Hello, I've come across information regarding macOS endpoint protection software: It seems Apple no longer allows them to create kernel extensions. It seems that endpoint software should now function with MACF by implementing hooks from userland. Does this mean the Endpoint Security Framework will soon become deprecated? I'm currently searching for a sample source code for MACF hooks, but I haven't found anything in the Apple developer documentation. Thanks

Hello, I don't understand what is /System/Applications/ folder (macOS Sonoma). It is not an (hard)link to /Applications/. /Applications/ is not a (hard)link to /System/Applications/ Can anyone explain me what is /System/Applications/ ? Isn't it redundant to /Applications/ ? Thanks

Hello, I have tried to create a VZVirtualMachine macOS virtual machine on an Apple Silicon Mac. I have installed Docker Desktop inside this virtual machine. Docker is not working: I get this error message: "Hyopervisor check failed". Is there a way to run Docker inside a VZVirtualMachine ? Thanks a lot

Hello, It is possible to restrict Documents folder access with TCC. But when an applications shows a standard "file open" dialog, it is possible to access this directory to open a file. macOS allows file access in this case because it is an intentional action from user. So i suppose there is a kind of whitelist for all files path opened through "file open" dialog. I would like to know how i can access this whitelist and how i can remove entries. Thanks

Hello, I am trying to enumerate all ways on macOS for launching an application when a user opens a session. Please note i am not looking for a way which requires root or sudo privileges. I have found this: ~/Library/LaunchAgents/ Login Items (in macOS System Settings) But are there others ? Thanks

Hello, I am browsing with Safari. A website asks me to access my microphone (it is a Safari prompt dialog, not a system dialog). I am answering "yes, you can access to my microphone". Everything works fine, my microphone is allowed. Now, i am going to macOS system settings, in "Privacy & Security" section. I open "Microphone" sub section: And i don't see any entry for Safari. My question is ... Why ? Safari is accessing to my microphone at this moment and i don't see any grant information about this in system settings... Maybe apple allows his own softwares but this is not good for security... I hope it is not the same behaviour for full disk access grant... Thanks

Hello, I am trying to understand how macOS virtualization framework and Virtualization products work on M1 chips. I have tried Parallels Desktop. There are no third party kernel extensions (kext) installed with this product. When i plug an USB device on my mac, i get a popup asking me if i want to plug this device to my host mac or to the current Parallels virtual machine. How can this be possible without kext ? Device management is handled at kernel level... and there are no virtualization framework API for that... I have create a Linux virtual machine with Virtualization framework (similar to GNULinuxVirtualMachineSampleApp project): It works but I don't understand why i can't run Windows Virtual machines. Parallels Desktop seems to work with Virtualization framework too and this product can run ARM Windows Virtual Machine. How can they do that ? Is there a way to simulate key sending with Virtualization framework ? I have create a 64Gb disk (VZDiskImageStorageDeviceAttachment). I have a 64Gb file on my host mac, but i am using only 10Gb on the virtual machine at this moment. Is there a way to optimize the disk image file size ? VZVirtualMachine provides a "pause" method. I don't understand where the virtual machine state (RAM memory, ...) is saved on the host. Thanks a lot

Hello, I am trying to simulate a keystroke inside a macOS application. Here is what i've done: let src = CGEventSource(stateID: CGEventSourceStateID.hidSystemState) let cmd_down = CGEvent(keyboardEventSource: src, virtualKey: 0x38, keyDown: true) let cmd_up = CGEvent(keyboardEventSource: src, virtualKey: 0x38, keyDown: false) cmd_down?.post(tap: .cghidEventTap) cmd_up?.post(tap: .cghidEventTap) macOS is asking me to allow my application on TCC accessibility. This is a global privilege and needs admin rights. And i want to avoid that. Is there an alternative to simulate a key stroke inside my application ? Thanks

Hello, It is possible to restrict access to Desktop or Documents folder with TCC for a given application in macOS Preferences. For example Terminal is not allowed to access Documents folder. But i have see it is possible to write files or to create directory from Terminal ! I don't understand this behaviour. Is there a particular reason ? Thanks

Can you explain me why it is not possible to work with VZVirtualMachine on iOS ? iPad is working with the same ARM chips than mac. It would be great to create a Linux VM on an iPad pro for example... I am tossing a bottle into the sea... Thanks

Hello, There is something i do not understand about TCC: I have allowed Terminal app to Full Disk Access. I was able to open my current user's TCC.db file with sqlite3 from terminal. I was able to delete entries in access table with sqlite3. I had no errors, but these changes haven't been applied. My question is why was I able to modify TCC.db file ? Is there a specific thing to do to flush privileges ? I have a second question: When an application fires an NSOPenDialog on a cocoa application, the selected file access rule bypasses TCC. This is normal because this is an intent from user. But this file access seems to be stored somewhere because if i reboot computer, my cocoa application can read this file again, without NSOpenDialog opening. I have tried to look in current user's TCC.db file but i did not found anything. My question is: where is this information stored ? Thanks

Hello, Look at this SwiftUI view: struct ContentView: View { var body: some View { Text("Hello !") } } The Text("Hello") line is a closure. Am I wrong ? There is an implicit return. I can write this: struct ContentView: View { var body: some View { return Text("Hello !") } } I can put multiple lines like this: struct ContentView: View { var body: some View { Text("Hello !") Text("Hello2 !") } } I don't understand how works internally the implicit return in this case because we have 2 components. Also, can you explain me why i can't put a basic swift line code like this: struct ContentView: View { var body: some View { Text("Hello !") print("Hello") Text("Hello2 !") } } Thanks

Hello, My purpose is to understand how macOS works. Here is what i've done: I have wrote a c program on a M1 CPU with this lines: printf("Before breakpoint\n"); asm volatile("brk #0"); printf("After breakpoint\n"); When i run this program with lldb, a breakpoint is hit on the second line. So i suppose lldb is writing a "brk #0" instruction when we put a breakpoint manually. I can't continue to next line with lldb "c" command. PC stays on the brk instruction. I need to manually set PC to next instruction in lldb. Now, what i want to do is to create my own debugger. (I want to understand how lldb works). I have managed to ptrace the target program and i was able to catch an event with waitpid when "brk #0" is hit. But i don't know how i can increase PC value and continue execution because i can't do this on Silicon CPU: ptrace(PTRACE_GETREGS, child_pid, NULL, &regs); ptrace(PTRACE_SETREGS, child_pid, NULL, &regs); kill(child_pid, SIGCONT); So my question is: How does lldb managed to change ARM64 registers of a remote process ? Thanks

Hello, I am writing a Desktop application for macOS with XCode. This application will be available on app store. So, i have to put sandbox entitlement. So, this application won't be able to access Desktop folder. It will be jailed into a specific directory to store datas. I have installed a macOS application from appstore. When I launched this application, I got a TCC prompt, asking me to allow this application to access Desktop (or Downloads I don't remember). How can this be possible ? I have tried to write a sandboxed application which tries to access to Desktop folder. I didn't get any TCC prompt: My access was rejected. How can I ask to access Desktop folder from I sandboxed application ? Thanks a lot

Hello, Look at this basic C program: #include <stdio.h> int main() { printf("%llx\n", main); return 0; } The displayed address change on each run. This is due to ASLR. Is there a way to launch a program by forcing the main module's base address I would like to do something like that in my terminal: $ BASE_ADDRESS=0x10000 ./a.out How can i do that on mac os ? Is it possible to force base address loading for shared libraries too ? Thanks