Installing SystemExtensions

Hi, I tried to install a simple "Hello, world" SystemExtension I created, however I get the following error:

Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}

When I search this code in the SystemExtensions documentation, code 8 specifically means an there was an invalid code signature. I have signed both the extension and the parent application with a free Apple Developer account identity (with Xcode set to manage signing identities automatically). However, due to the lack of documentation on SystemExtensions, I'm clueless as to what's required for a SystemExtension. I've also tried signing them with local-machine-only identities (i.e. only valid for my system), but this doesn't let them load either. What am I missing here?

Replies

What type of extension are you creating? All types: DriverKit, Endpoint Security, Network Extensions require the correct entitlements set. Additionally if you want to test them out you should disable SIP.

Could you please point me to some documents or sample projects about creating those extensions you mentioned here ?


I've Xcode 11.2 (beta), and I see two more templates at the end: DriverKit, and DriverKit framework. That's about it.


I need to find out how to create the flavors you mentioned...


Only thing is - I can create a template and thats about it.


Thanks,

prokash

The one official sample project from Apple that I've been able to find has been a Network Extension one. You can find it here


https://developer.apple.com/documentation/networkextension/filtering_network_traffic


So far I haven't seen a finished Endpoint Security example or full Driver Kit one.

Thanks much scknight !

Hello, let me squash in to raise a question here 🙂. I'va a xcode 11.0 beta 2(11M337n) installed, but when I try to create a new project or insert a new target to an existing project, I can't find the 'Endpoint Security' template in the wizard, either I can't find the document to detail the Endpoint Security APIs. Does anybody can give some clues here?

For EndpointSecurity create a command line tool, turn off SIP, add com.apple.developer.endpoint-security.client to entitlement, add dependency on EndpointSecurity.framework and run it as a root. I have managed to run code based on this example code:

https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba


Please note that intercepting AUTH_OPEN event makes the whole GUI irresponsible after I switch from console to Xcode even if I always allow; it seems there are still some bugs? Anyone has similar experience?

Hi,

Yes there is no template for any SystemExtension but Network Extensions.

I didn't manage to get any custom SystemExtension to be loaded. I'll always get the following error:


"Extension not found in App bundle" UserInfo={NSLocalizedDescription=Extension not found in App bundle}


How ever you can use the Endpoint Security API directly in a daemon, you just need to run it as root. (And disable SIP)


There is some 'documentation' within the header files of the EndpointSecurity Framework.

You can find the headers here:

/Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/

Yes, when I use AUTH_OPEN I have similar issues. To me it looks like the allow is not processed properly. Maybe you need to use es_respond_flags_result to respond to an AUTH_OPEN instead of es_respond_auth_result.

Thanks a lot for the observation; I have completely missed this function as I have somehow connected it with es_action_type_t in my head. It looks that this is the solution!


As a note, in XCode Beta 3 the api has changed quite significantly, and as such upgrading to 10.15 beta3 requires Xcode beta 3 and rebuild with code fixes!

Did you know how to interpret the flags?


All I found out is that the LSB is set when a file is opened for reading and the second least bit is set when the file is opened for writing.
I didn't find any flags within the headers.

it seems these are flags from open(); BTW the es_respond_auth_result solution did not work, there is already a top level post about OPEN hanging the system, AFAIK that is still true as of beta4

Looks like it is due to mismatct between extension filename and the bundle ID of the extension. correct that and you may be able to activate it.

I figured this out early on. It can find the extension it will always fail verification with:


System extension request failed: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 9.)


Unlike network extensions on iOS, the macOS Network Extension System Extension will create a NEMachServiceName and the Network Extension validation makes it "mandatory" that a matching App Group must be defined for the Mach service or it will fail validation.


Solution: Create a matching App Group (if you deleted it like I did) or... delete App Group and NEMachServiceName (didn't try the latter)

  • I was facing the same error with "activation request failed, error: OSSystemExtensionErrorDomain / 9", and your input to correct 'NEMachServiceName' resolved my issue. Thanks

Add a Comment

Has anybody gotten an application with the system extension install entitlement to work on 10.14 and below? We have to support 10.14 obviously, but if we include the system extension install entitlement (com.apple.developer.system-extension.install) in our application's Info.plist (the applicatoin that contains the system extension) it immediately crashes with a bad code signature on 10.14 and below. The application works (and system extension installs) on 10.15.


If the entitlement isn't necessary, how do we get the extension to install on 10.15? We haven't gotten the extension to install correctly with SIP enabled without using this entitlement.

I just had a look into the headers that came with Beta 6 and Apple finally clearefied the flags.


/**
 * Note: The `fflag` field represents the mask as applied by the kernel, not as represented by typical
 * open(2) `oflag` values. When responding to `ES_EVENT_TYPE_AUTH_OPEN` events using
 * es_respond_flags_result(), ensure that the same FFLAG values are used (e.g. FREAD, FWRITE instead
 * of O_RDONLY, O_RDWR, etc...).
 *
 * @see fcntl.h
 */