Explore the core architecture of the operating system, including the kernel, memory management, and process scheduling.

Post

Replies

Boosts

Views

Activity

iOS writeback behavior for mmap(MAP_SHARED) dirty pages
I'm evaluating a technique to implement a sort of event logger that uses a MAP_SHARED mapping of a file in the app sandbox as an event ring buffer. The reason to use a mapping instead of traditionally allocated memory is to achieve log persistence across app termination of any kind (crashes, SIGKILL, etc.) and keep logs fast by avoiding syscalls.

By definition, a MAP_SHARED area must be coherent with any other RW operations in the system on that file slice, which practically means that the kernel has to use the page cache that is used to serve RW requests. This in turn means that after the app process terminates for any reason, the content of that memory will not be discarded but rather will be available on the next app start via open()/read() or mmap() for that file.

msync() can be used to tell the kernel to initiate "writeback", that is, to flush modified mapping pages to the corresponding locations in non-volatile storage, but I haven't found any description of what the writeback policy is if the user opts to NOT use msync() at all, and similarly no means to control this. In my case it appears to be important: if the kernel does some automatic writebacks on its own, intensive logger traffic would put unneeded IO load on the disk device.

After some experiments I was able to figure out that e.g. Linux is able to issue periodic writebacks w/o explicit msync(). For OS X, according to "fs_usage -f diskio", no writeback occurs until the app terminates (better to say, until the last reference in the system to that MAP_SHARED area is dropped).

I'm now interested to learn about iOS behavior. Is it the same as OS X (no automatic writebacks)? Alternatively, I'd be happy to hear if there are other techniques available for an iOS app to "pin" some memory so its content could survive app termination. Shared memory with an associated "retainer" process would work on other platforms, but here we are limited to a single process. Thanks.
5
0
485
Aug ’24
SMAppService.daemon initial pkg install
What I did

Started with the example at https://developer.apple.com/documentation/servicemanagement/updating-your-app-package-installer-to-use-the-new-service-management-api

Changed it to configure a system daemon instead:

    let service = SMAppService.daemon(plistName: "com.xpc.example.daemon.plist")

Disabled automatic register in the package postinstall script (or else pkg install fails)

Built/Installed the package, it just places files on the disk

Validated install files

Ran the test|register commands by hand:

    sudo ../SMAppServiceSampleCode.app/Contents/MacOS/SMAppServiceSampleCode register

Dealt with System Settings user interaction to do this

Validated that com.xpc.example.daemon is installed and ready to work:

    sudo launchctl list | grep example
    sudo launchctl print system/com.xpc.example.daemon

Got it to successfully do some work, YAY:

    sudo ../SMAppServiceSampleCode.app/Contents/MacOS/SMAppServiceSampleCode test

Expectations

My users would obviously download and install this pkg, so I want to make it easy for them. I would expect that I could call SMAppService.daemon(plistName: "...").register() during the package postinstall installation step and the system daemon would be configured.

Observations

After getting all my teeth pulled, why can't I just do that? Why so many hurdles for the dev and the end user, asking them to code sign this and that, notarize this and that, click here and there, accepting this and that? I understand the job of a developer, but for the end user this should be relatively easy.

Questions

Do I need to start a DTS ticket to get this simple flow to work? It could be I'm missing step 42 in my endeavor :-)
0
0
320
Aug ’24
block all USB devices
Hello, I am working on an app which must prevent attaching any USB devices to a Mac for security reasons. Unfortunately I have not found any direct way to implement such blocking:

Looks like IOKit does not allow blocking USB (at least in user space)

ES_EVENT_TYPE_AUTH_IOKIT_OPEN (Endpoint Security) does not prevent using a USB device if I send the response ES_AUTH_RESULT_DENY for "AppleUSBHostDeviceUserClient"

I have found several similar problems on the forum but no solution:

https://developer.apple.com/forums/thread/671193
https://developer.apple.com/forums/thread/756573
https://developer.apple.com/forums/thread/741051

What is the easiest way to implement such blocking? Thank you in advance!
6
0
576
Aug ’24
Missing value for od_group_add & od_group_remove
I'm writing an ES client; as part of that I want to monitor when a user is being added/removed to/from a group. From my understanding I should be able to get the name of the user with msg->event.od_group_remove->member->member_value.name.data, but it looks like this field gets populated randomly. I will trigger a similar event a couple of times, for example adding a user to a group, and on one occasion this will hold a value, on another it will be empty. I also tried to check different fields, and surprisingly od_create_user->user_name holds the name of the group I am editing, not the name of the user I am adding to the group (but I'm not sure if it should even be engaged at this point). Am I missing something? Is there a workaround? Or is this a bug?
3
0
343
Aug ’24
Daemon has reduced permissions after migrating from SMJobBless to SMAppService
Hello, I am working on updating an app to see if we can remove deprecated API usage, and am running into an issue after migrating from SMJobBless to SMAppService. If there is no current solution, I know that SMJobBless still works, but I wish to move to non-deprecated APIs whenever possible.

The app is a text editor that installs a privileged helper for when users need to edit text files with root privileges. The example I'll use here is /etc/ssh/sshd_config. When using SMJobBless, the privileged helper was able to write to this location. When using SMAppService.daemon, the daemon is not able to write to this location.

Neither the app nor the daemon are sandboxed. Both use the hardened runtime, and the daemon does not have any hardened runtime exceptions. I'm not sure how to attach a debugger to the daemon, but I was able to add logging to the daemon to confirm that getuid() and geteuid() are both 0, so the daemon appears to be running as root. However, the daemon is returning permission errors when attempting to replace the file.

    {Error Domain=NSPOSIXErrorDomain Code=1 "Operation not permitted"}

I've tried both atomic saving and writing directly to the file. When this code is run by the privileged helper installed with SMJobBless, it works without permissions problems. Here is some simplified code I tried for atomic saving.

    do {
        let fileManager = FileManager.default
        try? fileManager.createDirectory(at: originalItemURL.deletingLastPathComponent(), withIntermediateDirectories: true)
        _ = try fileManager.replaceItemAt(originalItemURL, withItemAt: newItemURL, options: options)
        completionHandler(nil)
    } catch {
        completionHandler(error)
    }

And the code for writing directly to the file

    do {
        try data.write(to: url)
        completionHandler(nil)
    } catch {
        completionHandler(error)
    }

One thing I should note is that the privileged helper tool had a launchd plist embedded in the binary. When moving to SMAppService, I removed it from the build settings and added BundleProgram to it. It gets placed in my app bundle in Contents/Library/LaunchDaemons, while the daemon itself gets put in Contents/MacOS. The plist only contains the following keys: BundleProgram, Label, MachServices, and AssociatedBundleIdentifiers.

Is there anything additional I can do to give my daemon permission to edit these files, or do I need to stick with SMJobBless for the time being?
2
0
333
Aug ’24
Force Item Download in File Provider
I have a file provider implementation where, in some cases, we must force download items, so they get materialized in the local cache. I've used requestdownloadforitem based on the following documentation: https://developer.apple.com/documentation/fileprovider/nsfileprovidermanager/requestdownloadforitem(withidentifier:requestedrange:) I'm calling this within the Extension code, but this does not trigger the download. How can I force the file provider to download a file? Cheers,
1
0
333
Aug ’24
Transparent Proxy Provider, UDP, mbufs, and inevitable panics
First, for the Apple employees reading, I filed FB14844573 over the weekend, because this is a reproducible panic or hang. whee

I ran our stress tests for an entire long weekend, and my machine panicked, due to mbufs. Normally, I tell my coworkers that we can't really do anything to cause a panic -- but we're doing network things, so this is an exception. I started periodically testing the mbufs while the tests were running -- netstat -m | grep 'mbufs in use' -- and noticed that in fact they were going up, and never decreasing. Even if I killed our code and uninstalled the extensions. (They're increasing at about ~4 mbufs/sec.)

Today I confirmed that this only happens if we include UDP packets:

    let udpRule = NENetworkRule(destinationNetwork: host, prefix: 0, protocol: .UDP)
    let tcpRule = NENetworkRule(destinationNetwork: host, prefix: 0, protocol: .TCP)
    ...
    settings.includedNetworkRules = [udpRule, tcpRule]

If I comment out that udpRule part, mbufs don't leak.

Our handleNewUDPFlow(_:initialRemoteEndpoint:) method checks to see if the application is a friendly one, and if so it returns false. If it isn't friendly, we want to block QUIC packets:

    if let host = endpoint as? NWHostEndpoint {
        if host.port == "80" || host.port == "443" {
            // We need to open it and then close it
            flow.open(withLocalEndpoint: nil) { error in
                Self.workQueue.asyncAfter(deadline: .now() + 0.01) {
                    let err = error ?? POSIXError(POSIXErrorCode.ECONNABORTED)
                    flow.closeReadWithError(err)
                    flow.closeWriteWithError(err)
                }
            }
            return true
        }
    }
    return false

Has anyone else run into this? I can't see that it's my problem at that point, since the only thing we do with UDP flows is to either say "we don't want it, you handle it" or "ok sure, we'll take it but then let's close it immediately".
3
0
313
Aug ’24
Does CallKit have a call waiting timeout?
Hello, We are implementing an mVOIP service using CallKit. I have a question. When receiving a call with CallKit, the CXEndCallAction callback is received by the provider after one minute. We didn't request this separately on our end. Is this a policy from Apple? If so, is it possible to modify this behavior, and are there any related APIs or documentation? Thank you.
1
1
353
Aug ’24
MacOS 15 beta freezes
While using a variety of apps in macOS 15 beta 6 & 7 they will freeze. It seems like it happens when you stop typing in Pages or while doing something in Preview. Forcing it to quit and restarting sometimes allows some more progress but it is very slow. Printing is unworkable. This first started in Beta 6 and I hoped Beta 7 would fix it but no, it seems to be worse. I'm using a Mac M2 Mini with 24 Gb of memory. No problems with Mail or Safari. Haven't tried working with Xcode.
1
0
354
Aug ’24
Unable to commission with wifi device using iOS matter framework
Hi there: I am following the document https://developer.apple.com/documentation/mattersupport to add a wifi sensor to my own fabric. I added MatterExtension, set Matter Allow Setup Payload = YES, and added the following to info.plist:

    _matter._tcp
    _matterc._udp
    _matterd._udp
    _meshcop._udp

I still cannot get the callback from MatterAddDeviceExtensionRequestHandler commissionDevice. I know print logs cannot be seen in an Extension, but I still cannot see any logs even when using os_log.
2
0
343
Aug ’24
macOS Sequoia 15.1 Beta 2 fails to install as Virtual Machine using Apple's "RunningMacOSInAVirtualMachineOnAppleSilicon" sample project
Every time I attempt to install the macOS Sequoia 15.1 Beta 2 IPSW (UniversalMac_15.1_24B5024e_Restore.ipsw) it fails with the following error in installWithCompletionHandler:

    Error Domain=com.apple.MobileDevice.MobileRestore Code=3194 "Declined to authorize this DFU file on this device for this user." UserInfo={NSLocalizedDescription=Declined to authorize this DFU file on this device for this user., NSLocalizedFailureReason=Bei der Installation ist ein unbekannter Fehler aufgetreten.}

I'm running macOS Sonoma 14.6.1, tried with both MobileDevice.pkg from Xcode 16 beta installed and with the official Device Support for macOS 15 beta installed. In either case it fails with the same error. The upgrade also fails within a VM for both macOS Sequoia 15.0 Beta 7 and macOS Sequoia 15.1 Beta 2. After pressing Update Now in System Settings › General › Software Update the VM restarts and shows a crash report which unfortunately doesn't contain any useful info (and can't be sent since Apple ID login is only supported with a macOS 15 host...) Anyone know how to solve this?
4
0
1k
Aug ’24
Does Live Caller ID Lookup entirely replace Call SIP content, or are they ever combined?
If an iPhone receives an incoming call with some partial SIP content (for example it contains a name but not an image, or vice versa), and if there is an app enabled for Live Caller ID Lookup, and the result of that lookup supplies data not in the SIP (i.e. the lookup returns an image, but not a name, or vice versa), then could the OS combine data from both sources, or is whatever is returned from the LCIDL what gets displayed in the call screen? I suppose that is the case but just want to enquire to make sure. Thank you
3
0
332
Aug ’24
terminal input buffer size
Hi all. When I run a command in the terminal that reads user input from stdin, for example base64, I can paste or type up to 1024 characters (bytes). After that the terminal starts beeping and does not allow me to type or paste any more input. Where is the terminal input buffer set and how can I increase it? Thank you
2
0
308
Aug ’24
How to make Bluetooth transfer rate faster
I used two iPhones to transfer data via Bluetooth, and the MTU used was 512 bytes. I got 56bps in withResponse mode and around 200bps in withoutResponse mode. I wonder how to achieve a faster rate, let's say LE 1Mbps mode or LE 2Mbps mode. My central device and peripheral device are both iPhones; I don't know if there is a limit between them. My goal is just to know how I can achieve a faster rate.

1、Two iPhones connected via Bluetooth
2、Test separately with withoutResponse and withResponse
3、Calculate the transmission rate per second
4、In withoutResponse mode, the peripheral receives about 46 packets of 512 bytes per second
5、In withResponse mode, the peripheral receives about 13 packets of 512 bytes per second
6、So I get rates of 56bps and 200bps
1
0
439
Aug ’24
iPad os 18.1 not visible on iPad Pro m4
I have an iPad Pro M4 version. I have updated my iPad with iPadOS 18 beta 7 but I can’t find iPadOS 18.1 beta 2. It’s just not showing. When I go to software updates and click it, it only allows me to select iPadOS 18 public beta and iPadOS 18 developer beta. There is no iPadOS 18.1 developer beta option in it. Plz help
2
1
468
Aug ’24
iOS 18 public beta not working
So I was in the UK and downloaded the iOS 18 public beta and updated to it, then I went on holiday to a country that doesn’t support iOS public betas, and now I’m back in the UK and a new public beta has been released and it’s not showing up. Help, I love the update, I need new features
1
0
355
Aug ’24