Installing SystemExtensions

Hi, I tried to install a simple "Hello, world" SystemExtension I created, however I get the following error:

Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}

When I search for this code in the SystemExtensions documentation, code 8 specifically means there was an invalid code signature. I have signed both the extension and the parent application with a free Apple Developer account identity (with Xcode set to manage signing identities automatically). However, due to the lack of documentation on SystemExtensions, I'm clueless as to what's required for a SystemExtension. I've also tried signing them with local-machine-only identities (i.e. only valid for my system), but this doesn't let them load either. What am I missing here?

Replies

Hi Ondra k,

I tried this sample code in beta 9 (SIP disabled).

When I run it as a normal user, I can run it but get the ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED error.

When I run it as the root user, the demo crashes with Illegal instruction: 4


Application Specific Information:

dyld: launch, running initializers

/usr/lib/libSystem.B.dylib

Incoming message euid:0 does not match secinitd uid:501.


Is there any idea?

Incoming message euid:0 does not match secinitd uid:501.

This indicates a mismatch between your EUID and the UID expected by the security subsystem. It’s common when you partially switch your execution context, that is, you’ve switched the traditional BSD UIDs to root but are still running in a user security context. See the Execution Contexts section of Technote 2083 Daemons and Agents for more about this.

You have a couple of options here:

  • You can use a system extension, which is the standard way of deploying an EndpointSecurity product.

  • You can use the EndpointSecurity API from a launchd daemon. The system runs this as root and in the global security context, and thus you won’t encounter this mismatch.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Sorry, it is my fault, I got the wrong entitlements. When I set the right entitlements, it works!

Would you mind sharing how you built the example from Omar? I'm getting the exact error you had before you figured it out.

Q1) Did you build this as a macOS App (basically with GUI) etc.? Or did you build it as a command line app from the default template?

Q2) It seems like I need to build it as a command line App, but then I don't know how to get the *.entitlements file with the correct keys (in the form of plist entries). I can create a file manually and insert those entries given in the GitHub repository created by Omar.


Please help me -- how did you build the code? The steps. Or if you could put the workspace on GitHub somewhere!!!


Thanks,

P

Now that I got the command line Endpoint Security working, and know that we will have to have a launchd based daemon with the right entitlements or some kind of System Extension (not sure how to build this way, since there is no template as of yet)...

It looks like the AUTH time file creation event is missing. There is no enum entry for it... How do we capture this???


Thanks,

Prokash

Now that I got the commandline Endpoint Security working

I’m glad to hear that.

It looks like on the AUTH time file creation event is missing.

I think you should start a new thread for this question.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi,


I am also having an issue with AUTH_OPEN, can you please guide me on how to use "es_respond_flags_result"?


Thanks
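Two questions in this thread go unanswered in place: Quinn's note that an EndpointSecurity client has to run as root in the global security context (a launchd daemon or a system extension) with the right entitlement, and the later question about how to answer an AUTH_OPEN event with es_respond_flags_result. The following is an added example, not code from this thread, from Omar's sample, or from Apple. It assumes the binary is signed with the com.apple.developer.endpoint-security.client entitlement and is launched as root by launchd (or inside a system extension); the protected path prefix and the fwriteFlag constant are constructed for the example.

```swift
import EndpointSecurity
import Foundation

// Added example, not from the thread. Assumes: running as root in the global
// security context (launchd daemon or system extension) and signed with the
// com.apple.developer.endpoint-security.client entitlement.

// Constructed sample path: opens for writing below this prefix are denied.
let protectedPrefix = "/tmp/es-demo-protected/"

// Value of FWRITE from <sys/fcntl.h>; es_event_open_t.fflag carries FREAD/FWRITE bits.
let fwriteFlag: UInt32 = 0x2

/// Decide which open flags to authorise for a path.
/// Returning the requested flags allows the open unchanged; clearing FWRITE
/// downgrades it to read-only; returning 0 would deny the open entirely.
func authorizedOpenFlags(path: String, requested: UInt32) -> UInt32 {
    guard path.hasPrefix(protectedPrefix) else { return requested }
    return requested & ~fwriteFlag
}

var client: OpaquePointer?
let newClientResult = es_new_client(&client) { client, message in
    // Only AUTH_OPEN is subscribed below, so nothing else needs a response.
    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_OPEN else { return }
    let openEvent = message.pointee.event.open
    let path = String(cString: openEvent.file.pointee.path.data)
    let requested = UInt32(bitPattern: openEvent.fflag)
    let allowed = authorizedOpenFlags(path: path, requested: requested)
    if allowed != requested {
        NSLog("ES demo: restricting open of %@ (requested 0x%x, allowed 0x%x)",
              path, requested, allowed)
    }
    // AUTH events must be answered before message.pointee.deadline or the
    // system drops the client. cache=false so every open is re-evaluated.
    let respond = es_respond_flags_result(client, message, allowed, false)
    if respond != ES_RESPOND_RESULT_SUCCESS {
        NSLog("ES demo: es_respond_flags_result failed: %u", respond.rawValue)
    }
}

// The error codes seen in this thread come from this call.
switch newClientResult {
case ES_NEW_CLIENT_RESULT_SUCCESS:
    break
case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
    fatalError("missing com.apple.developer.endpoint-security.client entitlement")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
    fatalError("not permitted: the client lacks TCC (Full Disk Access) approval")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
    fatalError("must run as root")
default:
    fatalError("es_new_client failed: \(newClientResult.rawValue)")
}

var events = [ES_EVENT_TYPE_AUTH_OPEN]
if es_subscribe(client, &events, UInt32(events.count)) != ES_RETURN_SUCCESS {
    fatalError("es_subscribe failed")
}

// Keep the process alive; the handler runs on ES's own dispatch queue.
dispatchMain()
```

Because this is an AUTH event, the decision is made in the handler and delivered with es_respond_flags_result; the flags you hand back are the subset of the requested fflag bits you permit, so stripping FWRITE turns a write open into a read-only one without denying the process access outright. Run from a launchd daemon (or inside a system extension) so the euid/secinitd mismatch from earlier in the thread does not occur.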

Sorry for the delayed response...


I will, thanks eskimo

BTW,


Would you please tell me how to create a system extension and attach it to an App (Cocoa)? I did post forum messages for this, and really hate to piggyback on some other discussion :-(.

Once I try to add a target, there is no option for a system extension (only network extension).

Basically, ...

1st choice) Add some entitlements to make the Firewall network extension also be an EP security extension (to spare the communication between two separate extensions).

2nd choice) Create a security extension as well. Have both extensions get loaded at runtime of the App that is embedding them.


Thanks

prokash

I responded on your other thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Now that the latest version is Big Sur (11.2), do we still need to disable SIP?