I'm looking at the JSON of an .ips crash report on macOS 12.3. "uptime" : 21000, "procLaunch" : "2022-03-28 12:12:34.0643 +0200", "procRole" : "Unspecified", "version" : 2, "userID" : 0, "deployVersion" : 210, "modelCode" : "MacBookPro18,1", "procStartAbsTime" : 514306295821, "coalitionID" : 2566, "osVersion" : { "train" : "macOS 12.3", "build" : "21E230", "releaseType" : "User" }, "captureTime" : "2022-03-28 12:12:45.1086 +0200", "incident" : "3B40D69B-0019-46D7-AD93-B73D02A4B636", "bug_type" : "309", "pid" : 17162, "procExitAbsTime" : 514570783723, I was expecting the field procStartAbsTime and procExitAbsTime to be UNIX timestamps, but that would result in dates in 1986. What format are they and how can they be converted? Also I noticed that BigSur creates both the old .crash and the new .ips format crash reports, even for the exact same crash, not at the same time though. So one time it creates a .crash, the next time an .ips.

macOS Sonoma 14.4 Xcode 15.3 Hi, I'm experimenting with C++/Swift interop and am following the official documentation, especially the section "Using Swift APIs of Imported Framework Target". I'm able to call Swift code from C++ when both Swift and C++ source files belong to the same app bundle or framework target, by importing the -Swift.h header. However, I'm not able to import the Swift code from a framework using a different C++ target. This is my test project setup: testApp is my app bundle and subprocesses is my framework, containing the auto-generated and unchanged subprocesses.h and some example swift code with a single public function. The subprocesses framework is added as a dependency to testApp and the framework has the C++ interoperability enabled. But when I try to import the auto-generated -Swift.h in main.cpp, it doesn't show up. What do I need to do so that I can call Swift framework code in a different C++ target? I think I've done everything according to the documentation. Thanks! Addendum I've also experimented with Apple's Xcode example projects. The "Mixing Languages in an Xcode project" (Link) works as expected. I was able to add a command line app target, and when I add the Fibonacci framework as a dependency, I'm able to use #include <Fibonacci/Fibonacci-Swift.h> and access the Swift API. However, the second of Apple's examples, "Calling APIs Across Language Boundaries" (Link) fails to compile out of the box (No member named 'createForest' in 'ForestBuilder::MagicForest').

I need to generate a compile_commands.json for our C++ project. I need it for static code analysis tools as well as enabling clangd usage with other editors. I've tried two methods but it only works for some files with clangd. The logs of the clangd extension in VS Code indicate only that many files can't be compiled. If it works for a file, it's great, but sadly it's not consistent. I've used these two approaches to generate the compile_commands.json: using xcpretty xcrun xcodebuild -projectmyproject.xcodeproj -scheme myscheme clean build CODE_SIGNING_ALLOWED=NO | xcpretty -r json-compilation-database -o build/compile_commands.json the recommended way by sonarcloud xcrun xcodebuild -project myproject.xcodeproj -scheme myscheme \ -configuration Debug clean build CODE_SIGNING_ALLOWED=NO OTHER_CFLAGS="\$(inherited) -gen-cdb-fragment-path \$(PROJECT_DIR)/CompilationDatabase" sed -e '1s/^/[\'$'\n''/' -e '$s/,$/\'$'\n'']/' MacOS/Source/CompilationDatabase/*.json > MacOS/Source/compile_commands.json Is there something missing or are there better ways to generate the compile_commands.json without having to write a full cmake definition?

The pidversion of a process with the same pid can increase during its lifetime. Which events, other than exec calls, can cause this increase in the pidversion? In other words, to what Endpoint Security events, other than fork, exec and exit, do I have to subscribe to get a process's complete and traceable pidversion history?

Our customers are large enterprises and we need to be able to collect traces on our customers' endpoints in support cases. Especially critical are performance problems. So far we've instructed our customers to use ktrace: sudo ktrace artrace -p appname --type=profile We would then open this trace in Instruments with the CPU profile and load our own symbols. The problem is, that symbols for system libraries are missing. In one instance we see that all of the high load is coming from a syscall made by libpcap. But all symbols other than our own are missing. How can we collect traces which include those symbols? I tried to use ktrace symbolicate in tests where I recorded a trace and then used ktrace symbolicate to collect system lib symbols, but it fails for most libraries, including libpcap and the syscalls. This is somewhat surprising, because dyld_info -exports /usr/lib/libpcap.A.dylib is able to print the symbols including offsets. So what is the recommended workflow for this scenario? Installing Xcode is of course not an option on a customer machine, especially not in an enterprise scenario.

I couldn't find an event type to subscribe to for identifying user logins (SSH, GUI). As an alternative approach I investigated the possibility of monitoring process events e.g. for loginwindow. However, I noticed that this doesn't seem to work either, because the user id and audit session id changes from root 0/system session 100001 right after exec to the respective user's id (e.g. 501) and his gui session id (e.g.100005) after successful authentication. Since I couldn't find any evidence for a fork or exec event, I assume that something like setuid is used internally. Is there any way one could get notified for events which change the process' context (like setuid or a session id change)? Are there events for user logins/sessions I've overlooked?

Hi, I have a macOS app bundle with multiple binaries. I can create an archive, notarize it and export the app bundle all within Xcode. But when I try to export the archive from the command line I get an error message: ╰─$ xcodebuild -exportArchive -archivePath myarchive.xcarchive -exportOptionsPlist myarchiveExportOptions.plist -exportPath ~/Desktop -verbose 2021-12-06 09:03:39.241 xcodebuild[15117:509468] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/qj/55jnf34d0dz7nrjmw9kkvj6c0000gn/T/....xcdistributionlogs". error: exportArchive: helperBinary does not support provisioning profiles. Error Domain=IDEProvisioningErrorDomain Code=10 "helperBinary does not support provisioning profiles." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=helperBinary does not support provisioning profiles., NSLocalizedRecoverySuggestion=helperBinary does not support provisioning profiles, but provisioning profile someName distribution has been manually specified. Remove this item from the "provisioningProfiles" dictionary in your Export Options property list.} ** EXPORT FAILED ** This is the export options plist I use (that's the one Xcode has exported): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>destination</key> <string>export</string> <key>method</key> <string>developer-id</string> <key>provisioningProfiles</key> <dict> <key>...</key> <string>someName distribution</string> </dict> <key>signingCertificate</key> <string>Developer ID Application</string> <key>signingStyle</key> <string>manual</string> <key>teamID</key> <string>...</string> </dict> </plist> How can I exclude the helper binary for the provisioning profile during the export of the archive? The main executable uses endpoint security.

Hi, I have a macOS app bundle with multiple binaries. I can create an archive, notarize it and export the app bundle all within Xcode. But when I try to export the archive from the command line I get an error message: ╰─$ xcodebuild -exportArchive -archivePath myarchive.xcarchive -exportOptionsPlist myarchiveExportOptions.plist -exportPath ~/Desktop -verbose 2021-12-06 09:03:39.241 xcodebuild[15117:509468] [MT] IDEDistribution: -[IDEDistributionLogging _createLoggingBundleAtPath:]: Created bundle at path "/var/folders/qj/55jnf34d0dz7nrjmw9kkvj6c0000gn/T/....xcdistributionlogs". error: exportArchive: helperBinary does not support provisioning profiles. Error Domain=IDEProvisioningErrorDomain Code=10 "helperBinary does not support provisioning profiles." UserInfo={IDEDistributionIssueSeverity=3, NSLocalizedDescription=helperBinary does not support provisioning profiles., NSLocalizedRecoverySuggestion=helperBinary does not support provisioning profiles, but provisioning profile "$myprofile distribution" has been manually specified. Remove this item from the "provisioningProfiles" dictionary in your Export Options property list.} ** EXPORT FAILED ** This is the export options plist I use (that's the one Xcode has exported): <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd"> <plist version="1.0"> <dict> <key>destination</key> <string>export</string> <key>method</key> <string>developer-id</string> <key>provisioningProfiles</key> <dict> <key>$BUNDLE_ID</key> <string>"$myprofile distribution"</string> </dict> <key>signingCertificate</key> <string>Developer ID Application</string> <key>signingStyle</key> <string>manual</string> <key>teamID</key> <string>...</string> </dict> </plist> How can I exclude the helper binary for the provisioning profile during the export of the archive? The main executable uses endpoint security. I tried to add a second key for the helper binary to specify no provisioning profile, but that didn't work either. Note: I already posted this question but wasn't able to edit it anymore. So I had to repost it in order to improve the readability (not ideal).

We distribute an macOS app bundle with a main executable, a helper executable, a nested app bundle and an XPCService. myApp.app └── Contents ├── _CodeSignature │ └── CodeResources ├── embedded.provisionprofile ├── Info.plist ├── MacOS │ ├── myHelperApp.app │ │ └── Contents... │ ├── mainExecutable │ └── helperExecutable ├── PkgInfo └── XPCServices └── myXPCService.xpc └── Contents... Our mainExecutable requires FullDiskAccess and the helperExecutable requires Accessibility Access. Since this a product for enterprise customers, the TCC permissions usually get granted via a PPPC profile. What would be a good bundle identifier naming scheme for such a structure? com.example.myApp for the main app bundle/executable and com.example.myApp.helperExecutable etc. for all additional targets? When creating the PPPC profile, do I only refer to the bundle identifier of the main bundle com.example.myApp? If so, does that mean that every executable in that bundle has these privileges? At least this is what the manual approach would suggest, where the user can drag an entire app bundle to the privacy settings. The helperExecutable gets copied into the bundle during the build process. But when it is run from its Xcode scheme, it is run from the build directory, outside the final bundle. This requires the helper binary to be extra granted Accessibility permissions, at least during development. Is there a better way? Thanks (Quinn)!

FB9843414 Just encountered a very annoying bug in Xcode. Let's say you want to link a static library like C++ fmt. If the directory you specify as library search path contains both a dynamic libfmt.dylib as well as the static libfmt.a version of that library, Xcode will choose the .dylib version - regardless whether you explicitly specified the .a binary under the target's build phases. Hopefully this nasty bug can finally be fixed. This stackoverflow post is over 4 years old, but saved my sanity.

We noticed that sometimes exec messages delivered by Endpoint Security contain unexpected data since Ventura: When a script is executed by a shell, like zsh, the process data for the responsible and the target process are identical, including the pidversion - but only sporadically. At first, I thought that it might be the case that pidversions are not incremented when a process execs into the same image. But my tests showed that this is not the case, and the pidversion is incremented in any case. I also tried to trigger this behavior with a program basically recursively execs into itself, but that worked as expected. So far, I've only observed this behavior with shell scripts. Here is an example: (lldb) p *(msg->process) (es_process_t) $7 = { audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277) } ppid = 10691 original_ppid = 10691 group_id = 10691 session_id = 10691 codesigning_flags = 570493697 is_platform_binary = true is_es_client = false cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V" signing_id = (length = 13, data = "com.apple.zsh") team_id = (length = 0, data = 0x0000000000000000) executable = 0x00000001036bb1e8 tty = nullptr start_time = (tv_sec = 1669896286, tv_usec = 191693) responsible_audit_token = { val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944) } parent_audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963) } } (lldb) p *(msg->event.exec.target) (es_process_t) $8 = { audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 12196, [6] = 100873, [7] = 29277) } ppid = 10691 original_ppid = 10691 group_id = 10691 session_id = 10691 codesigning_flags = 570493697 is_platform_binary = true is_es_client = false cdhash = "\U00000017\x8e$Y\xd0Z\x90\x8f\x92S\xc3s\xff<\x9c\xd6\xe2a\U00000011V" signing_id = (length = 13, data = "com.apple.zsh") team_id = (length = 0, data = 0x0000000000000000) executable = 0x00000001036bba00 tty = nullptr start_time = (tv_sec = 1669896286, tv_usec = 191693) responsible_audit_token = { val = ([0] = 501, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10682, [6] = 100349, [7] = 24944) } parent_audit_token = { val = ([0] = 4294967295, [1] = 0, [2] = 0, [3] = 0, [4] = 0, [5] = 10691, [6] = 100873, [7] = 24963) } } Is this an error in Endpoint Security, or am I missing something here? Steps to reproduce execute a script repeatedly to trigger the behavior, e.g. for i in {1..200000}; do ./script1.sh > /dev/null; # sleep 1; still happens, but you have to wait longer done in another terminal you can use eslogger like this sudo eslogger exec | jq 'if .process.audit_token.pidversion == .event.exec.target.audit_token.pidversion then "\(input_line_number) pidversion did not change: \(.process.audit_token.pidversion == .event.exec.target.audit_token.pidversion) \(.process.executable.path) -> \(.event.exec.target.executable.path)" else empty end' which could output something like this: "3211638 pidversion did not change: true /bin/zsh -> /bin/zsh"

I'm working on an enterprise product that's mainly a daemon (with Endpoint Security) without any GUI component. I'm looking into the update process for daemons/agents that was introduced with Ventura (Link), but I have to say that the entire process is just deeply unfun. Really can't stress this enough how unfun. Anyway... The product bundle now contains a dedicated Swift executable that calls SMAppService.register for both the daemon and agent. It registers the app in the system preferences login items menu, but I also get an error. Error registering daemon: Error Domain=SMAppServiceErrorDomain Code=1 "Operation not permitted" UserInfo={NSLocalizedFailureReason=Operation not permitted} What could be the reason? I wouldn't need to activate the items, I just need them to be added to the list, so that I can control them via launchctl. Which leads me to my next question, how can I control bundled daemons/agents via launchctl? I tried to use launchctl enable and bootstrap, just like I do with daemons under /Library/LaunchDaemons, but all I get is sudo launchctl enable system/com.identifier.daemon sudo launchctl bootstrap /Path/to/daemon/launchdplist/inside/bundle/Library/LaunchDaemons/com.blub.plist Bootstrap failed: 5: Input/output error (not super helpful error message) I'm really frustrated by the complexity of this process and all of its pitfalls.

I've been trying very unsuccessfully to get the Filtering Network Traffic example code to work. I've read many forum posts but I still wasn't able to figure it out. I download the example project and set my development team for both targets. From then on the project is configured to create unique bundle identifiers and app group. Signing and provisioning profile is created and managed by Xcode with all the necessary entitlements. I am able to build the app (debug with provisioning profile) and then copy it to /Applications. I open the app, click start, enable and allow the network extension. Activity Monitor shows that the extension is running. But when I test local connections to port 8888 nothing happens in the app, the connection are just allowed. I tested with the following setup: create a local webserver with python3 -m http.server 8888 and make a request via curl and the webbrowser normal tcp connection with nc (nc -l 8888 and nc localhost 8888) I added lots of logging and I can see that the startFilter method is called, but never the handleNewFlow method. The only error I see in Console is networkd_settings_read_from_file Sandbox is preventing this process from reading networkd settings file at "/Library/Preferences/com.apple.networkd.plist", please add an exception. but don't know what to do about that. I also read the debugging guide (very helpful). I'm used to jump through a lot of hoops with this stuff, but I can't figure out what the problem is.

I'm building a tool for admins in the enterprise context. The app needs to do some things as root, such as executing a script. I was hoping to implement a workflow where the user clicks a button, then will be shown the authentication prompt, enter the credentials and then execute the desired action. However, I couldn't find a way to implement this. AuthorizationExecuteWithPrivileges looked promising, but that's deprecated since 10.7. I've now tried to use a launch daemon that's contained in the app bundle with XPC, but that seems overly complicated and has several downsides (daemon with global machservice and the approval of a launch daemon suggests to the user that something's always running in the background). Also I'd like to stream the output of the executed scripts in real time back to the UI which seems very complicated to implement in this fashion. Is there a better way to enable an app to perform authorized privilege escalation for certain actions? What about privileged helper tools? I couldn't find any documentation about them. I know privilege escalation is not allowed in the App Store, but that's not relevant for us.

When I want to add libcurl as a dependency I add libcurl.4.tbd under Link Binary with Libraries and it works. As I understand it these tbd files are stub libraries to enable the linking process for dynamic libraries while keeping the Xcode SDK download small (by replacing the actual dylib with a kind of placeholder). When I open the libcurl.4.tbd in Xcode, it lists under install-name /usr/lib/libcurl.4.dylib and I expected to find this file. But I can't find the actual libcurl.4.dylib at this dir nor anywhere else on my system. otool -L gives me same filepath. How is the linking handled in this case and where is the actual dylib located? I've learned that libcurl.4.dylib actually resides within a shared cache file unter /System/Library/dyld. I'm running macOS 11.1 What's the benefit instead of just placing the dylib under the specified path like /usr/lib/?