If I allow an ES_EVENT_TYPE_AUTH_* event to proceed, does it override the default behavior?

Using the EndpointSecurity (ES) API, we can subscribe to ES_EVENT_TYPE_AUTH_* events, and in the ES handler, allow or deny them.

If I allow such an event in the ES handler, does this decision override the default handling of this event that would have otherwise denied this request? My guess is no, but I want to confirm.

Examples:
  • Target app is runtime-hardened. Another app tries to get the task port by calling task_for_pid() on the target app. This should result in an ES_EVENT_TYPE_AUTH_GET_TASK event, and the event handler allows it.

  • A file is readable only by root, and a non-root process attempts to read it. This should result in an ES_EVENT_TYPE_AUTH_OPEN event sent to the ES handler. The handler allows this to proceed.

  • An executable is marked to be launched only by root (the file is owned by root, and the 'x' bit is set only for the owner), and a non-root process attempts to launch it. This should result in an ES_EVENT_TYPE_AUTH_EXEC event, and the event handler allows it.

Answered by DTS Engineer in 624545022

If I allow such an event in the ES handler, does this decision override the default handling of this event that would have otherwise denied this request?

No. An ES client can only tighten security.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
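The three scenarios from the question, as an added example ES client (not code from the question or from DTS). It assumes a macOS binary signed with the com.apple.developer.endpoint-security.client entitlement and run as root; the point it demonstrates is that an ALLOW only withdraws this client's objection, while the file mode bits, the execute permission and the hardened-runtime task-port restriction are still enforced.

```objc
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <stdio.h>
#include <stdlib.h>

// Added example client (not from the question or the DTS answer). Needs the
// com.apple.developer.endpoint-security.client entitlement and root.
int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        switch (msg->event_type) {
        case ES_EVENT_TYPE_AUTH_OPEN:
            // AUTH_OPEN is answered with flags, not an auth result. Returning the
            // requested fflag unchanged means "no objection from this client"; the
            // kernel still applies the file's mode bits, so a non-root open of a
            // root-only file fails regardless of what is returned here.
            es_respond_flags_result(c, msg, (uint32_t)msg->event.open.fflag, false);
            break;
        case ES_EVENT_TYPE_AUTH_EXEC:
        case ES_EVENT_TYPE_AUTH_GET_TASK:
            // ALLOW only withdraws this client's veto. The execute-permission check
            // and the hardened-runtime task-port restriction are evaluated
            // separately and are not bypassed by an ALLOW. DENY, by contrast, is
            // final. Every AUTH message must be answered before msg->deadline.
            es_respond_auth_result(c, msg, ES_AUTH_RESULT_ALLOW, false);
            break;
        default:
            break;
        }
    });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)res);
        return EXIT_FAILURE;
    }
    es_event_type_t events[] = {
        ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_EXEC, ES_EVENT_TYPE_AUTH_GET_TASK
    };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
        es_delete_client(client);
        return EXIT_FAILURE;
    }
    dispatch_main();   // never returns; the handler runs on ES's own queues
}
```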