Hello all,
While experimenting with the Endpoint Security demo code, especially ES_EVENT_TYPE_AUTH_EXEC and ES_EVENT_TYPE_AUTH_OPEN, I need some questions answered.
(1) While blocking or allowing a process launch via es_respond_auth_result() generates a nice "This application ... can't be opened" dialog, using es_respond_flags_result() to prevent a file from being opened is not fully clear.
The flags are not documented (or I haven't found it yet). If I respond with the original event flags, the file is allowed, great. If I respond, for example, with a 0 to mask out the 1 (I guess open for read), the file open fails with an input/output error. In the old KEXT world, when denying a file open, the system responded with an "access denied" error code. Is there anything in these flags to get the same response?
(2) Will the ES client be able to open all files for which it receives event messages? Running as root and with SIP disabled, it seems to work.
Also, is the ES client allowed/enabled to open additional files without any deadlock?
(3) With the proper entitlement, is the ES client able to run as a non-root user? Can this be a launch daemon?
Thanks
Frank Fenn
Sophos Inc.
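For reference, here is an added example (not code from the post above or from Apple's demo) of how es_respond_flags_result() is used to answer ES_EVENT_TYPE_AUTH_OPEN: the flags it takes are the same FFLAGS-form bits (FREAD, FWRITE) found in msg->event.open.fflag, and returning the requested bits unchanged allows the open while stripping bits refuses that access. It assumes macOS 10.15 or later, running as root with the com.apple.developer.endpoint-security.client entitlement, and kProtectedDir is a placeholder path of your choosing.

```objectivec
// Added example: minimal Endpoint Security client that answers AUTH_OPEN events
// with es_respond_flags_result(). Reads are allowed everywhere; writes are
// stripped for files under kProtectedDir (placeholder path, assumption).
#import <Foundation/Foundation.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <sys/fcntl.h>   // FREAD / FWRITE: the FFLAGS form used by event.open.fflag
#include <string.h>
#include <stdio.h>

static const char kProtectedDir[] = "/Users/Shared/protected/";  // placeholder

// Compute the flags this client authorises for one open request.
// Returning `requested` unchanged allows the open; clearing bits the caller
// asked for makes that open fail in the kernel.
static uint32_t authorized_flags_for(const char *path, size_t len, uint32_t requested) {
    size_t prefix = strlen(kProtectedDir);
    bool protected_path = len >= prefix && strncmp(path, kProtectedDir, prefix) == 0;
    return protected_path ? (requested & ~(uint32_t)FWRITE) : requested;
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t r = es_new_client(&client, ^(es_client_t *c, const es_message_t *msg) {
        if (msg->event_type != ES_EVENT_TYPE_AUTH_OPEN) return;
        const es_event_open_t *open = &msg->event.open;
        // fflag carries the requested descriptor flags in FFLAGS form (FREAD = 1, FWRITE = 2).
        uint32_t allowed = authorized_flags_for(open->file->path.data,
                                                open->file->path.length,
                                                (uint32_t)open->fflag);
        // cache = false: every open of the file is re-evaluated by this handler.
        // Keep the handler non-blocking; each message carries a deadline the
        // client must meet.
        es_respond_flags_result(c, msg, allowed, false);
    });
    if (r != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d\n", (int)r);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return 1;
    }
    dispatch_main();  // never returns; the handler runs on ES's own queue
}
```

The errno the opening process observes when bits are stripped is chosen by the kernel, not by the client; this example only controls which access bits are authorised.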