Code Block | When testing our Endpoint Security product on Big Sur beta 8 or 9, we found that if SIP is enabled our EndpointSecurity system extension hangs and is then killed by the kernel when another process runs "vmmap -w <PID of extension>". This happens when either ES_EVENT_TYPE_AUTH_OPEN or ES_EVENT_TYPE_AUTH_MMAP are submitted as events to subscribe to. No other events that we use cause this issue. If SIP is disabled, this does not occur. |
|
| To make sure that it wasn't our code not returning quick enough, I tested with just AUTH_OPEN and have the client callback just return "es_respond_flags_result(client, msg, 0xffffffff, true);". I also disable pretty much every thing else that our extension does, like create an XPC listener for messages from our service, no other notify or auth subscriptions, just AUTH_OPEN and returning a flags result. |
|
| This feels very much like my other ticket, FB7526331. We were given a work-around of subscribing to the AUTH_GET_TASK event and deny it if we were the target. I hope that there is something like that for this issue. |
|
| Sorry about the weird formatting, not doing code messes up all the underscores. |
|
| Quinn, before you ask, this is FB8783607 |
