Posts

Post not yet marked as solved
5 Replies
4.3k Views
Hi! I've compiled a command line utility written in plain C on macOS Monterey on a MacBook M1 Pro. The compilation command is just the following:

```
clang -std=gnu11 -Wall -o my_run_ht run_ht.c ht.c
```

It compiles fine, but when I try running it, it is aborted with the following message:

```
dyld[8385]: dyld cache '/System/Library/dyld/dyld_shared_cache_arm64e' not loaded: syscall to map cache into shared region failed
dyld[8385]: Library not loaded: /usr/lib/libSystem.B.dylib
  Referenced from: /Users/sasha/Src/my/ht/run_ht
  Reason: tried: '/usr/lib/libSystem.B.dylib' (no such file), '/usr/local/lib/libSystem.B.dylib' (no such file)
```

What is more strange is that I can compile and run other command line utilities. So I'm quite puzzled and have no idea what the reason for that is and how to fix it. Could anybody please help me with this? Thanks in advance.
Posted by ilowry.
Post marked as solved
1 Replies
686 Views
The ES_EVENT_TYPE_AUTH_CREATE event can be fired either for a regular file or for a directory. Currently there is no such information in the event structure. Is there any way to find out exactly what kind of object is being created right in the ES_EVENT_TYPE_AUTH_CREATE handler?

Thanks in advance, Aleksandr Skobelev
Posted by ilowry.
Post marked as solved
1 Replies
620 Views
Hello everybody! I'm working on an EndpointSecurity client and noticed that when I copy a file to an external flash card with a FAT16 or exFAT file system, the ES_EVENT_TYPE_NOTIFY_CREATE event and the very first ES_EVENT_TYPE_NOTIFY_WRITE one have some fake value for the st_ino field in their stat structures. For FAT it is 999999999, and for exFAT it is 1. Starting from the second write notification, the stat structure gets a real inode number. It does not happen for the APFS file system.

Could someone please tell me whether this is known behavior, and point me to a place where it is documented? For which other file systems can this also happen?

Thanks in advance, Aleksandr Skobelev
Posted by ilowry.
Post marked as solved
3 Replies
1.3k Views
Hi all! I'm writing an endpoint security daemon, which is packed in an application bundle with embedded.provisionfile in its Contents folder. This daemon can be successfully loaded and started with launchctl on Big Sur with SIP disabled, but fails to run when SIP is enabled. The OS log from the kernel contains the following messages:

```
(Sandbox) sandboxd rejected approval request from esservice for kTCCServiceSystemPolicyAllFiles(null): denied
(EndpointSecurity) Task has not been granted user permission to connect
```

Could anybody please explain to me what could be the reason for this kind of message? Is it a sign that something is wrong with my provision profile file, or something else?

Thanks in advance, Aleksandr
Posted by ilowry.
Post marked as solved
2 Replies
2.5k Views
Hi! I'm trying to run SampleEndpointApp (https://developer.apple.com/documentation/endpointsecurity/monitoring_system_events_with_endpoint_security) on my machine with SIP disabled, but have had no success. In the system logs I can see the following messages:

```
... taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] com.example.apple-samplecode.SampleEndpointApp.Extension: Unsatisfied entitlements: com.apple.developer.endpoint-security.client
... taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Disallowing: com.example.apple-samplecode.SampleEndpointApp.Extension
... amfid: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension signature not valid: -67671
... kernel: mac_vnode_check_signature: /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension: code signature validation failed fatally: When validating /Library/SystemExtensions/B0C9A0DC-E8C6-46B9-804D-BEA0A1E5B362/com.example.apple-samplecode.SampleEndpointApp.Extension.systemextension/Contents/MacOS/com.example.apple-samplecode.SampleEndpointApp.Extension
...kernel: proc 5040: load code signature error 4 for file "com.example.apple-samplecode.SampleEndpointApp.Extension"
```

As far as I understand, the signature I used to sign the app and extension doesn't have the proper entitlement? But https://developer.apple.com/system-extensions/ says: "…you can test system extensions on your Mac by temporarily turning off System Integrity Protection." So in theory I should be able to run the ES extension on my machine. I'm on Big Sur 11.3, if that matters. Could you please help me understand what I could be doing improperly and how to fix that?

Thanks in advance, Aleksandr
Posted by ilowry.
Post not yet marked as solved
0 Replies
521 Views
Hello! Could anybody tell me please what the `destinationOptions:` and `sourceOptions:` in `-[NSPersistentStoreCoordinator replacePersistentStoreAtURL:destinationOptions:withPersistentStoreFromURL:sourceOptions:storeType:error:]` are for? Do they matter at all in the case where the destination store doesn't exist?

Thanks in advance, Aleksandr Skobelev
Posted by ilowry.