How to trigger sysextd to show the approval button again in security pane?

Question

bjarnoldus OP

Created Jun ’20

Replies 4

Boosts 0

Views 1.6k

Participants 3

I'm porting our kext drivers to DriverKit. One of the big improvements is the easier debug roundtip.

I've downloaded the test application usbApp ( https://github.com/knightsc/USBApp), and changed the following issues:

- Manual sign the entitlements after build; see: https://forums.developer.apple.com/thread/131240

- Changed the transport.usb entitlements, see https://stackoverflow.com/questions/61634176/how-to-set-com-apple-developer-driverkit-transport-usb-entitlement

I can build and start usbApp, and when pressing 'Activate'. The dext will be loaded, and I'm able to consent the driver in the Security pane of settings. However, when I rebuild the driver, and decativate the old one, and activate the new one, the consent statement does not appear in Security pane, while the driver is waiting for it:

% systemextensionsctl list

1 extension(s)

--- com.apple.system_extension.driver_extension

enabled active teamID bundleID (version) name [state]

* XXXXXXX nl.example.MyUserUSBInterfaceDriver (2.0/2) nl.example.MyUserUSBInterfaceDriver [activated waiting for user]

The only option I have is to reboot the machine. Is there a way to trigger the consent from commandline?

Boost

Answer 1

sl149q OP

Jun ’20

If you have the System Preferences Security pane open, leave it (back < at top) and then back in (> at top). You should then see the allow dialog.
That said, it seems best to reboot.
I remove the application from /Applications, systemextensionsctl reset and reboot.
Even then occasionally it won't load correctly.
It helps if you have a separate development system and you can rsync the app into the test system for testing. Rebooting the test system is not as painful.

0

Answer 2

bjarnoldus OP

Jun ’20

That is really a pity, especially rebooting is very cumbersome. DriverKit has been advertised for the short development roundtriptime, but that is thus blocked by the gatekeeper. I hope someone knows a trick to trigger the appearance of this 'Enable' button again.
I will also try to find a trick :-) Thanks for your reply! I'll test it.

0

Answer 3

DTS Engineer OP

Apple

Jun ’20

Hello,

According to the documentation that describes 'deactivationRequestForExtension':

"A deactivation request may require a restart before deactivating the extension.
If the request succeeds but requires a restart to complete, the extension may
still appear operational until the next restart."

Please file a Feedback Assistant report if you find a reproducible case where deactivating a dext, rebooting, and then [re]activating the dext doesn't result in the ability to approve the dext in the Security & Privacy pane.

0

Answer 4

sl149q OP

Jun ’20

Possibly not quite best practice, but I use this script to remove the test app, cleanup the driver extension directory and reboot quickly. YMMV.

#!/bin/bash
set -x
rm -rf /Applications/USBApp.app

This appears to do the same as:

systemextensionsctl reset

echo 'ROOTPASSWDHERE' | sudo -S rm -rf /Library/DriverExtensions/* /Library/SystemExtensions/* /Library/SystemExtensions/.staging

echo 'ROOTPASSWDHERE' | sudo -S reboot

0