System Extension crashing

Seeing the following on CONSOLE when the extension is repeatedly crashing ( when system tries to load )


com.forcepoint.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client


Of course, the Firewall extension is based on (network server side) network extension. Since I need an EP sec extension, looks like some conflict that it can not be an extension client ( while it is already an extension server ) ... NOT SURE though.


What is the right way to CRUFT an EP sec module ???


Thanks

prokash

Accepted Reply

If you’re trying to create an EndpointSecurity system extension (as opposed to a daemon that uses the EndpointSecurity API), see this thread.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Replies

So basically I'm looking for a way to have a System Extension to be able to register as a client to EP security Infrastructure.


When I take the security.client attribute ( i.e. key ), I can proceed but the registration fails with --

ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED


Why am I thinking this way ?


It will help us to have fairly simple migration path from our existing KAUTH based implementation. Which is to replace the kext with the system extension. Otherwise there would be major architectural change.


Any advice, please ??


Maybe due to security ( hardening ) reason(s), it does not allow to have that entitlement in a system extension, which I don't understand.


If it is not going to be allowed, that is fine too. I just need to get some confirmation.


Thanks,

Prokash

Thanx a bunch, Eskimo !


Really appreciate the help(s).


Let me look at the link you provided (i.e. Ur explanation there ).


Basically, I would be happy if I could get a System Extension that has both the network extension and EP sec capabilities. This will help us a lot in terms of migrating to no kext and kernel ctl socket based from the existing kext based design.


-Prokash

After following your link ---

First things first, check that your bundle’s CFBundlePackageType property is SYSX. It’s easy to miss this, and it’ll give exactly the error you’re seeing.

If that’s not it, the problem is most likely with your entitlements. Your extension really needs the com.apple.developer.endpoint-security.client entitlement. If you haven’t yet been granted it by Apple, you should disable SIP on your test Mac, which allows you to use the entitlement even though you don’t have a provisioning profile to whitelist it.


And modifying boot-args -

nvram -p | grep boot-args

boot-args amfi_get_out_of_my_way=0x1


I GET THE EP SECURITY running till to the check for root, then it exits since the code is that way... I can now run Xcode under root, and debug thru, while the network extension side is running... NO MORE repeated crashing at load time ( while the system tries to load the system extension repeatedly )...


Thanks once 'gain.

Prokash
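
The two checks from the advice quoted above (bundle package type and the EndpointSecurity entitlement), as an added example that is not part of the thread or of anyone's project code: a Python preflight over an extension's Info.plist and its signed entitlements. The sample plists and the bundle identifier are constructed, and the entitlements are assumed to have been dumped from the signature to an XML plist beforehand.

```python
import plistlib

ES_ENTITLEMENT = "com.apple.developer.endpoint-security.client"


def preflight(info_plist: bytes, entitlements: bytes) -> list:
    """Return a list of problems; an empty list means both checks pass."""
    problems = []
    info = plistlib.loads(info_plist)
    # A binary signed without an entitlements file yields no entitlements at all.
    ents = plistlib.loads(entitlements) if entitlements.strip() else {}

    pkg = info.get("CFBundlePackageType")
    if pkg != "SYSX":
        problems.append(f"CFBundlePackageType is {pkg!r}, expected 'SYSX'")

    value = ents.get(ES_ENTITLEMENT)
    if value is None:
        problems.append(f"{ES_ENTITLEMENT} is missing from the signature")
    elif value is not True:
        # The entitlement is a boolean; <string>true</string> does not count.
        problems.append(f"{ES_ENTITLEMENT} is {value!r}, expected boolean true")
    return problems


# Constructed sample inputs (not taken from the bundle discussed in the thread).
BAD_INFO = b"""<plist version="1.0"><dict>
<key>CFBundleIdentifier</key><string>com.example.SampleExtension</string>
<key>CFBundlePackageType</key><string>XPC!</string>
</dict></plist>"""
GOOD_INFO = BAD_INFO.replace(b"XPC!", b"SYSX")
STRING_ENTS = b"""<plist version="1.0"><dict>
<key>com.apple.developer.endpoint-security.client</key><string>true</string>
</dict></plist>"""
GOOD_ENTS = STRING_ENTS.replace(b"<string>true</string>", b"<true/>")

if __name__ == "__main__":
    cases = [
        ("wrong type, unsigned", BAD_INFO, b""),
        ("entitlement as string", GOOD_INFO, STRING_ENTS),
        ("correct bundle", GOOD_INFO, GOOD_ENTS),
    ]
    for name, info, ents in cases:
        print(f"{name}: {preflight(info, ents) or 'OK'}")
```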

Ah, still there are some subtle differences that I don't understand...


If I create a command line App from the EP sec example from Okram's github, I can debug thru xcode ( once I launched the xcode from root's command line).


But it does not work ( i.e. superuser privilege fails ) when I try the same steps with the Firewall extension that has the same code embedded in it.


-prokash