After many tests I finally found a solution. Apparently the & at the end of the command is whats causing the issue in Sonoma. So I had to replace this command: /Applications/myapp.app/Contents/MacOS/myapp --load-system-extension & With this one: /usr/bin/open /Applications/myapp.app --args --load-system-extension And now it works perfectly! Im still curious about those better ways to activate an extension.

I found a solution similar to what Quinn suggested on Google's Project Santa's github. I just ported it to swift. Here it is: let deadline = DispatchTime(uptimeNanoseconds: cMsg.pointee.deadline) - .seconds(2) let handlerSemaphore = DispatchSemaphore(value: 0) handlerSemaphore.signal() let deadlineSemaphore = DispatchSemaphore(value: 0) queue.asyncAfter(deadline: deadline) { // Check if event handler has already responded if handlerSemaphore.wait(timeout: .now()) == .timedOut { // Event handler already responded so exit return } // Deadline met, event handler still processing, default to allow self.allowMessage(cMsg) deadlineSemaphore.signal() } queue.async { // Process auth event and respond handleAuthEvent(cMsg) // Check if deadline was met if handlerSemaphore.wait(timeout: .now()) == .timedOut { // Wait for deadline block to allow the message, then free deadlineSemaphore.wait() } self.freeMessage(cMsg) }

Hi, I am having the same issue that Uddalak described. But in my case this only happens when I attach Xcode's debugger to my system extension. As soon as I do it the entire system becomes unresponsive for 30 secs until my app is killed (no crash log). It doesn't matter if I use the 0x7fffffff or 0xffffffff flags or if I cache the response or not. In my event handler block I allow all events, like this: es_respond_flags_result(client, msg, 0x7fffffff, true)

As per Quinns request here is a more detailed version of my code static func handleProcessExec(_ msg: UnsafePointer<es_message_t>) {     let target = msg.pointee.event.exec.target.pointee guard msg.pointee.process.pointee.is_es_client == false else {      es_respond_auth_result(esClient.client!, msg, ES_AUTH_RESULT_ALLOW, true)       return     }     // copy message so it can be used on another thread     guard let copiedMessage = copyMessage(msg) else {       es_respond_auth_result(esClient.client!, msg, ES_AUTH_RESULT_DENY, false)       return     }     DispatchQueue.global().async { var process: ProcessDetails? = nil let deadline = DispatchTime(uptimeNanoseconds: copiedMessage.pointee.deadline - (2*NSEC_PER_SEC)) let semaphore = DispatchSemaphore(value: 0) // RuleResult contains what rule matched and if we should allow/deny var result = RuleResult() let timestamp = copiedMessage.pointee.time.tv_sec DispatchQueue.global().async { process = ProcessDetails(process: copiedMessage.pointee.event.exec.target.pointee) ESEventRulesRunner.runProcessExecRules(process: process!, &result) semaphore.signal()        }       _ = semaphore.wait(timeout: deadline)       es_respond_auth_result(esClient.client!, copiedMessage, result.verdict, false)       if result.verdict == ES_AUTH_RESULT_DENY {         // Log event to api let event = ESEvent(process: process!, timestamp: timestamp, ruleType: result.type)         Api.postEvent(event: event) }       freeMessage(copiedMessage)     }       }

Ok I found out what is happening but I need help fixing it. Look at this code // Inside function that handles process exec messages     guard let copiedMessage = copyMessage(msg) else {       es_respond_auth_result(esClient.client!, msg, ES_AUTH_RESULT_ALLOW, false)        return     }     DispatchQueue.global().async { var process: ProcessDetails? = nil        let deadline = copiedMessage.pointee.deadline let semaphore = DispatchSemaphore(value: 0) DispatchQueue.global().async { // This may take some time          process = ProcessDetails(process: copiedMessage.pointee.event.exec.target.pointee) semaphore.signal()       }       _ = semaphore.wait(timeout: DispatchTime(uptimeNanoseconds: deadline - (2 * NSEC_PER_SEC)))       es_respond_auth_result(...)       freeMessage(copiedMessage)     } I am calling description inside my ProcessDetails class, the problem is that if the timeout of the semaphore runs out I will free the copiedMessage but the initialization of ProcessDetails is still going so that results in a crash. How could I kill that seconds thread before freeing the message? Or should I somehow set another semaphore and wait for that thread to finish (even though I already responded to the message) to free the message?

12-17-2021 Xcode Version 13.2 (13C90) MBP 13-inch,i7, 2017, macOS 11.6.1 I honestly can't believe how after all this years the bug is still there. It is extremely anoying to have to restart Xcode everytime I want to test something in playgrounds

Quinn, as you said, for apps as big as XCode this can be very slow. I understand I can cache the result but if I am doing this in the context of an ES_EVENT_TYPE_AUTH_EXEC I would be blocking the first execution of Xcode for a long time before my analysis finishes. What would you do in my case?

Turns out I was setting the exportedInterface instead of the remoteObjectInterface on the NSXPCConnection.

Another question I had about the willCompleteAfterReboot is why is this called? I want to better understand this problem I am having about extensions needing a reboot to complete an upgrade. What is preventing the system from starting my extension without the need of a reboot? I am using a Network Extension, if I were to add Endpoint Security to my extension would something in the activation process change? I can't see antivirus software that uses this framework requiring a reboot for every update to their extension.

Would manually deactivating my System Extension before installing the new version help? I was thinking about doing that in the preinstall script of my pkg installer by executing the container app with a uninstall parameter like this: /Applications/app/Contents/MacOS/app --unload-extension