ES_EVENT_TYPE_AUTH_OPEN makes the system unresponsive?

I used the sample code from [https://developer.apple.com/documentation/endpointsecurity/client?language=objc] but replaced ES_EVENT_TYPE_AUTH_EXEC with ES_EVENT_TYPE_AUTH_OPEN. This is the full code:


#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>

int main(int argc, const char** argv) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t newClientResult =
        es_new_client(&client,
                      ^(es_client_t * client, const es_message_t * message) {
            switch (message->event_type) {
                case ES_EVENT_TYPE_AUTH_OPEN:
                    printf("auth open\n");
                    es_respond_auth_result(client, message, ES_AUTH_RESULT_ALLOW, true);
                    break;
                default:
                    panic("Found unexpected event type: %i", message->event_type);
                    break;
            }
        });


        // Handle any errors encountered while creating the client.
        switch (newClientResult) {
            case ES_NEW_CLIENT_RESULT_SUCCESS:
                // Client created successfully; continue.
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
                panic("Extension is missing entitlement.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
                panic ("Extension is not running as root.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
                // Prompt user to perform Transparency, Consent,
                // and Control (TCC) approval.
                // This error is recoverable; the user can try again after
                // approving the TCC prompt.
                // return YOUR_NEW_CLIENT_ERROR_CODE_PROMPT_TCC;
                break;
            case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
                panic ("Invalid argument to es_new_client(); client or handler was null.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
                panic ("Exceeded maximum number of simultaneously-connected ES clients.");
                break;
            case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
                panic ("Failed to connect to the Endpoint Security subsystem.");
                break;
        }


        // Subscribe the client to the ES_EVENT_TYPE_AUTH_OPEN event.
        // When the client receives a message with this event type, it must authorize
        // (allow or deny) the event.
        es_event_type_t eventTypes[1] = { ES_EVENT_TYPE_AUTH_OPEN };
        es_return_t subscribeResult = es_subscribe(client, eventTypes, sizeof(eventTypes));
        if (subscribeResult != ES_RETURN_SUCCESS) {
            panic ("Client failed to subscribe to event.");
        }
        
        NSRunLoop *runLoop = [NSRunLoop currentRunLoop];
        [runLoop run];
    }
}

I ran this code in Xcode; the mouse cursor then became a rotating colorful circle, the application exited after about 10 seconds, and Xcode printed:

Message from debugger: Terminated due to signal 9

Program ended with exit code: 9

If I subscribe to ES_EVENT_TYPE_NOTIFY_OPEN and ES_EVENT_TYPE_NOTIFY_CLOSE, it works. What can I do to fix this?

Replies

I think that for _AUTH_OPEN events you need to respond with es_respond_flags_result() instead of es_respond_auth_result()?

Also, the last argument to es_subscribe() can be wrong; it probably should be 1 instead of sizeof(eventTypes) (Apple code is buggy in several examples).

  • You are right! Thanks a lot.
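
An added example (not from the thread or from Apple's documentation) that applies both suggestions in the reply above: it answers AUTH_OPEN with es_respond_flags_result() and passes an event count, not a byte size, to es_subscribe(). The protected path prefix and the read-only policy are assumptions made for illustration.

```objective-c
// Added example, not Apple's or the poster's code. Build as main.m, link
// libEndpointSecurity, sign with the ES client entitlement, run as root.
#import <Foundation/Foundation.h>
#import <EndpointSecurity/EndpointSecurity.h>
#import <sys/fcntl.h>   // FWRITE
#import <string.h>

// Hypothetical policy for this example: files under this prefix are read-only.
static const char kProtectedPrefix[] = "/private/tmp/es-demo/";

// Returns the mask of open flags this client authorizes for the event.
// Bits cleared in the mask are not authorized.
static uint32_t authorized_open_flags(const es_event_open_t *open) {
    es_string_token_t path = open->file->path;
    size_t n = sizeof(kProtectedPrefix) - 1;
    bool isProtected = path.length >= n && memcmp(path.data, kProtectedPrefix, n) == 0;
    return isProtected ? ((uint32_t)open->fflags & ~(uint32_t)FWRITE) : UINT32_MAX;
}

int main(void) {
    @autoreleasepool {
        es_client_t *client = NULL;
        es_new_client_result_t res = es_new_client(&client,
            ^(es_client_t *c, const es_message_t *msg) {
                if (msg->event_type != ES_EVENT_TYPE_AUTH_OPEN) return;
                // AUTH_OPEN takes a flags response. Respond right away and keep
                // logging or other I/O off this path: the open is held until the
                // client answers, and a client that misses msg->deadline is killed.
                es_respond_flags_result(c, msg, authorized_open_flags(&msg->event.open), false);
            });
        if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
            fprintf(stderr, "es_new_client failed: %d\n", (int)res);
            return 1;
        }

        es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN };
        // The third argument is the number of events, not the array size in bytes.
        uint32_t count = (uint32_t)(sizeof(events) / sizeof(events[0]));
        if (es_subscribe(client, events, count) != ES_RETURN_SUCCESS) {
            fprintf(stderr, "es_subscribe failed\n");
            es_delete_client(client);
            return 1;
        }
        dispatch_main();  // never returns; events arrive on the client's queue
    }
}
```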
