privilege 1016


The "Failed to open service" references /usr/lib/libEndpointSecurity.dylib


Any help would be appreciated.

Accepted Answer

Hi,

You might need to approve Full Disk Access to your extension.


This is done in System Preferences -> Security & Privacy -> Privacy -> Full Disk Access


Maybe @eskimo can explain why it is required/not included as part of the entitlements.
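As an added example (not code from the thread or from Apple), here is how the call in the question can be written so that each es_new_client_result_t value is turned into the check a developer should make first, which is exactly the distinction this thread turns on: the entitlement was present and the extension ran as root, so ERR_NOT_ENTITLED and ERR_NOT_PRIVILEGED were ruled out, leaving the TCC approval (Full Disk Access) that ERR_NOT_PERMITTED reports. On macOS it builds against the real EndpointSecurity framework (link with -framework EndpointSecurity and run as root inside a system extension); on other platforms only the triage function compiles, against a mirror of the enum values from <EndpointSecurity/ESTypes.h>. The helper names es_new_client_hint and run_probe are this example's own.

```c
/* Added example: create an Endpoint Security client and map every
 * es_new_client_result_t to an actionable hint. Not the thread's code. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#ifdef __APPLE__
#include <EndpointSecurity/EndpointSecurity.h>
#else
/* Mirror of es_new_client_result_t (same order and values as Apple's
 * ESTypes.h) so the triage logic compiles and runs off macOS as well. */
typedef enum {
    ES_NEW_CLIENT_RESULT_SUCCESS,
    ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT,
    ES_NEW_CLIENT_RESULT_ERR_INTERNAL,
    ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED,
    ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED,
    ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED,
    ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS
} es_new_client_result_t;
#endif

/* Hypothetical helper: the first thing to check for each result code.
 * NOT_ENTITLED  -> code signature / provisioning profile
 * NOT_PRIVILEGED -> effective uid
 * NOT_PERMITTED -> TCC approval (Full Disk Access), the case in the thread */
const char *es_new_client_hint(es_new_client_result_t r)
{
    switch (r) {
    case ES_NEW_CLIENT_RESULT_SUCCESS:
        return "ok";
    case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
        return "invalid argument: client pointer or handler block is NULL";
    case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
        return "internal error in the ES subsystem: check the unified log";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
        return "missing com.apple.developer.endpoint-security.client "
               "entitlement: verify with codesign -d --entitlements :-";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
        return "no TCC approval: grant Full Disk Access to the extension "
               "under Security & Privacy -> Privacy";
    case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
        return "caller must run as root (euid 0)";
    case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
        return "too many ES clients connected on this system";
    }
    return "unknown result code";
}

#ifdef __APPLE__
/* Hypothetical probe, macOS only: create the client, subscribe to one
 * NOTIFY event (never AUTH, so nothing on the system is ever blocked),
 * and tear the client down cleanly. */
static int run_probe(void)
{
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            (void)c;
            /* NOTIFY events need no es_respond_* call; just log the type. */
            fprintf(stderr, "event type %d\n", (int)msg->event_type);
        });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed (euid=%d): %s\n",
                (int)geteuid(), es_new_client_hint(res));
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_NOTIFY_EXEC };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return 1;
    }
    fprintf(stderr, "subscribed to NOTIFY_EXEC; Ctrl-C to stop\n");
    pause();
    es_delete_client(client);
    return 0;
}
#endif

int main(void)
{
#ifdef __APPLE__
    return run_probe();
#else
    /* Off macOS there is no ES API; show the hint for the thread's code. */
    printf("%s\n", es_new_client_hint(ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED));
    return 0;
#endif
}
```

The useful habit here is logging the hint together with geteuid() at the failure site: the console line "Failed to open service" from libEndpointSecurity says nothing about which of the three preconditions (entitlement, root, TCC approval) was missing, while the result code does.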

Holy cow, you were right!!


I re-installed the app via the same package installer. Before launching the application this time, I followed your instructions for granting the extension Full Disk Access, then launched the .app application and started the extension, and success!


Thanks a million!
