
shield's People

Contributors

theevilbit avatar


shield's Issues

Whitelist functionality would need learning mode

I have lots of background processes spawning DYLD_INSERT_LIBRARIES notifications… simply launching iTerm or updating Homebrew will spawn those, and lots of my own scripts & agents too, and also third-party software like fs protection updating the database in /usr/local.

Can't say what happens during boot.

So I believe that a whitelist functionality should come with some kind of learning mode that persists across logouts or reboots, so the user can run Shield in that state for a day or half a day, and when the user stops learning mode, Shield will present all the recorded events for the user to approve or block.

PS: learning mode should still include notifications, so in effect it would be standard monitor mode plus learning mode.

"anchor trusted" -> "anchor apple generic"

The connection to the XPC helper is validated here:

requirementStringApp = [NSString stringWithFormat:@"anchor trusted and identifier \"%@\" and certificate leaf[subject.OU] = \"%@\"", MAIN_APP_ID, TEAM_ID];

This results in the requirement string:

anchor trusted and identifier "com.csaba.fitzl.shield" and certificate leaf[subject.OU] = "33YRLYRBYV"

According to Apple's documentation, the "anchor" syntax can be used as:

  • anchor apple: Apple's own code
  • anchor apple generic: Apple's own code and certificates issued by Apple to Apple Developers
  • anchor trusted: signed by a code signing certificate that is trusted according to the system's Trust Settings database

Almost all applications I've seen that use a requirement string for validating an XPC connection use anchor apple generic. Shield is one of the few apps I found that use anchor trusted.

If I understand the documentation correctly, any code signing certificate issued by one of the system trusted roots could be used if it has an OrganizationalUnit (OU) of "33YRLYRBYV". Obviously, Apple would not issue such a certificate to another developer, but other roots might. Because the OU field typically refers to a unit in a company, it is very likely that it would be possible to obtain a code signing certificate with an arbitrary value in that field. (Because code signing certificates are not free, I have not actually tried that.) With that certificate it would be possible to sign apps that can communicate with the extension.
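The following is an added example, not Shield's code: it shows what the requirement string looks like once rooted at `anchor apple generic`, and how a listener can check the peer of an incoming NSXPCConnection against it. The constants stand in for Shield's MAIN_APP_ID and TEAM_ID; the two OID clauses are Apple's documented Developer ID markers (1.2.840.113635.100.6.2.6 on the intermediate, 1.2.840.113635.100.6.1.13 on the leaf) and are an addition beyond the OU check quoted above. The pid-based fallback is the weaker path (the pid can be reused between lookup and use), so on macOS 13 and later the framework's own per-message enforcement is preferred.

```objectivec
#import <Foundation/Foundation.h>
#import <Security/Security.h>

// Assumed constants standing in for Shield's MAIN_APP_ID / TEAM_ID (Constants.h).
static NSString *const kMainAppID = @"com.csaba.fitzl.shield";
static NSString *const kTeamID    = @"33YRLYRBYV";

// Requirement rooted at Apple's certificate chain rather than at the system's
// Trust Settings database. With "anchor apple generic" a code signing
// certificate from some other trusted root cannot satisfy the OU clause, which
// is the gap described in the issue. The OID clauses additionally pin the
// chain to a Developer ID intermediate and a Developer ID Application leaf.
static NSString *developerIDRequirementString(void) {
    return [NSString stringWithFormat:
            @"anchor apple generic"
            @" and certificate 1[field.1.2.840.113635.100.6.2.6] /* exists */"
            @" and certificate leaf[field.1.2.840.113635.100.6.1.13] /* exists */"
            @" and certificate leaf[subject.OU] = \"%@\""
            @" and identifier \"%@\"",
            kTeamID, kMainAppID];
}

// Compile the requirement text once at startup. A syntax error here would
// otherwise turn into a silently failing (or skipped) check at connect time.
static SecRequirementRef compileRequirement(NSString *text) {
    SecRequirementRef requirement = NULL;
    OSStatus status = SecRequirementCreateWithString((__bridge CFStringRef)text,
                                                     kSecCSDefaultFlags,
                                                     &requirement);
    if (status != errSecSuccess) {
        NSLog(@"requirement did not compile: %d", (int)status);
        return NULL;
    }
    return requirement;   // caller owns it (CFRelease)
}

// Validate the peer of an incoming connection; call this from
// -listener:shouldAcceptNewConnection: before resuming the connection.
static BOOL validatePeer(NSXPCConnection *connection, NSString *requirementText) {
    if (@available(macOS 13.0, *)) {
        // XPC drops messages from any peer that does not satisfy the requirement.
        [connection setCodeSigningRequirement:requirementText];
        return YES;
    }
    // Fallback for older systems: look the peer up by pid and check it once.
    SecRequirementRef requirement = compileRequirement(requirementText);
    if (requirement == NULL) {
        return NO;
    }
    NSDictionary *attrs = @{ (__bridge NSString *)kSecGuestAttributePid :
                                 @(connection.processIdentifier) };
    SecCodeRef peer = NULL;
    BOOL ok = NO;
    if (SecCodeCopyGuestWithAttributes(NULL, (__bridge CFDictionaryRef)attrs,
                                       kSecCSDefaultFlags, &peer) == errSecSuccess) {
        ok = (SecCodeCheckValidity(peer, kSecCSDefaultFlags, requirement) == errSecSuccess);
        CFRelease(peer);
    }
    CFRelease(requirement);
    return ok;
}

int main(void) {
    @autoreleasepool {
        // Stand-alone check that the requirement text is syntactically valid.
        NSString *text = developerIDRequirementString();
        SecRequirementRef req = compileRequirement(text);
        NSLog(@"%@ -> %s", text, req ? "compiles" : "INVALID");
        if (req) CFRelease(req);
    }
    return 0;
}
```

Build with `clang -framework Foundation -framework Security` and run it to confirm the string compiles; the same `developerIDRequirementString()` value can be checked against a signed binary with `codesign --verify -R` before it is wired into the listener.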

Better Error Message When Shield Doesn't Have Full Disk Access

macOS: 12.1
Architecture: ARM64 (M1)
Shield Version: v1.2

Issue

After installing Shield and approving the System Extension I tried to start it via the drop down menu. However when I click Start I get the following.

(Screenshot: 2022-01-12 at 12:46:09)

Fix

Grant "Shield System Extension" Full Disk Access in System Preferences.

Request

Could you make the error message more descriptive?

If Shield needs Full Disk Access (FDA) it would be useful to display a message telling users to grant FDA. I believe some of the Objective-See tools have logic to detect if FDA has been granted and show a screen with instructions if it has not.
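One way to implement the detection the request asks for, as an added example that is neither Shield's nor Objective-See's code: probe a TCC-protected file and map the result to a message. The probe path, the hypothetical `FDAState` enum and the assumption that a denied open reports EPERM (or EACCES) are all mine, not the page's; a missing probe file is reported as unknown rather than guessed either way.

```objectivec
#import <Foundation/Foundation.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>

// Assumed probe file: a TCC-protected path that is unreadable (even for root)
// unless the caller holds Full Disk Access. This is an assumption about a
// reasonable probe, not a path Shield uses.
static NSString *const kProbePath =
    @"/Library/Application Support/com.apple.TCC/TCC.db";

typedef NS_ENUM(NSInteger, FDAState) {
    FDAStateGranted,
    FDAStateDenied,
    FDAStateUnknown,   // probe file missing or unexpected error: do not claim either way
};

// Try to open the probe file read-only; the errno of a failed open is the
// only signal used, so nothing is read or modified.
static FDAState fullDiskAccessState(void) {
    int fd = open(kProbePath.fileSystemRepresentation, O_RDONLY);
    if (fd >= 0) {
        close(fd);
        return FDAStateGranted;
    }
    // Assumption: a TCC denial surfaces as EPERM; EACCES is treated the same way.
    return (errno == EPERM || errno == EACCES) ? FDAStateDenied : FDAStateUnknown;
}

// Text the app could show instead of a bare failure when Start is clicked.
// Returns nil when there is nothing to tell the user.
static NSString *startupMessageForState(FDAState state) {
    switch (state) {
        case FDAStateGranted:
            return nil;
        case FDAStateDenied:
            return @"Shield System Extension needs Full Disk Access. Grant it in "
                    "System Preferences > Security & Privacy > Privacy > Full Disk Access, "
                    "then start Shield again.";
        case FDAStateUnknown:
            return @"Could not determine whether Full Disk Access is granted; "
                    "if Shield fails to start, check the Full Disk Access list in System Preferences.";
    }
    return nil;
}

int main(void) {
    @autoreleasepool {
        FDAState state = fullDiskAccessState();
        NSString *message = startupMessageForState(state);
        NSLog(@"FDA state %ld: %@", (long)state, message ?: @"granted, nothing to show");
    }
    return 0;
}
```

The check should run in the same process that needs the access (here the system extension, not the menu bar app), because TCC grants are per responsible binary; a result from the app does not say anything about the extension.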

Catalina: Shield disabled after wake from deep sleep

I use deep sleep (a.k.a. hibernation) instead of regular sleep, including destruction of FileVault keys, i.e. RAM content is written to disk.

After installing Shield (and having it run at time of deep sleep), strange things happen during wake after entering my FileVault password:

  • waking from this state takes very long, almost one minute
  • this includes a spinning beachball on the login screen
  • Shield itself is disabled afterwards

This disabling of Shield only seems to affect the app itself, not the system extension. Trying to stop and restart from the menu doesn't work. I actually have to quit and relaunch Shield, and only then start the watcher. Only then will the Shield notifications return.

That's why I think that it has nothing to do with the system extension. But maybe—because macOS unloads the system extension before hibernation—the Shield app doesn't know what to do when the SEXT is gone without an actual command from the app itself, and before it can do or find anything, macOS will start hibernation, and then, at wake, Shield tries to continue that process, but eventually fails or times out, ergo spinning beach ball. (?)

To replicate, here are my pm settings (2018 MBP, i9, maxed-out, Catalina 10.15.7):

❯ pmset -g
System-wide power settings:
 DestroyFVKeyOnStandby		1
Currently in use:
 standby              1
 standbydelaylow      30
 womp                 0
 halfdim              0
 hibernatefile        /var/vm/sleepimage
 proximitywake        0
 gpuswitch            2
 powernap             0
 networkoversleep     0
 disksleep            25
 standbydelayhigh     30
 sleep                5
 hibernatemode        25
 ttyskeepawake        0
 displaysleep         5
 tcpkeepalive         0
 highstandbythreshold 100
 acwake               0
 lidwake              0

Inconsistent Writing of Preference File Values

macOS Version: macOS 11.2 (20D64)
Kernel Version: Darwin 20.3.0
Shield Version: v0.9.5
User Type: Admin
Terminal Full Disk Access: Yes
SIP: Enabled

While discovering #11 I noticed that the value of isRunning is not consistently updated in the PREFS_FILE (com.csaba.fitzl.shield.preferences.plist) when the UI Preferences Toggle is changed or the Menu Bar menu is used to start/stop Shield.

It appears that the value of isRunning being updated in com.csaba.fitzl.shield.preferences.plist is linked to value of isBlocking being changed.

Steps to Reproduce

  1. Open Shield Preferences
  2. Disable all injection protection settings
    • This is not necessary for reproduction, it just makes it easier to read the defaults output later on
  3. Enable Shield and enable blocking mode
  4. Execute defaults read /Library/Application\ Support/Shield/com.csaba.fitzl.shield.preferences.plist
    • The result should be:
        isBlocking = 1;
        isRunning = 1;
  5. Disable Shield via the Shield Preferences UI or Menu Bar UI
  6. Execute defaults read /Library/Application\ Support/Shield/com.csaba.fitzl.shield.preferences.plist
    • The result should be:
        isBlocking = 1;
        isRunning = 1;
    • However the Shield Preferences UI and Menu Bar UI will indicate that Shield is stopped
  7. Disable Blocking Mode
  8. Execute defaults read /Library/Application\ Support/Shield/com.csaba.fitzl.shield.preferences.plist
    • The result should be:
        isBlocking = 0;
        isRunning = 0;
  9. Enable Shield via the Shield Preferences UI or Menu Bar UI
    • Execute defaults read /Library/Application\ Support/Shield/com.csaba.fitzl.shield.preferences.plist
    • The result should be:
        isBlocking = 0;
        isRunning = 0;

These steps also work if you start with Blocking Mode disabled and enable it in step 7 rather than disabling it.

The value of isRunning is also not updated if you close the Shield Preferences window then execute the defaults read command.

Always display process name (if possible)

I know that whitelists are on the ToDo list, but for starters, a display of the process name in the Shield notification would be nice. It works for some injections, but not all.

Example: I'm currently getting injection warnings during normal browser operations.

Safari extensions produce a dylib hijacking warning, and the path is included.

In the Firefox browser, however, I'm getting an environment variable injection warning, but no path, just "victim process", so I can't say what process is behind it. It happens whenever I open a URL/link in a new browser tab, so I assume that it's the system-wide Adguard adblocker (running as a network extension)… but it might also be 1Password or the Adobe PDF web extension (NativeMessagingHost).

Or it's Firefox itself and its extensions. (?)

EDIT: it's not Adguard, because other apps/browsers also managed by Adguard do not spawn a Shield notification.

Can't Access Shield Preferences via defaults read $BUNDLE_ID or defaults read $HELPER_BUNDLE_ID

macOS Version: macOS 11.2 (20D64)
Kernel Version: Darwin 20.3.0
Shield Version: v0.9.5
User Type: Admin
Terminal Full Disk Access: Yes
SIP: Enabled

Trying to access the Shield preferences via defaults using the BUNDLE_ID & HELPER_BUNDLE_ID (as defined in Constants.h) produces the following errors:

$ defaults read com.csaba.fitzl.shield.ShieldHelper
2021-02-08 23:36:29.790 defaults[8539:479032] 
Domain com.csaba.fitzl.shield.ShieldHelper does not exist


$ defaults read com.csaba.fitzl.shield             
2021-02-08 23:40:52.026 defaults[8715:483516] 
Domain com.csaba.fitzl.shield does not exist

To access the Shield preferences you need to use the full path of the preferences file which is DIR_PATH_ES + PREFS_FILE (as defined in Constants.h).

$ defaults read /Library/Application\ Support/Shield/com.csaba.fitzl.shield.preferences.plist
{
    isBlocking = 1;
...
}

You mentioned in the v0.9.5 release notes that you've been using some of the Objective-See code, this works fine for OverSight (defaults read com.objective-see.OverSight) but not BlockBlock so the implementation of preferences in OverSight might help debug this.

es_new_client_result_t 1 error

Shield s.ext fails to install on newer macOS with above error along with a freeze (with potential to panic on boot) when it did work (filed)

(No logs for this bug as it just fails to install)

Invalid UTF8 in environment variable raises exception

I think the if-statement on line 256 was intended to refer to environment instead of env:

Shield/procmon/Process.m

Lines 254 to 260 in f8666ca

//convert env
environment = convertStringToken(&currentEnv);
if(nil != env)
{
//append
[self.env addObject:environment];
}

env shouldn't ever be nil, because it is initialized as an NSMutableArray.

If an environment variable contains invalid UTF8 (which is entirely legal on macOS), then convertStringToken will return nil. Due to the wrong check, a nil object will be added to an NSMutableArray, which raises an exception (likely crashing the process).

See also objective-see/LuLu#305 for a similar bug.
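As an added example (not Shield's code), here is the loop with the check moved onto the freshly converted token, together with a stand-in `convertStringToken` that returns nil for bytes that are not valid UTF-8 so the failure mode is reproducible offline. The helper, `collectEnvironment` and the sample buffer are constructed for the example and are not Shield's implementation; the point is that `-addObject:` raises NSInvalidArgumentException when handed nil, and the guard must therefore test the object about to be added, not the array that is always non-nil.

```objectivec
#import <Foundation/Foundation.h>
#include <string.h>

// Hypothetical stand-in for Shield's convertStringToken: consume one
// NUL-terminated token from *cursor, advance the cursor past it, and return
// the token as an NSString, or nil if the bytes are not valid UTF-8.
static NSString *convertStringToken(const char **cursor) {
    const char *start = *cursor;
    size_t length = strlen(start);
    *cursor = start + length + 1;   // step past the terminating NUL
    // -initWithBytes:length:encoding: returns nil on undecodable input.
    return [[NSString alloc] initWithBytes:start
                                    length:length
                                  encoding:NSUTF8StringEncoding];
}

// Hypothetical: collect `count` environment tokens from a packed buffer,
// dropping any that fail to decode instead of crashing on them.
static NSMutableArray<NSString *> *collectEnvironment(const char *buffer, int count) {
    NSMutableArray<NSString *> *env = [NSMutableArray array];   // never nil from here on
    const char *currentEnv = buffer;
    for (int i = 0; i < count; i++) {
        // convert env
        NSString *environment = convertStringToken(&currentEnv);
        if (nil != environment) {        // test the token, not the array
            // append
            [env addObject:environment];
        }
        // else: invalid UTF-8 (legal on macOS); skipped rather than passed to
        // -addObject:, which would throw NSInvalidArgumentException for nil
    }
    return env;
}

int main(void) {
    @autoreleasepool {
        // Constructed sample: two valid entries and one containing bytes that
        // are not valid UTF-8 (0xFF 0xFE).
        const char buffer[] = "HOME=/Users/alice\0BAD=\xff\xfe\0SHELL=/bin/zsh\0";
        NSArray<NSString *> *env = collectEnvironment(buffer, 3);
        // Expect HOME=... and SHELL=...; the BAD=... entry is dropped.
        NSLog(@"%lu kept: %@", (unsigned long)env.count, env);
    }
    return 0;
}
```

Whether a dropped variable should be logged or recorded as a placeholder (for example a literal marker string) is a design choice; what matters for stability is that nothing nil reaches the array.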

Shield Preferences: Confusing Preference Title

This is a tiny nitpick issue.

In Shield's Preferences, the title of the switch which enables or disables Shield is "start / stop", which is the opposite of the toggle position. When the toggle switch is to the right, Shield is started, not stopped.

The title string below

<textFieldCell key="cell" lineBreakMode="clipping" title="start / stop system extension" id="CuK-K6-aXj">

could be changed to

title="stop / start system extension"

to correct this.
