Method for checking activation status of an [Endpoint Security] system extension.

Originator: burcea.bogdan.madalin
Number: rdar://FB8936914
Date Originated: 11-Dec-2020
Status: Open
Resolved: No
Product: SystemExtensions Framework
Product Version: macOS 10.15.4 and up
Classification: Suggestion
Reproducible: Yes
 
Hello,

I've been working with system extensions on macOS Catalina / Big Sur (Endpoint Security extensions to be precise) and I think there should be a non-intrusive way of determining whether or not a system extension has been approved by the user. You can of course use an activation OSSystemExtensionRequest and determine through the OSSystemExtensionRequestDelegate whether the user needs to approve it (a 'requestNeedsUserApproval:' message is passed) or if the extension has been loaded into the system (a 'request:didFinishWithResult:' message is passed). That's great but the major drawback is that making such a request when the extension is not loaded also starts the action of loading the system extension: The user is shown a system popup window and the 'Allow' request shows up in System Preferences > Security & Privacy.

I think being able to check this is very useful. Say, for instance, you have an app with optional features, one of which requires the activation of a system extension. If we could check the load status of that system extension, we could display to the user a proper UI that can either:
- suggest that it could be activated and, if/when they choose to do so, start the loading process and guide the user;
- show to the user that it is already approved and working;

There are some ways to achieve this that I've thought about, but they seem to be hacks rather than a proper way of doing things:
1) Trying to parse the output of 'systemextensionsctl list'. It seems problematic since an extension can appear multiple times in here (based on successive activations / deactivations) and also since the output isn't particularly documented.
2) Opening an NSXPCListener from inside the system extension and determining the activation status of the extension by whether or not a process can connect to this.
3) Attempting to look for a TeamId.com.mybundle.identifier daemon process either through something like SMCopyAllJobDictionaries (now deprecated) or by parsing the output of a 'launchctl' command, such as 'sudo launchctl list TeamId.com.mybundle.identifier 2>&1 | grep PID'.

My suggestion is to add support in OSSystemExtensionRequest for checking the activation status of a system extension.
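As an added illustration of workaround (1) above, and of the "appears multiple times" caveat the report raises, here is a small shell parser for the listing. It is example code written for this page, not code from the report or from Apple. It assumes the layout 'systemextensionsctl list' printed on Catalina/Big Sur: a count line, a '--- category' line, a tab-separated header row 'enabled active teamID bundleID (version) name [state]', and one tab-separated data row per extension record with the bracketed state as the last field. The sample listing, the team ID ABCDE12345 and the bundle identifiers are constructed, not captured from a real machine; on a real system the format could differ and this would need re-checking.

```sh
#!/bin/sh
# Added example: decide whether an Endpoint Security system extension is
# currently "[activated enabled]" by parsing `systemextensionsctl list`.
# The column layout below is an assumption about the tool's (undocumented)
# output, not something the original report or Apple guarantees.

# Print the bracketed state of every row whose bundleID equals $1.
# $2 is the listing text; when omitted, run systemextensionsctl for real.
sysext_states() {
    bundle_id=$1
    listing=${2:-"$(systemextensionsctl list 2>/dev/null)"}
    printf '%s\n' "$listing" | awk -F '\t' -v id="$bundle_id" '
        # Data rows carry a "[state]" last field; the count line, the
        # "--- category" line and the header row are skipped.
        NF >= 6 && $NF ~ /^\[.*\]$/ && $NF != "[state]" {
            split($4, parts, " ")        # column 4 is "bundleID (version)"
            if (parts[1] == id) print $NF
        }'
}

# Succeed only if some row for the bundle is "[activated enabled]".
# After successive activate/deactivate cycles the same bundle shows up
# several times (e.g. an old copy waiting to be uninstalled on reboot),
# so we look at every matching row instead of the first one.
sysext_is_enabled() {
    sysext_states "$1" "$2" | grep -qx '\[activated enabled\]'
}

# Coarse status for a UI decision: enabled / pending-approval / not-loaded.
sysext_status() {
    states=$(sysext_states "$1" "$2")
    if printf '%s\n' "$states" | grep -qx '\[activated enabled\]'; then
        echo enabled
    elif printf '%s\n' "$states" | grep -q 'waiting for user'; then
        echo pending-approval
    else
        echo not-loaded
    fi
}

# Constructed sample listing (assumed format; tabs built with printf so
# the file survives editors that expand them).
T=$(printf '\t')
SAMPLE_LISTING="2 extension(s)
--- com.apple.system_extension.endpoint_security
enabled${T}active${T}teamID${T}bundleID (version)${T}name${T}[state]
${T}${T}ABCDE12345${T}com.example.MyApp.ESExtension (1.0/1)${T}ESExtension${T}[terminated waiting to uninstall on reboot]
*${T}*${T}ABCDE12345${T}com.example.MyApp.ESExtension (1.1/2)${T}ESExtension${T}[activated enabled]
${T}${T}ABCDE12345${T}com.example.Other.Extension (1.0/1)${T}Other${T}[activated waiting for user]"

# Usage against the sample; on a real Mac drop the second argument so the
# functions query systemextensionsctl directly.
sysext_status com.example.MyApp.ESExtension "$SAMPLE_LISTING"   # prints: enabled
```

Note that this only answers "is it activated and enabled"; it still cannot tell you whether a pending request will show the approval prompt again, which is the gap the report asks OSSystemExtensionRequest to close.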

Comments

Also made an apple developer forums post here: https://developer.apple.com/forums/thread/669206

By burcea.bogdan.madalin at Jan. 22, 2021, 2:04 p.m. (reply...)
