Hello,
in our system extension we monitor AUTH_OPEN events via the Endpoint Security client. The extension is correctly signed (with hardened runtime) and has full disk access enabled.
For each open event we try to obtain the extended attribute "com.apple.quarantine" using getxattr() and the path name provided in the open event.
The getxattr() call is always returning ENOATTR (93) even for files that have the "com.apple.quarantine" attribute set.
Does obtaining extended attributes not work from a system extension, do we need any special entitlements or is this just a bug?
Note: Big Sur 11.1 - this only shows with SIP enabled; with SIP disabled the attributes can be read correctly.
Frank
Sophos Inc.