Apps/files do not open when the result is cached with es_respond_flags_result

Hi all,


I have been able to reproduce a scenario where apps/files do not open when I subscribe to ES_EVENT_TYPE_AUTH_OPEN and set caching to true while authorizing the opening of a file by responding to es_respond_flags_result(,,,).


In details, If I subscribe to ES_EVENT_TYPE_AUTH_OPEN event and set bool cache = true in es_respond_flags_result(,,,)

es_handler_block_t file_cbk = ^(es_client_t *client, const es_message_t *msg)
{
     log_event_message(msg); // just to log events to the console
     int32_t flag = msg->event.open.fflag; // getting the file-opening mask
     es_respond_result_t res = es_respond_flags_result(client, msg, flag, true);
     // simply allowing all files to open and cache the result
     if (ES_RESPOND_RESULT_SUCCESS != res)
          LOG_ERROR("es_respond_auth_result: %d", res);
};

Whatever application or file that I open leads me to some EPERM popup, "The Application cannot be opened" and complete unresponsiveness of the machine with occasional spinning beach balls. As you can see, I am not doing any sort of processing with the file event messages (apart from just logging to the console) - I'm simply allowing all file open operations and caching the results.

This issue with es_respond_flags_result(,,,) only appears if I cache the event result; without caching everything works as expected. However, if I subscribe to ES_EVENT_TYPE_AUTH_EXEC event and respond using es_respond_auth_result(,,,) authorizing the execution of a process with the caching parameter set to true, everything seems to work gracefully.


I am completely new to Objective C so there's a high chance of doing something wrong - please LMK if I am handling the event messages in an undesired fashion and suggest me the way it should be handled. If this is a known/duplicate issue, please point me to the relevant ticket or guide me on the way forward.

Also added a 2 min screen recording illustrating the issue (Unlisted video): https://youtu.be/R9zSpHk72_Q


Looking forward to your help and support...



Thanks!
Uddalak

Up vote post of Uddalak Down vote post of Uddalak
3.3k views
Posted by
Uddalak
Reply
Add a Comment

Replies

Uddalak pinged me about this via email and I want to post a follow-up here just to make sure we’re all on the same page:

  • DevForums is an informal support channel. I try to answer what I can in the time that I have available but I can’t make any guarantees.

  • If you don’t get an answer via informal support channels — DevForums, Stack Overflow, and so on — my advice is that you seek formal support by opening DTS tech support incident.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware 

let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Thanks Quinn!

I will be opening a DTS Code Level support. But before that, I have few unknown questions that I would like to discuss so as to have more context regarding the problem before seeking DTS.
When I use 0x7fffffff as an authorized_flags value for es_respond_flags_result(,,,) - It works perfectly with caching set to true. I found this flag as part of the thread opened by Bill_Chui (https://forums.developer.apple.com/thread/133635). Surprisingly, setting this authorized flag to 0x7fffffff (or INT_MAX) makes caching with ES_EVENT_TYPE_AUTH_OPEN work without a glitch! I have few queries around this:
1. Is 0x7fffffff the correct flag that we need to set while responding to ES_EVENT_TYPE_AUTH_OPEN ?
2. Afaik, setting authorized flag 0x7fffffff with es_respond_flags_result, typically means authorizing the file open events with all intended flags. In this case, if a user opens a file with Read-Only mode and ES client authorizes the file open event with 0x7fffffff and caching the event result - does it mean that ES client will grant the subsequent Read-Only file events will all set of permissible flags ?
3. What is being cached here as part of event result - If I authorize a file open with 0x7fffffff, does ES subsystem cache all the subsequent events with 0x7fffffff ?
I would like to get answers to these three queries before I raise a DTS so that I could have a better idea about the problem/unknows here. Which would also be helpful for Apple to understand what exactly I'm trying to achieve with my app.
PS: I am working with SIP and AMFI disabled (sudo nvram boot-args="amfi_get_out_of_my_way=0x1”). I'm afraid I might hit the case which is mentioned here https://forums.developer.apple.com/thread/133635 after I test my app with SIP enabled and production signed. I wonder if I need to raise a separate DTS for this hang issue.

Posted by
Uddalak
Up vote reply of Uddalak Down vote reply of Uddalak
Add a Comment
hi Uddalak,
I got the same problem, do you have any progress?

Posted by
WangZiYuan
Up vote reply of WangZiYuan Down vote reply of WangZiYuan
Add a Comment
I can’t speak for Uddalak but my general advice on this topic is that you watch WWDC 2020 Session 10159 Build an Endpoint Security app. It’s packed full of useful info about EndpointSecurity, including some specific tips about caching.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@apple.com"
Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment

Hi. After my test, return 0xffffffff (Apple recommendation 0xffffffff) is correct. And, the return value 0xffffffff does not affect the logic of the original program, whether it was originally read-only or read-write.

Posted by
qifengle
Up vote reply of qifengle Down vote reply of qifengle
Add a Comment

Hi, I am having the same issue that Uddalak described. But in my case this only happens when I attach Xcode's debugger to my system extension. As soon as I do it the entire system becomes unresponsive for 30 secs until my app is killed (no crash log). It doesn't matter if I use the 0x7fffffff or 0xffffffff flags or if I cache the response or not.

In my event handler block I allow all events, like this:

es_respond_flags_result(client, msg, 0x7fffffff, true)
Posted by
santalvarez
Up vote reply of santalvarez Down vote reply of santalvarez
Add a Comment

But in my case this only happens when I attach Xcode's debugger to my system extension.

You can’t debug an ES system extension interactively. See this post for the details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Add a Comment