Explore the core architecture of the operating system, including the kernel, memory management, and process scheduling.

NSXPCConnection setCodeSigningRequirement: in sandbox works only with Developer ID signing
Hello, I use setCodeSigningRequirement: in a sandboxed XPCService and it seems that, no matter what, I always get errSecCSNoSuchCode[1] when the app is signed with a development certificate. The same application signed with a Developer ID is fine. I use the following CSR for development-signed builds:

    identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.] exists and certificate leaf[field.1.2.840.113635.] exists

But I also tried to simplify it to identifier com.example.app or just true. If I validate the CSR with codesign -R I get "explicit requirement satisfied". I spotted this log line:

    Sandbox: com.example.app(67058) deny(1) file-read-data /Users/(...)/example-app/build/arm64-mac/src/mac/app/Debug/Example App.app/Contents/MacOS/ExampleApp

So I disabled the sandbox for the XPCService and now everything works. But then why does the Developer ID-signed build work with the XPCService sandboxed? ...or does it really? :)

Just for completeness, the CSR which I use in the production build is:

    identifier com.example.app and anchor apple generic and certificate 1[field.1.2.840.113635.] exists and certificate leaf[field.1.2.840.113635.] exists and certificate leaf[subject.OU] = EXAMPLE
Including a prefpane in App bundle?
Somewhere in the back of my head, I seem to remember that we can include prefPanes in our app store distributed apps these days (much like we can now include driverkit extensions). I can't for the life of me find this in the documentation again though. Can we do this? Or do I need to copy it from my app bundle to ~/Library/PreferencePanes? Thanks!
When two memset struct with the same name will crash on ios18 beta1
1. The code structure is as follows: the main project imports an SDK.
2. The main project defines a struct A with a length of 1400 bytes, and the SDK also defines a struct A with a length of 1000 bytes.
3. The SDK does not expose the definition of struct A, but it is used in the implementation of the exposed API in the SDK.
4. In the usage process, the main project first calls the SDK's API, which uses the SDK's struct A and initializes it with memset. Then, in the main project, memset is used again to initialize the struct A declared in the main project.

In the above scenario, it works fine on iOS versions lower than iOS 18, but on iOS 18 beta 1 the app crashes randomly, and the crash scenario is not always the same. We need to know whether iOS 18 has made any changes to memory-operating APIs such as memset. Is memory management more stringent? Why do versions below iOS 18 not cause problems? Thanks!
Privileged daemon appears as unsigned in Login Items
Branching from a previous post titled "Privileged daemon using SMAppService in macOS Sequoia," I have a privileged daemon using SMAppService that works in Sonoma and Ventura. In the previous OS versions, privilege is applied in System Settings: Login Items, Allow in the Background. Under macOS Sequoia, the daemon appears by its bundle id instead of the parent app, and underneath it reads "Item from unidentified developer" and does not run, even when enabled. I'm wondering if additional steps are needed in the new OS to sign privileged daemons properly?
Can FSEvents include Snapshots of the Changed Files?
Hi folks! I'm David Barsky and I work on rust-analyzer, which is the IDE for the Rust programming language. For a while, we've had issues with VS Code not sending the correct changed files to the language server (such as when changing commits or rebasing), so I started using rust-analyzer's native, off-by-default file watching functionality that binds to FSEvents via the notify library. This has helped a bunch, but I'm not sure how completely reliable it is. Before I consider changing the default file watching behavior for our (many!) users, I wanted to check: is it possible to combine "walk & watch" into a single, atomic operation? My goal is that upon getting a notification for a file change event, rust-analyzer can read the changed file and not worry about TOCTOU-esque conditions (rust-analyzer has a pretty robust incremental computation system, so we're able to invalidate changes pretty reliably). That being said, based on this response from Quinn "The Eskimo!" about 8 years ago, and FSEventStreamCallback being a bit limited in the number of args, ...it seems like the answer appears to be "no". (I'm also familiar with Watchman, but it'd be great if the big pile of heuristics that Watchman uses were less necessary.)
App Intent Cannot Insert SwiftData items
When using App Intents, I can edit already existing SwiftData items, but I cannot insert new ones. Below are the two app intents I've used; both function in their entirety other than the model context insertion at the end of the second one.

    struct LinkViewedIntent: AppIntent {
        static var title: LocalizedStringResource = "Mark Link Viewed"

        @Parameter(title: "Link")
        var link: LinkEntity?

        init(link: Link) {
            self.link = LinkEntity(link: link)
        }

        init() {}

        func perform() async throws -> some IntentResult & ProvidesDialog {
            let entities = try await LinkEntityQuery().suggestedEntities().filter({ $0.viewed == false })
            guard !entities.isEmpty else {
                return .result(dialog: "There are no unviewed links to mark.")
            }

            var enteredLink: LinkEntity
            if let link = link {
                enteredLink = link
            } else {
                enteredLink = try await $link.requestDisambiguation(
                    among: LinkEntityQuery().suggestedEntities(),
                    dialog: "Which link would you like to mark viewed?"
                )
            }

            let context = ModelContext(ConfigureModelContainer())
            let links = try? context.fetch(FetchDescriptor<Link>())
            guard let link = links?.filter({ $0.id == enteredLink.id }).first else {
                return .result(dialog: "An Error Occured")
            }

            if link.viewed == true {
                return .result(dialog: "Link is already viewed")
            }

            link.viewed = true
            try context.save()
            return .result(dialog: "Okay, \(enteredLink.name ?? enteredLink.link) has been marked as viewed.")
        }

        static var parameterSummary: some ParameterSummary {
            Summary("Mark \(\.$link) as viewed.")
        }
    }

    struct SaveLinkIntent: AppIntent {
        static var title: LocalizedStringResource = "Save Link"

        @Parameter(title: "URL")
        var url: URL?

        func perform() async throws -> some IntentResult & ProvidesDialog {
            let modelContext = ModelContext(ConfigureModelContainer())

            var fullurl: URL
            if let url = url {
                fullurl = url
            } else {
                fullurl = try await $url.requestValue()
            }
            print(fullurl.absoluteString)

            guard let link = await makeLink(address: fullurl.absoluteString) else {
                return .result(dialog: "")
            }

            modelContext.insert(link)
            return .result(dialog: "I've added \(link.metadata?.title ?? link.address) to Memento")
        }
    }
macOS15 enable system extensions failed
We have developed a system extension based on the Endpoint Security framework, but after upgrading to macOS 15 beta, the system extension fails to enable in Login Items & Extensions. The specific prompt is shown in the image, and the system log indicates an XPC connection failure. When we use the command to check the extension status, it is [activated waiting for user]. We have tried some other products that use system extensions, and they are also unable to load their system extension.
Spotlight / Finder Search / Finder Tags not working on virtual file system Monterey/Ventura
I'm writing a virtual file system as my educational project (generic kernel extension). Currently, mostly everything is implemented; however, I'm having trouble using Finder search and tags. The results simply don't show up, even though I am seeing vnop_... calls to those files. Extended attributes are supported. Inodes are stable. Mmap is implemented. Vnop_ioctl returns KERN_SUCCESS (but has no implementation).

An important point: previously, the search didn't work at all. Researching the web showed me that Spotlight indexation and Finder search are tightly glued together. So basically I was trying to enable support for Spotlight, thinking that would be the source of the problem. I was receiving "Unknown indexing state". All those tricks with mdutil, launchd, manual reindexation, etc. either did nothing or returned an error. The problem was resolved FOR SONOMA by making my VFS appear as a local one (adding the flags MNT_LOCAL and MNT_DOVOLFS). This changed the Spotlight state from "Unknown indexing state" to "Indexing is disabled". No need to turn it on for me; I am interested only in search and tags, not Spotlight itself. Basically, once Spotlight recognises my driver without error, the Finder works correctly, even with indexation disabled.

On either Monterey* or Ventura, I get the same problem. However, neither the system logs nor my driver show any kind of error. Spotlight simply returns an error. A reindexation attempt via Security & Privacy returns "Unknown error occured". A metadata read attempt (mdls) on Ventura and Monterey returns "Unable to locate file", but returns a huge list on Sonoma.

*Monterey and Ventura never have a .Spotlight-V100 folder. No disable-indexing files or other Spotlight restrictions are present. No user-space solutions seem to help. The kext is unsigned and running in an environment with SIP disabled and Security Mode reduced to Permissive.

Maybe there are some general rules for what is required on the VFS side to be recognised okay-ish by Spotlight? Or maybe something specific to my case? Any pointers and/or assistance would be greatly appreciated.
Maximum stack space
According to https://developer.apple.com/library/archive/documentation/Cocoa/Conceptual/Multithreading/CreatingThreads/CreatingThreads.html the maximum stack size is 512 KB for secondary threads, 8 MB for the OS X main thread and 1 MB for the iOS main thread. Can someone provide current information about the maximum stack size on the different OSes?
dyld not load library with rpath if SIP disabled
I'm working on a macOS app. Due to a security requirement, I add the following line in the Xcode Other Linker Flags: -Wl,-sectcreate,__RESTRICT,__restrict,/dev/null

But after testing, we found that the app crashes at launch if System Integrity Protection is disabled. Here is the report:

    System Integrity Protection: disabled
    Crashed Thread: 0
    Exception Type: EXC_CRASH (SIGABRT)
    Exception Codes: 0x0000000000000000, 0x0000000000000000
    Termination Reason: Namespace DYLD, Code 1 Library missing
    Library not loaded: @rpath/MyLib.framework/Versions/A/MyLib
    Referenced from: <845E83E4-9526-36F0-8A2D-ADD407697F4D> /Applications/MyApp/MyApp.app/Contents/MacOS/MyApp
    Reason: tried: '/System/Library/Frameworks/MyLib.framework/Versions/A/MyLib' (no such file, not in dyld cache), (security policy does not allow @ path expansion)
    (terminated at launch; ignore backtrace)
    Thread 0 Crashed:
    0 dyld 0x185f3a55c __abort_with_payload + 8
    1 dyld 0x185f46b10 abort_with_payload_wrapper_internal + 104
    2 dyld 0x185f46b44 abort_with_payload + 16
    3 dyld 0x185ecd584 dyld4::halt(char const*, dyld4::StructuredError const*) + 304
    4 dyld 0x185eca254 dyld4::prepare(dyld4::APIs&, dyld3::MachOAnalyzer const*) + 3884
    5 dyld 0x185ec8edc start + 1844

It looks like dyld can't load via rpath if the restrict segment exists and SIP is disabled. Is there a way to fix it? The framework & dylib files need to be in the bundle to avoid other apps using them, so pointing to /usr/lib is not an option. Thanks.
How to Install a Binary in SIP-Protected Locations in macOS without Recovery Mode
I'm looking for a solution to install a binary on a macOS system where System Integrity Protection (SIP) is enabled, and the target installation location is protected by SIP. I need to achieve this without booting into recovery mode to disable SIP. Is there any method to achieve this, such as by creating separate packages that can handle SIP-protected locations, developing or using installer applications capable of navigating SIP constraints, leveraging specific entitlements or permissions to facilitate the installation, or utilising Mobile Device Management (MDM) solutions for deployment? If anyone has experience or insights on any reliable ways to accomplish this, please share any detailed steps, tools, or best practices that could be useful.
USB Device Support in Virtualization Framework in macOS Sequoia 15
I was looking through the different Core OS announcements from WWDC24 and stumbled upon documentation for USB Device support in the Virtualization Framework. However, I haven't found any mention about it or the virtualization framework from the event or otherwise. Are there any related release notes, examples or additional material besides the API documentation for the Beta OS?
NO_CRASH_STACK error on launch
After our update for Xcode 15, we got a notable increase in crashes on our React Native apps at app launch. The logs say it's a NO_CRASH_STACK (logs attached). And it's weirdly happening mostly on iOS 16 only (we're just assuming in this part). Note that we are using Sentry as our crash reporter, but since this crash happens at the very beginning, we believe Sentry hasn't even finished initializing yet, so we don't get any data out of it.

f73729d3325dbc472c6a7c5fe2e11f0671e14b63.crash
04bf10e9a11bdd5f47f462d0e22eeec2226413fc.crash
6cdc0334d1673c66a117572b314422c15673fbef.crash
Issue with new Sonoma 14.5 update
What is the correct way to force a new update when it is not showing up in Software Update? The device's current OS version is 14.4 and, to be compliant, it needs to be upgraded to 14.5.

Device: MacBook Pro (16-inch, 2019) 8-Core Intel Core i9

After trying the following command:

    softwareupdate -l

I am getting:

    Software Update Tool
    Finding available software
    No new software available.

After downloading the update from here: https://apps.apple.com/us/app/macos-sonoma/id6450717509 we are receiving the 14.4 update.

Please advise what else can be done in this case. Thanks