Endpoint Security deadline and sleeping

Question

Created Mar ’20

Replies 6

Boosts 0

Views 1.8k

Participants 4

When an Endpoint Security client gets an auth message, one of the fields in that message is the deadline, as described in the ESMessage.h file as so:

* @field deadline The Mach time before which an auth event must be responded to.
*        If a client fails to respond to auth events prior to the `deadline`, the client will be killed.

What happens if the client gets the message and either the machine is put to sleep or the VM is suspended until past the deadline time and the client can't repsond? Will the kernel still kill the client? Should it be smarter and understand sleeping / suspension?

I ask because I've seen many deaths upon waking my VM and seeing this dreaded message in the log.

"2020-03-10 10:50:08.284731-0700 0x430d Error 0x0 0 0 kernel: (EndpointSecurity) Client did not respond in appropriate amount of time (client pid: 773)"

Answered by DTS Engineer in 410061022

So, it's not a clock time, but a run time?

I’m going to point you to the

clock_gettime

man page, which explicitly documents the properties of

CLOCK_UPTIME_RAW

and its correlation to Mach absolute time.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Boost

Answer 1

DTS Engineer OP

Apple

Mar ’20

My experience is that Mach absolute time stops when the CPU sleeps.

ps Are you using a pre-release Xcode here. My copy of

<EndpointSecurity/ESMessage.h>

doesn’t have that comment.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

mdolan OP

Mar ’20

Hi Quinn,

Yes, Xcode 11.4 beta 3 (11N132i), running on 10.15.4 Beta (19E258a)

So, it's not a clock time, but a run time? I.e., it starts ticking on boot and pauses when it's asleep. I use the deadline and mach_time values to calculate a timeout value that I use to make sure we answer in time. Already had a timeout check, just updated it to use the MIN of this value (minus 1 second for a cushion) and our normal timeout value. But still occasionally see the above error message in the log after wakeup or resuming the VM after suspending it. Just made me wonder and post this question.

Thanks

0

Answer 3

DTS Engineer OP

Apple

Mar ’20

Accepted Answer

So, it's not a clock time, but a run time?

I’m going to point you to the

clock_gettime

man page, which explicitly documents the properties of

CLOCK_UPTIME_RAW

and its correlation to Mach absolute time.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 4

mdolan OP

Mar ’20

Thank you, Quinn.

0

Answer 5

itayb OP

Nov ’20

since iOS14, machabsolutetime()/CLOCKUPTIMERAW don't seem to stop while device is asleep. has anyone else seen this behavior? any other clock to read to get the intended behavior of a clock that stops while asleep?

0

Answer 6

idot123 OP

Nov ’20

Hi, @mdolan. So, what was the reason of the message? Because I also receive such messages after restoring from snapshots, and then Extension gets killed, every time by different processes - CVMCompiler, xpcproxy, mdworker_shared.

0