I am trying to build a local endpoint for log collection using the Endpoint Security framework for research purposes. However, due to the agile nature of the project, I cannot apply for the necessary entitlements.
According to Apple's documentation, disabling SIP (System Integrity Protection) should allow binaries to run without entitlement checks. However, after compiling my binary and running it on a macOS system with SIP disabled, I still encounter a "permission denied" error.
Here are the steps I’ve taken so far:
csrutil disable.csrutil status.import Foundation
import EndpointSecurity
var client: OpaquePointer?
// create client and catch message
let res = es_new_client(&client) { (client, message) in
// messge process
}
// print error code
print("Result code: \(res)")
switch res {
case ES_NEW_CLIENT_RESULT_SUCCESS:
print("sucess")
case ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED:
print("error:lack of entitlement")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED:
print("error: application does not have required system permissions")
case ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED:
print("error: root privileges required")
case ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT:
print("error: invalid argument")
case ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS:
print("error: maximum number of clients reached")
case ES_NEW_CLIENT_RESULT_ERR_INTERNAL:
print("error: internal error")
default:
print("unknown error: \(res)")
}
if res != ES_NEW_CLIENT_RESULT_SUCCESS {
exit(EXIT_FAILURE)
}
swiftc main.swift -o es_demo \
-framework Foundation \
-I /Library/Developer/CommandLineTools/SDKs/MacOSX14.4.sdk/usr/include \
-L /Library/Developer/CommandLineTools/SDKs/MacOSX14.4.sdk/usr/lib \
-lEndpointSecurity \
-sdk /Library/Developer/CommandLineTools/SDKs/MacOSX14.4.sdk
Result code: es_new_client_result_t(rawValue: 3)
error:lack of entitlement
I’d like to understand: