21 Replies
      Latest reply on Oct 17, 2019 2:36 AM by eskimo
facekapw Level 1 (0 points)

        Hi, I tried to install a simple "Hello, world" SystemExtension I created, however I get the following error:

        Error Domain=OSSystemExtensionErrorDomain Code=8 "Invalid code signature or missing entitlements" UserInfo={NSLocalizedDescription=Invalid code signature or missing entitlements}

When I search for this code in the SystemExtensions documentation, code 8 specifically means there was an invalid code signature. I have signed both the extension and the parent application with a free Apple Developer account identity (with Xcode set to manage signing identities automatically). However, due to the lack of documentation on SystemExtensions, I'm clueless as to what's required for a SystemExtension. I've also tried signing them with local-machine-only identities (i.e. only valid for my system), but this doesn't let them load either. What am I missing here?

        • Re: Installing SystemExtensions
scknight Level 1 (10 points)

What type of extension are you creating? All types (DriverKit, Endpoint Security, Network Extensions) require the correct entitlements to be set. Additionally, if you want to test them out, you should disable SIP.

            • Re: Installing SystemExtensions
prokash Level 1 (0 points)

Could you please point me to some documents or sample projects about creating those extensions you mentioned here?

               

I have Xcode 11.2 (beta), and I see two more templates at the end: DriverKit and DriverKit framework. That's about it.

               

              I need to find out how to create the flavors you mentioned...

               

The only thing is, I can create a template and that's about it.

               

              Thanks,

              prokash

              • Re: Installing SystemExtensions
Dennis Chen Level 1 (0 points)

Hello, let me squash in to raise a question here. I have Xcode 11.0 beta 2 (11M337n) installed, but when I try to create a new project or insert a new target into an existing project, I can't find the 'Endpoint Security' template in the wizard, nor can I find the documentation detailing the Endpoint Security APIs. Can anybody give some clues here?

                  • Re: Installing SystemExtensions
ondra k Level 1 (0 points)

For EndpointSecurity, create a command line tool, turn off SIP, add com.apple.developer.endpoint-security.client to the entitlements, add a dependency on EndpointSecurity.framework and run it as root. I have managed to run code based on this example code:

                    https://gist.github.com/Omar-Ikram/8e6721d8e83a3da69b31d4c2612a68ba

                     

Please note that intercepting the AUTH_OPEN event makes the whole GUI unresponsive after I switch from the console to Xcode, even if I always allow; it seems there are still some bugs? Does anyone have similar experience?

                      • Re: Installing SystemExtensions
BoBKelso Level 1 (0 points)

                        Yes, when I use AUTH_OPEN I have similar issues. To me it looks like the allow is not processed properly. Maybe you need to use es_respond_flags_result to respond to an AUTH_OPEN instead of es_respond_auth_result.

                          • Re: Installing SystemExtensions
ondra k Level 1 (0 points)

Thanks a lot for the observation; I had completely missed this function, as I had somehow connected it with es_action_type_t in my head. It looks like this is the solution!

                             

As a note, in Xcode Beta 3 the API has changed quite significantly, and as such upgrading to 10.15 beta 3 requires Xcode beta 3 and a rebuild with code fixes!

                              • Re: Installing SystemExtensions
BoBKelso Level 1 (0 points)

Do you know how to interpret the flags?

                                 

All I found out is that the LSB is set when a file is opened for reading and the second least significant bit is set when the file is opened for writing.
I didn't find any flags within the headers.

                                  • Re: Installing SystemExtensions
ondra k Level 1 (0 points)

It seems these are flags from open(). BTW, the es_respond_auth_result solution did not work; there is already a top-level post about OPEN hanging the system, and AFAIK that is still true as of beta 4.

                                      • Re: Installing SystemExtensions
BoBKelso Level 1 (0 points)

I just had a look into the headers that came with Beta 6, and Apple finally clarified the flags.

                                         

                                        /**
                                         * Note: The `fflag` field represents the mask as applied by the kernel, not as represented by typical
                                         * open(2) `oflag` values. When responding to `ES_EVENT_TYPE_AUTH_OPEN` events using
                                         * es_respond_flags_result(), ensure that the same FFLAG values are used (e.g. FREAD, FWRITE instead
                                         * of O_RDONLY, O_RDWR, etc...).
                                         *
                                         * @see fcntl.h
                                         */
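Added example (not code from the thread, from Apple's headers or from the linked gist): a stand-alone C model of the mask an ES_EVENT_TYPE_AUTH_OPEN handler would hand to es_respond_flags_result(), using the FREAD/FWRITE meaning the Beta 6 header comment gives and the read/write bit observation above. It assumes XNU's FFLAGS(oflags) = oflags + 1 mapping and that the kernel lets the open proceed only when every requested fflag bit is in the authorized mask; the protected path prefix and the fallback FREAD/FWRITE definitions are constructed for the example.

```c
#include <fcntl.h>     /* O_RDONLY, O_WRONLY, O_RDWR, O_APPEND */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Kernel-side open flags as in XNU's sys/fcntl.h. Linux headers do not
 * define them, so they are supplied here so the example compiles anywhere. */
#ifndef FREAD
#define FREAD  0x0001   /* file opened for reading */
#endif
#ifndef FWRITE
#define FWRITE 0x0002   /* file opened for writing */
#endif

/* XNU converts open(2) oflags into the kernel fflag carried in the event with
 * FFLAGS(oflags) = oflags + 1, which turns the O_ACCMODE value into bits:
 *   O_RDONLY (0) -> FREAD, O_WRONLY (1) -> FWRITE, O_RDWR (2) -> FREAD|FWRITE.
 * Every other O_* bit (O_APPEND, O_CREAT, ...) is carried through unchanged. */
uint32_t oflag_to_fflag(int oflag) {
    return (uint32_t)oflag + 1;
}

/* Constructed placeholder for a directory the policy keeps read-only. */
static const char *kProtectedPrefix = "/Library/ProtectedDemo/";

/* Build the authorized_flags mask for es_respond_flags_result(): everything
 * the process asked for, minus FWRITE when the target is under the protected
 * prefix. Only FREAD/FWRITE are ever decided on; other bits pass through. */
uint32_t auth_open_authorized_flags(const char *path, uint32_t requested_fflag) {
    uint32_t access_allowed = FREAD | FWRITE;
    if (strncmp(path, kProtectedPrefix, strlen(kProtectedPrefix)) == 0) {
        access_allowed &= ~(uint32_t)FWRITE;
    }
    return (requested_fflag & ~(uint32_t)(FREAD | FWRITE)) |
           (requested_fflag & access_allowed);
}

/* Mirrors the assumed kernel check: the open proceeds only if every
 * requested fflag bit is present in the authorized mask. */
bool open_would_be_allowed(const char *path, int oflag) {
    uint32_t requested = oflag_to_fflag(oflag);
    uint32_t authorized = auth_open_authorized_flags(path, requested);
    return (authorized & requested) == requested;
}
```

In a real client the mask computed here is what the ES_EVENT_TYPE_AUTH_OPEN branch of the handler passed to es_new_client() would send via es_respond_flags_result(), rather than an ES_AUTH_RESULT_ALLOW/DENY via es_respond_auth_result().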
                                        
                                • Re: Installing SystemExtensions
weichao119 Level 1 (0 points)

                                  Hi Ondra k,

                                   

I tried this sample code in beta 9 (SIP disabled).

When I run it as a normal user, I can run it but get the ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED error.

When I run it as root, the demo crashes with Illegal instruction: 4

                                   

                                  Application Specific Information:

                                  dyld: launch, running initializers

                                  /usr/lib/libSystem.B.dylib

                                  Incoming message euid:0 does not match secinitd uid:501.

                                   

Does anyone have any idea?

                                    • Re: Installing SystemExtensions
eskimo Apple Staff (12,455 points)

                                      Incoming message euid:0 does not match secinitd uid:501.

                                      This indicates a mismatch between your EUID and the UID expected by the security subsystem.  It’s common when you partially switch your execution context, that is, you’ve switched the traditional BSD UIDs to root but are still running in a user security context.  See the Execution Contexts section of Technote 2083 Daemons and Agents for more about this.

                                      You have a couple of options here:

                                      • You can use a system extension, which is the standard way of deploying an EndpointSecurity product.

                                      • You can use the EndpointSecurity API from a launchd daemon.  The system runs this as root and in the global security context, and thus you won’t encounter this mismatch.

                                      Share and Enjoy

                                      Quinn “The Eskimo!”
                                      Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                      let myEmail = "eskimo" + "1" + "@apple.com"

                                      • Re: Installing SystemExtensions
weichao119 Level 1 (0 points)

Sorry, it is my fault, I got the wrong entitlements. When I set the right entitlements, it works!

                                          • Re: Installing SystemExtensions
prokash Level 1 (0 points)

Would you mind sharing how you built the example from Omar? I'm getting the exact error you had, which you then figured out.

                                             

Q1) Did you build this as a macOS app (basically with a GUI), etc.? Or did you build it as a command line app from the default template?

                                             

Q2) It seems like I need to build it as a command line app, but then I don't know how to get the *.entitlements file with the correct keys (in the form of plist entries). I can create a file manually and insert those entries given on GitHub by Omar.

                                             

Please help me -- how did you build the code? The steps. Or if you could put the workspace on GitHub somewhere!!!

                                             

                                            Thanks,

                                            P

                                              • Re: Installing SystemExtensions
prokash Level 1 (0 points)

Now that I have the command-line Endpoint Security working, and know that we will have to have a launchd-based daemon with the right entitlements or some kind of System Extension (not sure how to build it this way, since there is no template as of yet)...

                                                 

It looks like the AUTH-time file creation event is missing. There is no enum entry for it... How do we capture this???

                                                 

                                                Thanks,

                                                Prokash

                                                  • Re: Installing SystemExtensions
eskimo Apple Staff (12,455 points)

                                                    Now that I got the commandline Endpoint Security working

                                                    I’m glad to hear that.

                                                    It looks like on the AUTH time file creation event is missing.

                                                    I think you should start a new thread for this question.

                                                    Share and Enjoy

                                                    Quinn “The Eskimo!”
                                                    Apple Developer Relations, Developer Technical Support, Core OS/Hardware
                                                    let myEmail = "eskimo" + "1" + "@apple.com"

                                          • Re: Installing SystemExtensions
BoBKelso Level 1 (0 points)

                                            Hi,

Yes, there is no template for any SystemExtension but Network Extensions.

I didn't manage to get any custom SystemExtension to be loaded. I always get the following error:

                                             

                                            "Extension not found in App bundle" UserInfo={NSLocalizedDescription=Extension not found in App bundle}

                                             

However, you can use the Endpoint Security API directly in a daemon; you just need to run it as root (and disable SIP).

                                             

                                            There is some 'documentation' within the header files of the EndpointSecurity Framework.

                                            You can find the headers here:

                                            /Applications/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/
                                        • Re: Installing SystemExtensions
pluto Level 1 (0 points)

Looks like it is due to a mismatch between the extension filename and the bundle ID of the extension. Correct that and you may be able to activate it.

                                            • Re: Installing SystemExtensions
dragonball Level 1 (0 points)

I figured this out early on. It can find the extension, but it will always fail verification with:

                                               

                                              System extension request failed: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 9.)

                                               

                                              Unlike network extensions on iOS, the macOS Network Extension System Extension will create a NEMachServiceName and the Network Extension validation makes it "mandatory" that a matching App Group must be defined for the Mach service or it will fail validation.

                                               

Solution: create a matching App Group (if you deleted it like I did) or... delete the App Group and NEMachServiceName (didn't try the latter).

                                            • Re: Installing SystemExtensions
BoilerLA Level 1 (0 points)

Has anybody gotten an application with the system extension install entitlement to work on 10.14 and below? We have to support 10.14 obviously, but if we include the system extension install entitlement (com.apple.developer.system-extension.install) in our application's Info.plist (the application that contains the system extension), it immediately crashes with a bad code signature on 10.14 and below. The application works (and the system extension installs) on 10.15.

                                               

                                              If the entitlement isn't necessary, how do we get the extension to install on 10.15? We haven't gotten the extension to install correctly with SIP enabled without using this entitlement.