HarfangLab / endpoint-sec

Rust Bindings for Endpoint Security
https://docs.rs/endpoint-sec/
Apache License 2.0

Support macOS 15 SDK #52

Open roblabla opened 3 months ago

roblabla commented 3 months ago

Xcode 16 beta came out at WWDC24, and with it came a new SDK for macOS 15.

Apple reformatted the header (and in the process broke a bunch of pretty comments), which made diffing more complicated than it needed to be.

Here's a cleaned up diff ```diff diff --color Documents/foss/MacOSX-SDKs/MacOSX14.5.sdk/usr/include/EndpointSecurity/ESMessage.h /Users/roblabla/Downloads/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/ESMessage.h 89a91 > * ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE 394a397,399 > * @note Not all AUTH_KEXTLOAD events can be delivered. > * In rare circumstances when kextloading is blocking all userspace execution it will be automatically allowed. > * NOTIFY_KEXTLOAD will still be (eventually) delivered. 465a471,480 > // The following types are used in mount events > typedef enum { > ES_MOUNT_DISPOSITION_EXTERNAL, // device is external storage > ES_MOUNT_DISPOSITION_INTERNAL, // device is internal storage > ES_MOUNT_DISPOSITION_NETWORK, // device is a network share > ES_MOUNT_DISPOSITION_VIRTUAL, // device is virtual (dmg or file) > ES_MOUNT_DISPOSITION_NULLFS, // mount uses nullfs, commonly for app translocation > ES_MOUNT_DISPOSITION_UNKNOWN // unable to determine disposition > } es_mount_disposition_t; > 469a485 > * @field disposition The device disposition of the f_mntfromname 474,475c490,492 < struct statfs * _Nonnull statfs; < uint8_t reserved[64]; --- > struct statfs *_Nonnull statfs; > es_mount_disposition_t disposition; /* field available only if message version >= 8 */ > uint8_t reserved[60]; 494,495c511,514 < * < * @note This event type does not support caching. --- > * @field remount_flags The provided remount flags > * @field disposition The device disposition of the f_mntfromname > > * @note This event type does not support caching (notify-only). 
498,499c517,520 < struct statfs * _Nonnull statfs; < uint8_t reserved[64]; --- > struct statfs *_Nonnull statfs; > uint64_t remount_flags; /* field available only if message version >= 8 */ > es_mount_disposition_t disposition; /* field available only if message version >= 8 */ > uint8_t reserved[52]; 1028a1051 > * @field instigator The process that instigated the materialize operation. 1030a1054 > * @field instigator_token Audit token of the process that instigated this event. 1035,1038c1059,1063 < es_process_t * _Nonnull instigator; < es_file_t * _Nonnull source; < es_file_t * _Nonnull target; < uint8_t reserved[64]; --- > es_process_t *_Nullable instigator; > es_file_t *_Nonnull source; > es_file_t *_Nonnull target; > audit_token_t instigator_token; // Available in msg versions >= 8. > uint8_t reserved[32]; 1478,1489c1503,1515 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). < * @field record_type OD record type against which OD is authenticating. < * Typically "Users", but other record types can auth too. < * @field record_name OD record name against which OD is authenticating. < * For record type "Users", this is the username. < * @field node_name OD node against which OD is authenticating. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field record_type OD record type against which OD is authenticating. > * Typically "Users", but other record types can auth too. > * @field record_name OD record name against which OD is authenticating. > * For record type "Users", this is the username. > * @field node_name OD node against which OD is authenticating. 
> * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 1492c1518 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1496a1523 > audit_token_t instigator_token; // Available in msg versions >= 8. 1507,1514c1534,1542 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). < * @field touchid_mode TouchID authentication type < * @field has_uid Describes whether or not the uid of the user authenticated is available < * @field uid Union that is valid when `has_uid` is set to `true` < * @field uid.uid uid of user that was authenticated. < * This will be set when `success` is true and `touchid_mode` is of < * verification type i.e. ES_TOUCHID_MODE_VERIFICATION --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field touchid_mode TouchID authentication type > * @field has_uid Describes whether or not the uid of the user authenticated is available > * @field uid Union that is valid when `has_uid` is set to `true` > * @field uid.uid uid of user that was authenticated. > * This will be set when `success` is true and `touchid_mode` is of > * verification type i.e. ES_TOUCHID_MODE_VERIFICATION > * @field instigator_token Audit token of the process that instigated this event. 1517c1545 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1522a1551 > audit_token_t instigator_token; // Available in msg versions >= 8. 1528,1533c1557,1564 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). < * @field pubkey_hash Hash of the public key which CryptoTokenKit is authenticating. 
< * @field token_id Token identifier of the event which CryptoTokenKit is authenticating. < * @field kerberos_principal Optional. This will be available if token is used for GSS PKINIT < * authentication for obtaining a kerberos TGT. NULL in all other cases. --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field pubkey_hash Hash of the public key which CryptoTokenKit is authenticating. > * @field token_id Token identifier of the event which CryptoTokenKit is authenticating. > * @field kerberos_principal Optional. This will be available if token is used for GSS PKINIT > * authentication for obtaining a kerberos TGT. NULL in all other cases. > * @field instigator_token Audit token of the process that instigated this event. > * 1536c1567 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1539a1571 > audit_token_t instigator_token; // Available in msg versions >= 8. 1878a1913,1914 > * @field instigator_token Audit token of the process that instigated this event. > * @field app_token Audit token of the app process that registered the item. 1889a1926,1927 > audit_token_t *_Nullable instigator_token; // Available in msg versions >= 8. > audit_token_t *_Nullable app_token; // Available in msg versions >= 8. 1900a1939,1940 > * @field instigator_token Audit token of the process that instigated this event. > * @field app_token Audit token of the app process that removed the item. 1905,1907c1945,1949 < es_process_t * _Nullable instigator; < es_process_t * _Nullable app; < es_btm_launch_item_t * _Nonnull item; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable app; > es_btm_launch_item_t *_Nonnull item; > audit_token_t *_Nullable instigator_token; // Available in msg versions >= 8. > audit_token_t *_Nullable app_token; // Available in msg versions >= 8. 
1951,1962d1991 < * @brief This enum describes the type of plugin types in sudo < */ < typedef enum { < ES_SUDO_PLUGIN_TYPE_UNKNOWN, < ES_SUDO_PLUGIN_TYPE_FRONT_END, < ES_SUDO_PLUGIN_TYPE_POLICY, < ES_SUDO_PLUGIN_TYPE_IO, < ES_SUDO_PLUGIN_TYPE_AUDIT, < ES_SUDO_PLUGIN_TYPE_APPROVAL, < } es_sudo_plugin_type_t; < < /** 1982,1983c2011,2012 < * @field from_uid Optional. The uid of the user who initiated the su < * @field from_name Optional. The name of the user who initiated the su --- > * @field from_uid Optional. The uid of the user who initiated the sudo > * @field from_username Optional. The username of the user who initiated the sudo 2018c2047,2048 < * @field item Profile install item. --- > * @field profile Profile install item. > * @field instigator_token Audit token of the process that instigated this event. 2024c2053 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2026c2055,2056 < es_profile_t * _Nonnull profile; --- > es_profile_t *_Nonnull profile; > audit_token_t instigator_token; // Available in msg versions >= 8. 2032c2062,2063 < * @field item Profile being removed. --- > * @field profile Profile being removed. > * @field instigator_token Audit token of the process that instigated this event. 2038,2039c2068,2070 < es_process_t * _Nonnull instigator; < es_profile_t * _Nonnull profile; --- > es_process_t *_Nullable instigator; > es_profile_t *_Nonnull profile; > audit_token_t instigator_token; // Available in msg versions >= 8. 2049a2081,2082 > * @field instigator_token Audit token of the process that submitted the petition. > * @field petitioner_token Audit token of the process that created the petition. 
2054,2055c2087,2088 < es_process_t * _Nonnull instigator; < es_process_t * _Nullable petitioner; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable petitioner; 2058c2091,2093 < es_string_token_t * _Nullable rights; --- > es_string_token_t *_Nullable rights; > audit_token_t instigator_token; // Available in msg versions >= 8. > audit_token_t petitioner_token; // Available in msg versions >= 8. 2084a2120,2121 > * @field instigator_token Audit token of the process that submitted the petition. > * @field petitioner_token Audit token of the process that created the petition. 2089,2090c2126,2127 < es_process_t * _Nonnull instigator; < es_process_t * _Nullable petitioner; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable petitioner; 2093c2130,2132 < es_authorization_result_t * _Nullable results; --- > es_authorization_result_t *_Nullable results; > audit_token_t instigator_token; // Available in msg versions >= 8. > audit_token_t petitioner_token; // Available in msg versions >= 8. 2114,2122c2153,2162 < * @field instigator Process that instigated operation (XPC caller). < * @field group_name The group to which the member was added. < * @field member The identity of the member added. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field group_name The group to which the member was added. > * @field member The identity of the member added. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. 
> * @field instigator_token Audit token of the process that instigated this event. 2129c2169 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2134a2175 > audit_token_t instigator_token; // Available in msg versions >= 8. 2140,2148c2181,2190 < * @field instigator Process that instigated operation (XPC caller). < * @field group_name The group from which the member was removed. < * @field member The identity of the member removed. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field group_name The group from which the member was removed. > * @field member The identity of the member removed. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2155c2197 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2160a2203 > audit_token_t instigator_token; // Available in msg versions >= 8. 2185,2195c2227,2238 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field group_name The group for which members were set. < * @field members Array of new members. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. 
If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field group_name The group for which members were set. > * @field members Array of new members. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2202c2245 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2207a2251 > audit_token_t instigator_token; // Available in msg versions >= 8. 2213,2223c2257,2268 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field account_type The type of the account for which the password was modified. < * @field account_name The name of the account for which the password was modified. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field account_type The type of the account for which the password was modified. > * @field account_name The name of the account for which the password was modified. 
> * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2228c2273 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2233a2279 > audit_token_t instigator_token; // Available in msg versions >= 8. 2239,2248c2285,2295 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was disabled. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was disabled. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2253c2300 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2257a2305 > audit_token_t instigator_token; // Available in msg versions >= 8. 2263,2272c2311,2321 < * @field instigator Process that instigated operation (XPC caller). 
< * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was enabled. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was enabled. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2277c2326 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2281a2331 > audit_token_t instigator_token; // Available in msg versions >= 8. 2287,2299c2337,2350 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field record_type The type of the record to which the attribute value was added. < * @field record_name The name of the record to which the attribute value was added. < * @field attribute_name The name of the attribute to which the value was added. < * @field attribute_value The value that was added. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. 
If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field record_type The type of the record to which the attribute value was added. > * @field record_name The name of the record to which the attribute value was added. > * @field attribute_name The name of the attribute to which the value was added. > * @field attribute_value The value that was added. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2300a2352 > * 2307c2359 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2314a2367 > audit_token_t instigator_token; // Available in msg versions >= 8. 2320,2332c2373,2386 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field record_type The type of the record from which the attribute value was removed. < * @field record_name The name of the record from which the attribute value was removed. < * @field attribute_name The name of the attribute from which the value was removed. < * @field attribute_value The value that was removed. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. 
--- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field record_type The type of the record from which the attribute value was removed. > * @field record_name The name of the record from which the attribute value was removed. > * @field attribute_name The name of the attribute from which the value was removed. > * @field attribute_value The value that was removed. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2341c2395 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2348a2403 > audit_token_t instigator_token; // Available in msg versions >= 8. 2367a2423 > * @field instigator_token Audit token of the process that instigated this event. 2376c2432 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2384a2441 > audit_token_t instigator_token; // Available in msg versions >= 8. 2390,2399c2447,2457 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was created. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. 
> * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was created. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2404c2462 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2408a2467 > audit_token_t instigator_token; // Available in msg versions >= 8. 2414,2423c2473,2483 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the group that was created. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field group_name The name of the group that was created. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2428c2488 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2432a2493 > audit_token_t instigator_token; // Available in msg versions >= 8. 
2438,2447c2499,2509 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was deleted. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was deleted. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2452c2514 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2456a2519 > audit_token_t instigator_token; // Available in msg versions >= 8. 2462,2471c2525,2535 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the group that was deleted. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). 
> * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field group_name The name of the group that was deleted. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2476c2541 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2480a2546 > audit_token_t instigator_token; // Available in msg versions >= 8. 2496a2563,2580 > * @brief Notification for a gatekeeper_user_override events. > * > * @field file_type The type of the file field. If Endpoint security can't lookup the file at event > * submission it will emit a path instead of an es_file_t > * @field file Describes the target file that is being overridden by the user > * > * @note This event type does not support caching (notify-only). 
> * > */ > typedef struct { > es_gatekeeper_user_override_file_type_t file_type; > union { > es_string_token_t file_path; > es_file_t *_Nonnull file; > } file; > } es_event_gatekeeper_user_override_t; > > /** 2574,2608c2658,2693 < es_event_authentication_t * _Nonnull authentication; < es_event_xp_malware_detected_t * _Nonnull xp_malware_detected; < es_event_xp_malware_remediated_t * _Nonnull xp_malware_remediated; < es_event_lw_session_login_t * _Nonnull lw_session_login; < es_event_lw_session_logout_t * _Nonnull lw_session_logout; < es_event_lw_session_lock_t * _Nonnull lw_session_lock; < es_event_lw_session_unlock_t * _Nonnull lw_session_unlock; < es_event_screensharing_attach_t * _Nonnull screensharing_attach; < es_event_screensharing_detach_t * _Nonnull screensharing_detach; < es_event_openssh_login_t * _Nonnull openssh_login; < es_event_openssh_logout_t * _Nonnull openssh_logout; < es_event_login_login_t * _Nonnull login_login; < es_event_login_logout_t * _Nonnull login_logout; < es_event_btm_launch_item_add_t * _Nonnull btm_launch_item_add; < es_event_btm_launch_item_remove_t * _Nonnull btm_launch_item_remove; < es_event_profile_add_t * _Nonnull profile_add; < es_event_profile_remove_t * _Nonnull profile_remove; < es_event_su_t * _Nonnull su; < es_event_authorization_petition_t * _Nonnull authorization_petition; < es_event_authorization_judgement_t * _Nonnull authorization_judgement; < es_event_sudo_t * _Nonnull sudo; < es_event_od_group_add_t * _Nonnull od_group_add; < es_event_od_group_remove_t * _Nonnull od_group_remove; < es_event_od_group_set_t * _Nonnull od_group_set; < es_event_od_modify_password_t * _Nonnull od_modify_password; < es_event_od_disable_user_t * _Nonnull od_disable_user; < es_event_od_enable_user_t * _Nonnull od_enable_user; < es_event_od_attribute_value_add_t * _Nonnull od_attribute_value_add; < es_event_od_attribute_value_remove_t * _Nonnull od_attribute_value_remove; < es_event_od_attribute_set_t * _Nonnull od_attribute_set; < 
es_event_od_create_user_t * _Nonnull od_create_user; < es_event_od_create_group_t * _Nonnull od_create_group; < es_event_od_delete_user_t * _Nonnull od_delete_user; < es_event_od_delete_group_t * _Nonnull od_delete_group; < es_event_xpc_connect_t * _Nonnull xpc_connect; --- > es_event_authentication_t *_Nonnull authentication; > es_event_xp_malware_detected_t *_Nonnull xp_malware_detected; > es_event_xp_malware_remediated_t *_Nonnull xp_malware_remediated; > es_event_lw_session_login_t *_Nonnull lw_session_login; > es_event_lw_session_logout_t *_Nonnull lw_session_logout; > es_event_lw_session_lock_t *_Nonnull lw_session_lock; > es_event_lw_session_unlock_t *_Nonnull lw_session_unlock; > es_event_screensharing_attach_t *_Nonnull screensharing_attach; > es_event_screensharing_detach_t *_Nonnull screensharing_detach; > es_event_openssh_login_t *_Nonnull openssh_login; > es_event_openssh_logout_t *_Nonnull openssh_logout; > es_event_login_login_t *_Nonnull login_login; > es_event_login_logout_t *_Nonnull login_logout; > es_event_btm_launch_item_add_t *_Nonnull btm_launch_item_add; > es_event_btm_launch_item_remove_t *_Nonnull btm_launch_item_remove; > es_event_profile_add_t *_Nonnull profile_add; > es_event_profile_remove_t *_Nonnull profile_remove; > es_event_su_t *_Nonnull su; > es_event_authorization_petition_t *_Nonnull authorization_petition; > es_event_authorization_judgement_t *_Nonnull authorization_judgement; > es_event_sudo_t *_Nonnull sudo; > es_event_od_group_add_t *_Nonnull od_group_add; > es_event_od_group_remove_t *_Nonnull od_group_remove; > es_event_od_group_set_t *_Nonnull od_group_set; > es_event_od_modify_password_t *_Nonnull od_modify_password; > es_event_od_disable_user_t *_Nonnull od_disable_user; > es_event_od_enable_user_t *_Nonnull od_enable_user; > es_event_od_attribute_value_add_t *_Nonnull od_attribute_value_add; > es_event_od_attribute_value_remove_t *_Nonnull od_attribute_value_remove; > es_event_od_attribute_set_t *_Nonnull 
od_attribute_set; > es_event_od_create_user_t *_Nonnull od_create_user; > es_event_od_create_group_t *_Nonnull od_create_group; > es_event_od_delete_user_t *_Nonnull od_delete_user; > es_event_od_delete_group_t *_Nonnull od_delete_group; > es_event_xpc_connect_t *_Nonnull xpc_connect; > es_event_gatekeeper_user_override_t *_Nonnull gatekeeper_user_override; diff --color Documents/foss/MacOSX-SDKs/MacOSX14.5.sdk/usr/include/EndpointSecurity/ESTypes.h /Users/roblabla/Downloads/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/ESTypes.h 74a75,86 > * @brief This enum describes the type of plugin types in sudo > */ > typedef enum { > ES_SUDO_PLUGIN_TYPE_UNKNOWN, > ES_SUDO_PLUGIN_TYPE_FRONT_END, > ES_SUDO_PLUGIN_TYPE_POLICY, > ES_SUDO_PLUGIN_TYPE_IO, > ES_SUDO_PLUGIN_TYPE_AUDIT, > ES_SUDO_PLUGIN_TYPE_APPROVAL, > } es_sudo_plugin_type_t; > > /** 221,240c240,260 < , ES_EVENT_TYPE_NOTIFY_PROFILE_ADD < , ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE < , ES_EVENT_TYPE_NOTIFY_SU < , ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION < , ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT < , ES_EVENT_TYPE_NOTIFY_SUDO < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_SET < , ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD < , ES_EVENT_TYPE_NOTIFY_OD_DISABLE_USER < , ES_EVENT_TYPE_NOTIFY_OD_ENABLE_USER < , ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD < , ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_REMOVE < , ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_SET < , ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER < , ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP < , ES_EVENT_TYPE_NOTIFY_OD_DELETE_USER < , ES_EVENT_TYPE_NOTIFY_OD_DELETE_GROUP < , ES_EVENT_TYPE_NOTIFY_XPC_CONNECT --- > ES_EVENT_TYPE_NOTIFY_PROFILE_ADD, > ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE, > ES_EVENT_TYPE_NOTIFY_SU, > ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION, > ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT, > ES_EVENT_TYPE_NOTIFY_SUDO, > 
ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD, > ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE, > ES_EVENT_TYPE_NOTIFY_OD_GROUP_SET, > ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD, > ES_EVENT_TYPE_NOTIFY_OD_DISABLE_USER, > ES_EVENT_TYPE_NOTIFY_OD_ENABLE_USER, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_REMOVE, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_SET, > ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER, > ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP, > ES_EVENT_TYPE_NOTIFY_OD_DELETE_USER, > ES_EVENT_TYPE_NOTIFY_OD_DELETE_GROUP, > ES_EVENT_TYPE_NOTIFY_XPC_CONNECT, > ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE, 484a505,511 > > typedef enum { > /// Signals that file is a string of a path since file could not be resolved on disk at time of event submission > ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH, > /// Signals that file is a es_file_t > ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE > } es_gatekeeper_user_override_file_type_t; diff --color Documents/foss/MacOSX-SDKs/MacOSX14.5.sdk/usr/include/EndpointSecurity/EndpointSecurity.h /Users/roblabla/Downloads/Xcode-beta.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX.sdk/usr/include/EndpointSecurity/EndpointSecurity.h 7a8 > // Include types first 8a10 > 9a12 > ```
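Review bot: In the new `es_event_gatekeeper_user_override_t` (ESMessage.h), the `file` union is only safe to read through the member that `file_type` selects, and nothing in the struct enforces that. A binding should not expose the union directly. It should match on `ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH` and `ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE` from the ESTypes.h hunk 484a505,511, return `file.file_path` or `file.file` accordingly, and treat any other discriminant as an error instead of dereferencing `es_file_t *_Nonnull file`.
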
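Review bot: Hunk 2574,2608c2658,2693 in ESMessage.h is still mostly formatting noise: 35 of its 36 new lines differ from the old ones only by `* _Nonnull` becoming `*_Nonnull`. The one real change is the last line, `es_event_gatekeeper_user_override_t *_Nonnull gatekeeper_user_override;`. Regenerating this part with whitespace ignored (`diff -w`) would reduce the hunk to that single addition and make it much harder to miss a changed member type among the reformatted lines.
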
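Review bot: The `es_sudo_plugin_type_t` enum added in ESTypes.h hunk 74a75,86 has no per-value documentation, and its `@brief` ("the type of plugin types in sudo") does not say what distinguishes `ES_SUDO_PLUGIN_TYPE_FRONT_END`, `ES_SUDO_PLUGIN_TYPE_POLICY` and the rest. The binding's doc comments will need their own wording for these values, and the hunk does not show which event struct carries this type, so that should be confirmed against the full header before the enum is wired in. The enum also ends with a trailing comma after `ES_SUDO_PLUGIN_TYPE_APPROVAL,` while `es_gatekeeper_user_override_file_type_t` does not, which is a small style inconsistency.
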
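Review bot: In ESTypes.h hunk 221,240c240,260 the new `ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE` is appended after `ES_EVENT_TYPE_NOTIFY_XPC_CONNECT`, so the existing enumerators keep their values and the rest of the hunk is only the comma moving from the start of each line to the end. Because the list grows at the tail with each SDK, a binding that converts the raw `es_event_type_t` integer into a closed Rust enum needs an explicit fallback for values it does not know, not an unchecked cast.
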
roblabla commented 3 months ago

From the looks of it, this includes:

This last bit is annoying, as it will require making breaking changes in the endpoint-sec/endpoint-sec-sys API on a couple functions. They're essentially breaking changes that Apple introduced in macOS 15.

roblabla commented 1 week ago

The final macOS 15 SDK just got released.

Here's the final diff between 14.5 and 15.0 SDK ``` diff --color MacOSX14.5.sdk/usr/include/EndpointSecurity/ESClient.h MacOSX15.0.sdk/usr/include/EndpointSecurity/ESClient.h 35,37c35,38 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_subscribe(es_client_t * _Nonnull client, const es_event_type_t * _Nonnull events, uint32_t event_count); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_subscribe(es_client_t *_Nonnull client, const es_event_type_t *_Nonnull events, uint32_t event_count); 48,50c49,52 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unsubscribe(es_client_t * _Nonnull client, const es_event_type_t * _Nonnull events, uint32_t event_count); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_unsubscribe(es_client_t *_Nonnull client, const es_event_type_t *_Nonnull events, uint32_t event_count); 58,60c60,61 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unsubscribe_all(es_client_t * _Nonnull client); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) es_return_t es_unsubscribe_all(es_client_t *_Nonnull client); 71c72,74 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) 73,74c76 < es_subscriptions(es_client_t * _Nonnull client, size_t * _Nonnull count, < es_event_type_t * _Nonnull * _Nullable subscriptions); --- > es_subscriptions(es_client_t *_Nonnull client, size_t *_Nonnull count, es_event_type_t *_Nonnull *_Nullable subscriptions); 88c90,91 < * @brief Some events must be responded to with `es_respond_flags_result`. Responding to flags events with this function will fail. --- > * @brief Some events must be responded to with `es_respond_flags_result`. 
Responding to flags events with this function will > * fail. 91c94,96 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) 93c98 < es_respond_auth_result(es_client_t * _Nonnull client, const es_message_t * _Nonnull message, es_auth_result_t result, bool cache); --- > es_respond_auth_result(es_client_t *_Nonnull client, const es_message_t *_Nonnull message, es_auth_result_t result, bool cache); 121,123c126,131 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_respond_result_t < es_respond_flags_result(es_client_t * _Nonnull client, const es_message_t * _Nonnull message, uint32_t authorized_flags, bool cache); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_respond_result_t es_respond_flags_result( > es_client_t *_Nonnull client, const es_message_t *_Nonnull message, uint32_t authorized_flags, bool cache > ); 136,138c144,147 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_mute_process(es_client_t * _Nonnull client, const audit_token_t * _Nonnull audit_token); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_mute_process(es_client_t *_Nonnull client, const audit_token_t *_Nonnull audit_token); 153,155c162,170 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_mute_process_events(es_client_t * _Nonnull client, const audit_token_t * _Nonnull audit_token, const es_event_type_t * _Nonnull events, size_t event_count); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_mute_process_events( > es_client_t *_Nonnull client, > const audit_token_t *_Nonnull audit_token, > const es_event_type_t *_Nonnull events, > size_t event_count > ); 168,170c183,186 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t 
< es_unmute_process(es_client_t * _Nonnull client, const audit_token_t *_Nonnull audit_token); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_unmute_process(es_client_t *_Nonnull client, const audit_token_t *_Nonnull audit_token); 185,187c201,209 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unmute_process_events(es_client_t * _Nonnull client, const audit_token_t * _Nonnull audit_token, const es_event_type_t * _Nonnull events, size_t event_count); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_unmute_process_events( > es_client_t *_Nonnull client, > const audit_token_t *_Nonnull audit_token, > const es_event_type_t *_Nonnull events, > size_t event_count > ); 206c228 < es_muted_processes(es_client_t * _Nonnull client, size_t * _Nonnull count, audit_token_t * _Nonnull * _Nullable audit_tokens); --- > es_muted_processes(es_client_t *_Nonnull client, size_t *_Nonnull count, audit_token_t *_Nonnull *_Nullable audit_tokens); 221,223c243,246 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_muted_processes_events(es_client_t * _Nonnull client, es_muted_processes_t * _Nullable * _Nonnull muted_processes); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_muted_processes_events(es_client_t *_Nonnull client, es_muted_processes_t *_Nullable *_Nonnull muted_processes); 233,235c256,258 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < void < es_release_muted_processes(es_muted_processes_t * _Nonnull muted_processes); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) 236a260,261 > void es_release_muted_processes(es_muted_processes_t *_Nonnull muted_processes); > 256,262c281,286 < * @discussion When using the path types ES_MUTE_PATH_TYPE_TARGET_PREFIX and 
ES_MUTE_PATH_TYPE_TARGET_LITERAL Not all events are supported. < * Furthermore the interpretation of target path is contextual. < * For events with more than one target path (such as exchangedata) the behavior depends on the mute inversion state < * Under normal muting the event is suppressed only if ALL paths are muted < * When target path muting is inverted the event is selected if ANY target path is muted < * For example a rename will be suppressed if and only if both the source path and destination path are muted. < * Supported events are listed below. For each event the target path is defined as: --- > * @discussion When using the path types ES_MUTE_PATH_TYPE_TARGET_PREFIX and ES_MUTE_PATH_TYPE_TARGET_LITERAL Not all events are > * supported. Furthermore the interpretation of target path is contextual. For events with more than one target path (such as > * exchangedata) the behavior depends on the mute inversion state Under normal muting the event is suppressed only if ALL paths > * are muted When target path muting is inverted the event is selected if ANY target path is muted For example a rename will be > * suppressed if and only if both the source path and destination path are muted. Supported events are listed below. 
For each > * event the target path is defined as: 310,312c334,337 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_mute_path(es_client_t * _Nonnull client, const char * _Nonnull path, es_mute_path_type_t type); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_mute_path(es_client_t *_Nonnull client, const char *_Nonnull path, es_mute_path_type_t type); 333,335c358,367 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_mute_path_events(es_client_t * _Nonnull client, const char * _Nonnull path, es_mute_path_type_t type, const es_event_type_t * _Nonnull events, size_t event_count); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_mute_path_events( > es_client_t *_Nonnull client, > const char *_Nonnull path, > es_mute_path_type_t type, > const es_event_type_t *_Nonnull events, > size_t event_count > ); 349,350c381 < es_return_t < es_mute_path_prefix(es_client_t * _Nonnull client, const char * _Nonnull path_prefix); --- > es_return_t es_mute_path_prefix(es_client_t *_Nonnull client, const char *_Nonnull path_prefix); 367,368c398 < es_return_t < es_mute_path_literal(es_client_t * _Nonnull client, const char * _Nonnull path_literal); --- > es_return_t es_mute_path_literal(es_client_t *_Nonnull client, const char *_Nonnull path_literal); 378,380c408,409 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unmute_all_paths(es_client_t * _Nonnull client); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) es_return_t es_unmute_all_paths(es_client_t *_Nonnull client); 388,390c417,418 < API_AVAILABLE(macos(13.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unmute_all_target_paths(es_client_t * _Nonnull client); --- > API_AVAILABLE(macos(13.0)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) es_return_t 
es_unmute_all_target_paths(es_client_t *_Nonnull client); 411,413c439,442 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unmute_path(es_client_t * _Nonnull client, const char * _Nonnull path, es_mute_path_type_t type); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_unmute_path(es_client_t *_Nonnull client, const char *_Nonnull path, es_mute_path_type_t type); 429,432c458,467 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_unmute_path_events(es_client_t * _Nonnull client, const char * _Nonnull path, es_mute_path_type_t type, < const es_event_type_t * _Nonnull events, size_t event_count); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_unmute_path_events( > es_client_t *_Nonnull client, > const char *_Nonnull path, > es_mute_path_type_t type, > const es_event_type_t *_Nonnull events, > size_t event_count > ); 446,448c481,484 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_muted_paths_events(es_client_t * _Nonnull client, es_muted_paths_t * _Nonnull * _Nullable muted_paths); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_return_t es_muted_paths_events(es_client_t *_Nonnull client, es_muted_paths_t *_Nonnull *_Nullable muted_paths); 458,460c494,495 < API_AVAILABLE(macos(12.0)) API_UNAVAILABLE(ios, tvos, watchos) < void < es_release_muted_paths(es_muted_paths_t * _Nonnull muted_paths); --- > API_AVAILABLE(macos(12.0)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) void es_release_muted_paths(es_muted_paths_t *_Nonnull muted_paths); 547,552c582,586 < * Creating a new client and calling `es_invert_muting(c, ES_MUTE_INVERSION_TYPE_PATH)` will result in the default mute set being selected rather than muted. < * In most cases this is unintended. 
< * Consider calling `es_unmute_all_paths` before inverting process path muting. < * Consider calling `es_unmute_all_target_paths` before inverting target path muting. < * Make sure the client has no auth subscriptions before doing so. < * If desired the default mute set can be saved using `es_muted_paths_events` and then restored after inverting again. --- > * Creating a new client and calling `es_invert_muting(c, ES_MUTE_INVERSION_TYPE_PATH)` will result in the default mute set being > * selected rather than muted. In most cases this is unintended. Consider calling `es_unmute_all_paths` before inverting process > * path muting. Consider calling `es_unmute_all_target_paths` before inverting target path muting. Make sure the client has no > * auth subscriptions before doing so. If desired the default mute set can be saved using `es_muted_paths_events` and then > * restored after inverting again. 556,558c590,592 < API_AVAILABLE(macos(13.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_invert_muting(es_client_t * _Nonnull client, es_mute_inversion_type_t mute_type); --- > API_AVAILABLE(macos(13.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) es_return_t es_invert_muting(es_client_t *_Nonnull client, es_mute_inversion_type_t mute_type); 569,571c603,606 < API_AVAILABLE(macos(13.0)) API_UNAVAILABLE(ios, tvos, watchos) < es_mute_inverted_return_t < es_muting_inverted(es_client_t * _Nonnull client, es_mute_inversion_type_t mute_type); --- > API_AVAILABLE(macos(13.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_mute_inverted_return_t es_muting_inverted(es_client_t *_Nonnull client, es_mute_inversion_type_t mute_type); 582,584c617,619 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_clear_cache_result_t < es_clear_cache(es_client_t * _Nonnull client); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) es_clear_cache_result_t es_clear_cache(es_client_t *_Nonnull client); 
591c626 < typedef void (^es_handler_block_t)(es_client_t * _Nonnull, const es_message_t * _Nonnull); --- > typedef void (^es_handler_block_t)(es_client_t *_Nonnull, const es_message_t *_Nonnull); 635,637c670,673 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_new_client_result_t < es_new_client(es_client_t * _Nullable * _Nonnull client, es_handler_block_t _Nonnull handler); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) > es_new_client_result_t es_new_client(es_client_t *_Nullable *_Nonnull client, es_handler_block_t _Nonnull handler); 647,649c683,684 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_return_t < es_delete_client(es_client_t * _Nullable client); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) es_return_t es_delete_client(es_client_t *_Nullable client); diff --color MacOSX14.5.sdk/usr/include/EndpointSecurity/ESMessage.h MacOSX15.0.sdk/usr/include/EndpointSecurity/ESMessage.h 11a12,13 > #include > #include 16,17d17 < #include < #include 20c20 < #error This header requires __DARWIN_64_BIT_INO_T --- > #error This header requires __DARWIN_64_BIT_INO_T 27c27 < --- > 35c35,36 < * ES still guarantees that if an event was not emitted *by that binary or framework* then it did not happen, but this is not quite the same guarantee. --- > * ES still guarantees that if an event was not emitted *by that binary or framework* then it did not happen, but this is not > * quite the same guarantee. 38,41c39,42 < * This event is created by the `su` binary first shipped in macOS 14.0, but it's entirely possible for a user to install (or compile) a different `su`! < * ES only guarantees that the platform binary shipped with macOS emits `es_event_su_t` events. < * As such `es_event_su_t` does not provide the same security guarantee that `es_event_setuid_t` does. 
< * --- > * This event is created by the `su` binary first shipped in macOS 14.0, but it's entirely possible for a user to install (or > * compile) a different `su`! ES only guarantees that the platform binary shipped with macOS emits `es_event_su_t` events. As such > * `es_event_su_t` does not provide the same security guarantee that `es_event_setuid_t` does. > * 50c51 < * --- > * 89a91 > * ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE 102c104,105 < * @discussion For files with a link count greater than 1, the absolute path given may not be the only absolute path that exists, and which hard link the emitted path points to is undefined. --- > * @discussion For files with a link count greater than 1, the absolute path given may not be the only absolute path that exists, > * and which hard link the emitted path points to is undefined. 104c107,108 < * Overlong paths are truncated at a maximum length that currently is 16K, though that number is not considered API and may change at any time. --- > * Overlong paths are truncated at a maximum length that currently is 16K, though that number is not considered API and may change > * at any time. 
196c200 < uint8_t cdhash[20]; --- > es_cdhash_t cdhash; 199,201c203,205 < es_file_t * _Nonnull executable; < es_file_t * _Nullable tty; /* field available only if message version >= 2 */ < struct timeval start_time; /* field available only if message version >= 3 */ --- > es_file_t *_Nonnull executable; > es_file_t *_Nullable tty; /* field available only if message version >= 2 */ > struct timeval start_time; /* field available only if message version >= 3 */ 203c207 < audit_token_t parent_audit_token; /* field available only if message version >= 4 */ --- > audit_token_t parent_audit_token; /* field available only if message version >= 4 */ 206d209 < 272d274 < 274,275c276,277 < ES_PROFILE_SOURCE_MANAGED, < ES_PROFILE_SOURCE_INSTALL, --- > ES_PROFILE_SOURCE_MANAGED, > ES_PROFILE_SOURCE_INSTALL, 289,294c291,296 < es_string_token_t identifier; < es_string_token_t uuid; < es_profile_source_t install_source; < es_string_token_t organization; < es_string_token_t display_name; < es_string_token_t scope; --- > es_string_token_t identifier; > es_string_token_t uuid; > es_profile_source_t install_source; > es_string_token_t organization; > es_string_token_t display_name; > es_string_token_t scope; 354c356 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 359,362c361,364 < es_file_t * _Nullable script; /* field available only if message version >= 2 */ < es_file_t * _Nonnull cwd; /* field available only if message version >= 3 */ < int last_fd; /* field available only if message version >= 4 */ < cpu_type_t image_cputype; /* field available only if message version >= 6 */ --- > es_file_t *_Nullable script; /* field available only if message version >= 2 */ > es_file_t *_Nonnull cwd; /* field available only if message version >= 3 */ > int last_fd; /* field available only if message version >= 4 */ > cpu_type_t image_cputype; /* field available only if message version >= 6 */ 385c387 < es_file_t * _Nonnull file; --- > es_file_t *_Nonnull file; 394a397,399 
> * @note Not all AUTH_KEXTLOAD events can be delivered. > * In rare circumstances when kextloading is blocking all userspace execution it will be automatically allowed. > * NOTIFY_KEXTLOAD will still be (eventually) delivered. 425,426c430,431 < es_file_t * _Nonnull target; < es_file_t * _Nonnull parent_dir; --- > es_file_t *_Nonnull target; > es_file_t *_Nonnull parent_dir; 446c451 < es_file_t * _Nonnull source; --- > es_file_t *_Nonnull source; 460,461c465,466 < es_file_t * _Nonnull source; < es_file_t * _Nonnull target_dir; --- > es_file_t *_Nonnull source; > es_file_t *_Nonnull target_dir; 465a471,480 > // The following types are used in mount events > typedef enum { > ES_MOUNT_DISPOSITION_EXTERNAL, // device is external storage > ES_MOUNT_DISPOSITION_INTERNAL, // device is internal storage > ES_MOUNT_DISPOSITION_NETWORK, // device is a network share > ES_MOUNT_DISPOSITION_VIRTUAL, // device is virtual (dmg or file) > ES_MOUNT_DISPOSITION_NULLFS, // mount uses nullfs, commonly for app translocation > ES_MOUNT_DISPOSITION_UNKNOWN // unable to determine disposition > } es_mount_disposition_t; > 469a485 > * @field disposition The device disposition of the f_mntfromname 474,475c490,492 < struct statfs * _Nonnull statfs; < uint8_t reserved[64]; --- > struct statfs *_Nonnull statfs; > es_mount_disposition_t disposition; /* field available only if message version >= 8 */ > uint8_t reserved[60]; 486c503 < struct statfs * _Nonnull statfs; --- > struct statfs *_Nonnull statfs; 494,495c511,514 < * < * @note This event type does not support caching. --- > * @field remount_flags The provided remount flags > * @field disposition The device disposition of the f_mntfromname > > * @note This event type does not support caching (notify-only). 
498,499c517,520 < struct statfs * _Nonnull statfs; < uint8_t reserved[64]; --- > struct statfs *_Nonnull statfs; > uint64_t remount_flags; /* field available only if message version >= 8 */ > es_mount_disposition_t disposition; /* field available only if message version >= 8 */ > uint8_t reserved[52]; 510c531 < es_process_t * _Nonnull child; --- > es_process_t *_Nonnull child; 542c563 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 572c593 < es_file_t * _Nonnull source; --- > es_file_t *_Nonnull source; 575c596 < es_file_t * _Nonnull existing_file; --- > es_file_t *_Nonnull existing_file; 577c598 < es_file_t * _Nonnull dir; --- > es_file_t *_Nonnull dir; 593c614 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 607c628 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 621c642 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 639c660 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 656c677 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 675c696 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 690,692c711,714 < * `was_mapped_writable` only indicates whether the target file was mapped into writable memory or not for the lifetime of the vnode. < * It does not indicate whether the file has actually been written to by way of writing to mapped memory, and it does not indicate whether the file is currently still mapped writable. < * Correct interpretation requires consideration of vnode lifetimes in the kernel. --- > * `was_mapped_writable` only indicates whether the target file was mapped into writable memory or not for the lifetime of the > * vnode. It does not indicate whether the file has actually been written to by way of writing to mapped memory, and it does not > * indicate whether the file is currently still mapped writable. Correct interpretation requires consideration of vnode lifetimes > * in the kernel. 
699c721 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 703c725 < bool was_mapped_writable; /* Field available only if message version >= 6. */ --- > bool was_mapped_writable; /* Field available only if message version >= 6. */ 745c767 < es_file_t * _Nonnull existing_file; --- > es_file_t *_Nonnull existing_file; 747c769 < es_file_t * _Nonnull dir; --- > es_file_t *_Nonnull dir; 782,783c804,805 < es_file_t * _Nonnull file1; < es_file_t * _Nonnull file2; --- > es_file_t *_Nonnull file1; > es_file_t *_Nonnull file2; 795c817 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 807c829 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 819c841 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 831c853 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 843c865 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 855c877 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 921c943 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 941c963 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 960c982 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 979c1001 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 994c1016 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1008c1030 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1021c1043 < es_file_t * _Nonnull source; --- > es_file_t *_Nonnull source; 1028a1051 > * @field instigator The process that instigated the materialize operation. 1030a1054 > * @field instigator_token Audit token of the process that instigated this event. 
1035,1038c1059,1063 < es_process_t * _Nonnull instigator; < es_file_t * _Nonnull source; < es_file_t * _Nonnull target; < uint8_t reserved[64]; --- > es_process_t *_Nullable instigator; > es_file_t *_Nonnull source; > es_file_t *_Nonnull target; > audit_token_t instigator_token; // Available in msg versions >= 8. > uint8_t reserved[32]; 1050c1075 < es_file_t * _Nonnull source; --- > es_file_t *_Nonnull source; 1065c1090 < es_file_t * _Nonnull source_dir; --- > es_file_t *_Nonnull source_dir; 1080c1105 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1094c1119 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1110,1111c1135,1136 < es_file_t * _Nonnull source; < es_file_t * _Nonnull target_dir; --- > es_file_t *_Nonnull source; > es_file_t *_Nonnull target_dir; 1134,1136c1159,1161 < es_file_t * _Nonnull source; < es_file_t * _Nullable target_file; < es_file_t * _Nonnull target_dir; --- > es_file_t *_Nonnull source; > es_file_t *_Nullable target_file; > es_file_t *_Nonnull target_dir; 1152c1177 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1165c1190 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1180c1205 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1206c1231 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1220c1245 < es_file_t * _Nonnull dir; --- > es_file_t *_Nonnull dir; 1237c1262 < es_file_t * _Nonnull file; --- > es_file_t *_Nonnull file; 1263c1288 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1305c1330 < es_process_t * _Nullable target; --- > es_process_t *_Nullable target; 1321c1346 < es_file_t * _Nonnull target; --- > es_file_t *_Nonnull target; 1345c1370 < es_process_t * _Nullable target; --- > es_process_t *_Nullable target; 1378c1403 < es_process_t * _Nonnull target; --- > es_process_t *_Nonnull target; 1394,1395c1419,1420 < es_process_t * _Nonnull target; < es_thread_state_t * _Nullable thread_state; --- > es_process_t *_Nonnull 
target; > es_thread_state_t *_Nullable thread_state; 1478,1489c1503,1515 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). < * @field record_type OD record type against which OD is authenticating. < * Typically "Users", but other record types can auth too. < * @field record_name OD record name against which OD is authenticating. < * For record type "Users", this is the username. < * @field node_name OD node against which OD is authenticating. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field record_type OD record type against which OD is authenticating. > * Typically "Users", but other record types can auth too. > * @field record_name OD record name against which OD is authenticating. > * For record type "Users", this is the username. > * @field node_name OD node against which OD is authenticating. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 1492c1518 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1496a1523 > audit_token_t instigator_token; // Available in msg versions >= 8. 1507,1514c1534,1542 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). 
< * @field touchid_mode TouchID authentication type < * @field has_uid Describes whether or not the uid of the user authenticated is available < * @field uid Union that is valid when `has_uid` is set to `true` < * @field uid.uid uid of user that was authenticated. < * This will be set when `success` is true and `touchid_mode` is of < * verification type i.e. ES_TOUCHID_MODE_VERIFICATION --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field touchid_mode TouchID authentication type > * @field has_uid Describes whether or not the uid of the user authenticated is available > * @field uid Union that is valid when `has_uid` is set to `true` > * @field uid.uid uid of user that was authenticated. > * This will be set when `success` is true and `touchid_mode` is of > * verification type i.e. ES_TOUCHID_MODE_VERIFICATION > * @field instigator_token Audit token of the process that instigated this event. 1517c1545 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1522a1551 > audit_token_t instigator_token; // Available in msg versions >= 8. 1528,1533c1557,1564 < * @field instigator Process that instigated the authentication < * (XPC caller that asked for authentication). < * @field pubkey_hash Hash of the public key which CryptoTokenKit is authenticating. < * @field token_id Token identifier of the event which CryptoTokenKit is authenticating. < * @field kerberos_principal Optional. This will be available if token is used for GSS PKINIT < * authentication for obtaining a kerberos TGT. NULL in all other cases. --- > * @field instigator Process that instigated the authentication > * (XPC caller that asked for authentication). > * @field pubkey_hash Hash of the public key which CryptoTokenKit is authenticating. > * @field token_id Token identifier of the event which CryptoTokenKit is authenticating. > * @field kerberos_principal Optional. 
This will be available if token is used for GSS PKINIT > * authentication for obtaining a kerberos TGT. NULL in all other cases. > * @field instigator_token Audit token of the process that instigated this event. > * 1536c1567 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 1539a1571 > audit_token_t instigator_token; // Available in msg versions >= 8. 1579,1582c1611,1614 < es_event_authentication_od_t * _Nonnull od; < es_event_authentication_touchid_t * _Nonnull touchid; < es_event_authentication_token_t * _Nonnull token; < es_event_authentication_auto_unlock_t * _Nonnull auto_unlock; --- > es_event_authentication_od_t *_Nonnull od; > es_event_authentication_touchid_t *_Nonnull touchid; > es_event_authentication_token_t *_Nonnull token; > es_event_authentication_auto_unlock_t *_Nonnull auto_unlock; 1643c1675 < audit_token_t * _Nullable remediated_process_audit_token; --- > audit_token_t *_Nullable remediated_process_audit_token; 1650c1682,1683 < * special meaning to it beyond correlating events pertaining to the same graphical session. Not to be confused with the audit session ID. --- > * special meaning to it beyond correlating events pertaining to the same graphical session. Not to be confused with the audit > * session ID. 1730c1763,1764 < * For example if device A is acting as a NAT gateway for device B, then a screensharing session from B -> A would not emit an event. --- > * For example if device A is acting as a NAT gateway for device B, then a screensharing session from B -> A would not emit an > * event. 1878a1913,1914 > * @field instigator_token Audit token of the process that instigated this event. > * @field app_token Audit token of the app process that registered the item. 
1886,1888c1922,1924 < es_process_t * _Nullable instigator; < es_process_t * _Nullable app; < es_btm_launch_item_t * _Nonnull item; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable app; > es_btm_launch_item_t *_Nonnull item; 1889a1926,1927 > audit_token_t *_Nullable instigator_token; // Available in msg versions >= 8. > audit_token_t *_Nullable app_token; // Available in msg versions >= 8. 1900a1939,1940 > * @field instigator_token Audit token of the process that instigated this event. > * @field app_token Audit token of the app process that removed the item. 1905,1907c1945,1949 < es_process_t * _Nullable instigator; < es_process_t * _Nullable app; < es_btm_launch_item_t * _Nonnull item; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable app; > es_btm_launch_item_t *_Nonnull item; > audit_token_t *_Nullable instigator_token; // Available in msg versions >= 8. > audit_token_t *_Nullable app_token; // Available in msg versions >= 8. 1910d1951 < 1917c1958 < * @field from_name The name of the user who initiated the su --- > * @field from_username The username of the user who initiated the su 1922c1963 < * @field argc The length of argv --- > * @field argc The length of argv 1926,1927c1967,1968 < * < * @note This event type does not support caching (notify-only). Should always --- > * > * @note This event type does not support caching (notify-only). 
Should always 1931c1972 < * --- > * 1945c1986 < es_string_token_t * _Nullable argv; --- > es_string_token_t *_Nullable argv; 1947c1988 < es_string_token_t * _Nullable env; --- > es_string_token_t *_Nullable env; 1951,1962d1991 < * @brief This enum describes the type of plugin types in sudo < */ < typedef enum { < ES_SUDO_PLUGIN_TYPE_UNKNOWN, < ES_SUDO_PLUGIN_TYPE_FRONT_END, < ES_SUDO_PLUGIN_TYPE_POLICY, < ES_SUDO_PLUGIN_TYPE_IO, < ES_SUDO_PLUGIN_TYPE_AUDIT, < ES_SUDO_PLUGIN_TYPE_APPROVAL, < } es_sudo_plugin_type_t; < < /** 1967,1968c1996,1997 < * @field failure_message A reason represented by a string for the failure < * --- > * @field failure_message A reason represented by a string for the failure > * 1971c2000 < es_string_token_t plugin_name; --- > es_string_token_t plugin_name; 1977c2006 < * @brief Notification for a sudo event. --- > * @brief Notification for a sudo event. 1982,1983c2011,2012 < * @field from_uid Optional. The uid of the user who initiated the su < * @field from_name Optional. The name of the user who initiated the su --- > * @field from_uid Optional. The uid of the user who initiated the sudo > * @field from_username Optional. The username of the user who initiated the sudo 1988c2017 < * --- > * 1990c2019 < * --- > * 1994c2023 < es_sudo_reject_info_t* _Nullable reject_info; --- > es_sudo_reject_info_t *_Nullable reject_info; 2018c2047,2048 < * @field item Profile install item. --- > * @field profile Profile install item. > * @field instigator_token Audit token of the process that instigated this event. 2020d2049 < * 2024c2053 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2026c2055,2056 < es_profile_t * _Nonnull profile; --- > es_profile_t *_Nonnull profile; > audit_token_t instigator_token; // Available in msg versions >= 8. 2032c2062,2063 < * @field item Profile being removed. --- > * @field profile Profile being removed. > * @field instigator_token Audit token of the process that instigated this event. 
2034d2064 < * 2038,2039c2068,2070 < es_process_t * _Nonnull instigator; < es_profile_t * _Nonnull profile; --- > es_process_t *_Nullable instigator; > es_profile_t *_Nonnull profile; > audit_token_t instigator_token; // Available in msg versions >= 8. 2049a2081,2082 > * @field instigator_token Audit token of the process that submitted the petition. > * @field petitioner_token Audit token of the process that created the petition. 2054,2055c2087,2088 < es_process_t * _Nonnull instigator; < es_process_t * _Nullable petitioner; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable petitioner; 2058c2091,2093 < es_string_token_t * _Nullable rights; --- > es_string_token_t *_Nullable rights; > audit_token_t instigator_token; // Available in msg versions >= 8. > audit_token_t petitioner_token; // Available in msg versions >= 8. 2066c2101 < * The rule class determines how the operating system determines --- > * The rule class determines how the operating system determines 2077c2112 < * @brief Notification that a process had it's right petition judged --- > * @brief Notification that a process had it's right petition judged 2084a2120,2121 > * @field instigator_token Audit token of the process that submitted the petition. > * @field petitioner_token Audit token of the process that created the petition. 2089,2090c2126,2127 < es_process_t * _Nonnull instigator; < es_process_t * _Nullable petitioner; --- > es_process_t *_Nullable instigator; > es_process_t *_Nullable petitioner; 2093c2130,2132 < es_authorization_result_t * _Nullable results; --- > es_authorization_result_t *_Nullable results; > audit_token_t instigator_token; // Available in msg versions >= 8. > audit_token_t petitioner_token; // Available in msg versions >= 8. 2114,2122c2153,2162 < * @field instigator Process that instigated operation (XPC caller). < * @field group_name The group to which the member was added. < * @field member The identity of the member added. 
< * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field group_name The group to which the member was added. > * @field member The identity of the member added. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2129c2169 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2132c2172 < es_od_member_id_t * _Nonnull member; --- > es_od_member_id_t *_Nonnull member; 2134a2175 > audit_token_t instigator_token; // Available in msg versions >= 8. 2140,2148c2181,2190 < * @field instigator Process that instigated operation (XPC caller). < * @field group_name The group from which the member was removed. < * @field member The identity of the member removed. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field group_name The group from which the member was removed. > * @field member The identity of the member removed. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. 
> * @field instigator_token Audit token of the process that instigated this event. 2155c2197 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2158c2200 < es_od_member_id_t * _Nonnull member; --- > es_od_member_id_t *_Nonnull member; 2160a2203 > audit_token_t instigator_token; // Available in msg versions >= 8. 2163d2205 < 2170c2212 < * @field member_array A union of pointers. --- > * @field member_array A union of pointers. 2177,2178c2219,2220 < uuid_t * _Nonnull uuids; < es_string_token_t * _Nonnull names; --- > uuid_t *_Nonnull uuids; > es_string_token_t *_Nonnull names; 2185,2195c2227,2238 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field group_name The group for which members were set. < * @field members Array of new members. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field group_name The group for which members were set. > * @field members Array of new members. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 
2202c2245 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2205c2248 < es_od_member_id_array_t * _Nonnull members; --- > es_od_member_id_array_t *_Nonnull members; 2207a2251 > audit_token_t instigator_token; // Available in msg versions >= 8. 2213,2223c2257,2268 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field account_type The type of the account for which the password was modified. < * @field account_name The name of the account for which the password was modified. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field account_type The type of the account for which the password was modified. > * @field account_name The name of the account for which the password was modified. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2228c2273 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2233a2279 > audit_token_t instigator_token; // Available in msg versions >= 8. 2239,2248c2285,2295 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. 
< * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was disabled. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was disabled. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2253c2300 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2257a2305 > audit_token_t instigator_token; // Available in msg versions >= 8. 2263,2272c2311,2321 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was enabled. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. 
> * @field user_name The name of the user account that was enabled. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2277c2326 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2281a2331 > audit_token_t instigator_token; // Available in msg versions >= 8. 2287,2299c2337,2350 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field record_type The type of the record to which the attribute value was added. < * @field record_name The name of the record to which the attribute value was added. < * @field attribute_name The name of the attribute to which the value was added. < * @field attribute_value The value that was added. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field record_type The type of the record to which the attribute value was added. > * @field record_name The name of the record to which the attribute value was added. > * @field attribute_name The name of the attribute to which the value was added. > * @field attribute_value The value that was added. > * @field node_name OD node being mutated. 
> * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2300a2352 > * 2307c2359 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2314a2367 > audit_token_t instigator_token; // Available in msg versions >= 8. 2320,2332c2373,2386 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field record_type The type of the record from which the attribute value was removed. < * @field record_name The name of the record from which the attribute value was removed. < * @field attribute_name The name of the attribute from which the value was removed. < * @field attribute_value The value that was removed. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field record_type The type of the record from which the attribute value was removed. > * @field record_name The name of the record from which the attribute value was removed. > * @field attribute_name The name of the attribute from which the value was removed. > * @field attribute_value The value that was removed. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. 
If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2341c2395 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2348a2403 > audit_token_t instigator_token; // Available in msg versions >= 8. 2358c2413 < * @field record_name The name of the record for which the attribute is being set. --- > * @field record_name The name of the record for which the attribute is being set. 2361c2416 < * @field attribute_value_array Array of attribute values that were set. --- > * @field attribute_values Array of attribute values that were set. 2367a2423 > * @field instigator_token Audit token of the process that instigated this event. 2376c2432 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2382c2438 < es_string_token_t * _Nullable attribute_values; --- > es_string_token_t *_Nullable attribute_values; 2384a2441 > audit_token_t instigator_token; // Available in msg versions >= 8. 2390,2399c2447,2457 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was created. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was created. > * @field node_name OD node being mutated. 
> * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2404c2462 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2408a2467 > audit_token_t instigator_token; // Available in msg versions >= 8. 2414,2423c2473,2483 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the group that was created. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field group_name The name of the group that was created. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2428c2488 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2432a2493 > audit_token_t instigator_token; // Available in msg versions >= 8. 2438,2447c2499,2509 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. 
< * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the user account that was deleted. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. > * @field user_name The name of the user account that was deleted. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2452c2514 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2456a2519 > audit_token_t instigator_token; // Available in msg versions >= 8. 2462,2471c2525,2535 < * @field instigator Process that instigated operation (XPC caller). < * @field error_code 0 indicates the operation succeeded. < * Values inidicating specific failure reasons are defined in odconstants.h. < * @field user_name The name of the group that was deleted. < * @field node_name OD node being mutated. < * Typically one of "/Local/Default", "/LDAPv3/" or < * "/Active Directory/". < * @field db_path Optional. If node_name is "/Local/Default", this is < * the path of the database against which OD is < * authenticating. --- > * @field instigator Process that instigated operation (XPC caller). > * @field error_code 0 indicates the operation succeeded. > * Values inidicating specific failure reasons are defined in odconstants.h. 
> * @field group_name The name of the group that was deleted. > * @field node_name OD node being mutated. > * Typically one of "/Local/Default", "/LDAPv3/" or > * "/Active Directory/". > * @field db_path Optional. If node_name is "/Local/Default", this is > * the path of the database against which OD is > * authenticating. > * @field instigator_token Audit token of the process that instigated this event. 2472a2537 > * 2476c2541 < es_process_t * _Nonnull instigator; --- > es_process_t *_Nullable instigator; 2480a2546 > audit_token_t instigator_token; // Available in msg versions >= 8. 2496a2563,2586 > * @brief Notification for a gatekeeper_user_override events. > * > * @field file_type The type of the file field. If Endpoint security can't lookup the file at event > * submission it will emit a path instead of an es_file_t > * @field file Describes the target file that is being overridden by the user > * @field sha256 SHA256 of the file. Provided if the filesize is less than 100MB. > * @field signing_info Signing Information, available if the file has been signed. > * > * @note This event type does not support caching (notify-only). > * @note Hashes are calculated in usermode by Gatekeeper. There is no guarantee that any other program including the > * kernel will observe the same file at the reported path. Furthermore there is no guarantee that the CDHash > * is valid or that it matches the containing binary. 
> */ > typedef struct { > es_gatekeeper_user_override_file_type_t file_type; > union { > es_string_token_t file_path; > es_file_t *_Nonnull file; > } file; > es_sha256_t *_Nullable sha256; > es_signed_file_info_t *_Nullable signing_info; > } es_event_gatekeeper_user_override_t; > > /** 2574,2608c2664,2699 < es_event_authentication_t * _Nonnull authentication; < es_event_xp_malware_detected_t * _Nonnull xp_malware_detected; < es_event_xp_malware_remediated_t * _Nonnull xp_malware_remediated; < es_event_lw_session_login_t * _Nonnull lw_session_login; < es_event_lw_session_logout_t * _Nonnull lw_session_logout; < es_event_lw_session_lock_t * _Nonnull lw_session_lock; < es_event_lw_session_unlock_t * _Nonnull lw_session_unlock; < es_event_screensharing_attach_t * _Nonnull screensharing_attach; < es_event_screensharing_detach_t * _Nonnull screensharing_detach; < es_event_openssh_login_t * _Nonnull openssh_login; < es_event_openssh_logout_t * _Nonnull openssh_logout; < es_event_login_login_t * _Nonnull login_login; < es_event_login_logout_t * _Nonnull login_logout; < es_event_btm_launch_item_add_t * _Nonnull btm_launch_item_add; < es_event_btm_launch_item_remove_t * _Nonnull btm_launch_item_remove; < es_event_profile_add_t * _Nonnull profile_add; < es_event_profile_remove_t * _Nonnull profile_remove; < es_event_su_t * _Nonnull su; < es_event_authorization_petition_t * _Nonnull authorization_petition; < es_event_authorization_judgement_t * _Nonnull authorization_judgement; < es_event_sudo_t * _Nonnull sudo; < es_event_od_group_add_t * _Nonnull od_group_add; < es_event_od_group_remove_t * _Nonnull od_group_remove; < es_event_od_group_set_t * _Nonnull od_group_set; < es_event_od_modify_password_t * _Nonnull od_modify_password; < es_event_od_disable_user_t * _Nonnull od_disable_user; < es_event_od_enable_user_t * _Nonnull od_enable_user; < es_event_od_attribute_value_add_t * _Nonnull od_attribute_value_add; < es_event_od_attribute_value_remove_t * _Nonnull 
od_attribute_value_remove; < es_event_od_attribute_set_t * _Nonnull od_attribute_set; < es_event_od_create_user_t * _Nonnull od_create_user; < es_event_od_create_group_t * _Nonnull od_create_group; < es_event_od_delete_user_t * _Nonnull od_delete_user; < es_event_od_delete_group_t * _Nonnull od_delete_group; < es_event_xpc_connect_t * _Nonnull xpc_connect; --- > es_event_authentication_t *_Nonnull authentication; > es_event_xp_malware_detected_t *_Nonnull xp_malware_detected; > es_event_xp_malware_remediated_t *_Nonnull xp_malware_remediated; > es_event_lw_session_login_t *_Nonnull lw_session_login; > es_event_lw_session_logout_t *_Nonnull lw_session_logout; > es_event_lw_session_lock_t *_Nonnull lw_session_lock; > es_event_lw_session_unlock_t *_Nonnull lw_session_unlock; > es_event_screensharing_attach_t *_Nonnull screensharing_attach; > es_event_screensharing_detach_t *_Nonnull screensharing_detach; > es_event_openssh_login_t *_Nonnull openssh_login; > es_event_openssh_logout_t *_Nonnull openssh_logout; > es_event_login_login_t *_Nonnull login_login; > es_event_login_logout_t *_Nonnull login_logout; > es_event_btm_launch_item_add_t *_Nonnull btm_launch_item_add; > es_event_btm_launch_item_remove_t *_Nonnull btm_launch_item_remove; > es_event_profile_add_t *_Nonnull profile_add; > es_event_profile_remove_t *_Nonnull profile_remove; > es_event_su_t *_Nonnull su; > es_event_authorization_petition_t *_Nonnull authorization_petition; > es_event_authorization_judgement_t *_Nonnull authorization_judgement; > es_event_sudo_t *_Nonnull sudo; > es_event_od_group_add_t *_Nonnull od_group_add; > es_event_od_group_remove_t *_Nonnull od_group_remove; > es_event_od_group_set_t *_Nonnull od_group_set; > es_event_od_modify_password_t *_Nonnull od_modify_password; > es_event_od_disable_user_t *_Nonnull od_disable_user; > es_event_od_enable_user_t *_Nonnull od_enable_user; > es_event_od_attribute_value_add_t *_Nonnull od_attribute_value_add; > es_event_od_attribute_value_remove_t 
*_Nonnull od_attribute_value_remove; > es_event_od_attribute_set_t *_Nonnull od_attribute_set; > es_event_od_create_user_t *_Nonnull od_create_user; > es_event_od_create_group_t *_Nonnull od_create_group; > es_event_od_delete_user_t *_Nonnull od_delete_user; > es_event_od_delete_group_t *_Nonnull od_delete_group; > es_event_xpc_connect_t *_Nonnull xpc_connect; > es_event_gatekeeper_user_override_t *_Nonnull gatekeeper_user_override; 2706c2797 < es_process_t * _Nonnull process; --- > es_process_t *_Nonnull process; 2715,2717c2806,2808 < es_thread_t * _Nullable thread; /* field available only if message version >= 4 */ < uint64_t global_seq_num; /* field available only if message version >= 4 */ < uint64_t opaque[]; /* Opaque data that must not be accessed directly */ --- > es_thread_t *_Nullable thread; /* field available only if message version >= 4 */ > uint64_t global_seq_num; /* field available only if message version >= 4 */ > uint64_t opaque[]; /* Opaque data that must not be accessed directly */ 2735,2738c2826,2833 < API_DEPRECATED("Please use es_retain_message to retain a message. Do not use this in conjunction with attempting to copy a message, doing so will result in use-after-free bugs.", macos(10.15, 11.0)) < API_UNAVAILABLE(ios, tvos, watchos) < size_t < es_message_size(const es_message_t * _Nonnull msg); --- > API_DEPRECATED( > "Please use es_retain_message to retain a message. 
Do not use this in conjunction with attempting to copy a message, doing " > "so will result in use-after-free bugs.", > macos(10.15, 11.0), > ios(18.0, 18.0) > ) > API_UNAVAILABLE(tvos, watchos) > size_t es_message_size(const es_message_t *_Nonnull msg); 2757,2758c2852 < es_message_t * _Nullable < es_copy_message(const es_message_t * _Nonnull msg); --- > es_message_t *_Nullable es_copy_message(const es_message_t *_Nonnull msg); 2770,2771c2864 < void < es_free_message(es_message_t * _Nonnull msg); --- > void es_free_message(es_message_t *_Nonnull msg); 2782,2784c2875,2876 < API_AVAILABLE(macos(11.0)) API_UNAVAILABLE(ios, tvos, watchos) < void < es_retain_message(const es_message_t * _Nonnull msg); --- > API_AVAILABLE(macos(11.0)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) void es_retain_message(const es_message_t *_Nonnull msg); 2792,2794c2884,2885 < API_AVAILABLE(macos(11.0)) API_UNAVAILABLE(ios, tvos, watchos) < void < es_release_message(const es_message_t * _Nonnull msg); --- > API_AVAILABLE(macos(11.0)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) void es_release_message(const es_message_t *_Nonnull msg); 2802,2804c2893,2894 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < uint32_t < es_exec_arg_count(const es_event_exec_t * _Nonnull event); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) uint32_t es_exec_arg_count(const es_event_exec_t *_Nonnull event); 2812,2814c2902,2903 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < uint32_t < es_exec_env_count(const es_event_exec_t * _Nonnull event); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) API_UNAVAILABLE(tvos, watchos) uint32_t es_exec_env_count(const es_event_exec_t *_Nonnull event); 2822,2824c2911,2912 < API_AVAILABLE(macos(11.0)) API_UNAVAILABLE(ios, tvos, watchos) < uint32_t < es_exec_fd_count(const es_event_exec_t * _Nonnull event); --- > API_AVAILABLE(macos(11.0)) > API_UNAVAILABLE(ios) 
API_UNAVAILABLE(tvos, watchos) uint32_t es_exec_fd_count(const es_event_exec_t *_Nonnull event); 2835,2837c2923,2925 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_string_token_t < es_exec_arg(const es_event_exec_t * _Nonnull event, uint32_t index); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) es_string_token_t es_exec_arg(const es_event_exec_t *_Nonnull event, uint32_t index); 2848,2850c2936,2938 < API_AVAILABLE(macos(10.15)) API_UNAVAILABLE(ios, tvos, watchos) < es_string_token_t < es_exec_env(const es_event_exec_t * _Nonnull event, uint32_t index); --- > API_AVAILABLE(macos(10.15)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) es_string_token_t es_exec_env(const es_event_exec_t *_Nonnull event, uint32_t index); 2861,2863c2949,2951 < API_AVAILABLE(macos(11.0)) API_UNAVAILABLE(ios, tvos, watchos) < const es_fd_t * _Nonnull < es_exec_fd(const es_event_exec_t * _Nonnull event, uint32_t index); --- > API_AVAILABLE(macos(11.0)) > API_UNAVAILABLE(ios) > API_UNAVAILABLE(tvos, watchos) const es_fd_t *_Nonnull es_exec_fd(const es_event_exec_t *_Nonnull event, uint32_t index); diff --color MacOSX14.5.sdk/usr/include/EndpointSecurity/ESTypes.h MacOSX15.0.sdk/usr/include/EndpointSecurity/ESTypes.h 4,6d3 < #include < #include < #include 7a5,7 > #include > #include > #include 15,16c15,16 < ES_ACTION_TYPE_AUTH < , ES_ACTION_TYPE_NOTIFY --- > ES_ACTION_TYPE_AUTH, > ES_ACTION_TYPE_NOTIFY 20,21c20,21 < ES_SET < , ES_CLEAR --- > ES_SET, > ES_CLEAR 36c36 < ES_PROC_CHECK_TYPE_KERNMSGBUF = 0x4, // deprecated, not generated --- > ES_PROC_CHECK_TYPE_KERNMSGBUF = 0x4, // deprecated, not generated 39c39 < ES_PROC_CHECK_TYPE_TERMINATE = 0x7, // deprecated, not generated --- > ES_PROC_CHECK_TYPE_TERMINATE = 0x7, // deprecated, not generated 42c42 < ES_PROC_CHECK_TYPE_UDATA_INFO = 0xe, // deprecated, not generated --- > ES_PROC_CHECK_TYPE_UDATA_INFO = 0xe, // deprecated, not generated 74a75,86 > * @brief This enum 
describes the type of plugin types in sudo > */ > typedef enum { > ES_SUDO_PLUGIN_TYPE_UNKNOWN, > ES_SUDO_PLUGIN_TYPE_FRONT_END, > ES_SUDO_PLUGIN_TYPE_POLICY, > ES_SUDO_PLUGIN_TYPE_IO, > ES_SUDO_PLUGIN_TYPE_AUDIT, > ES_SUDO_PLUGIN_TYPE_APPROVAL, > } es_sudo_plugin_type_t; > > /** 87,171c99,185 < // The following events are available beginning in macOS 10.15 < ES_EVENT_TYPE_AUTH_EXEC < , ES_EVENT_TYPE_AUTH_OPEN < , ES_EVENT_TYPE_AUTH_KEXTLOAD < , ES_EVENT_TYPE_AUTH_MMAP < , ES_EVENT_TYPE_AUTH_MPROTECT < , ES_EVENT_TYPE_AUTH_MOUNT < , ES_EVENT_TYPE_AUTH_RENAME < , ES_EVENT_TYPE_AUTH_SIGNAL < , ES_EVENT_TYPE_AUTH_UNLINK < , ES_EVENT_TYPE_NOTIFY_EXEC < , ES_EVENT_TYPE_NOTIFY_OPEN < , ES_EVENT_TYPE_NOTIFY_FORK < , ES_EVENT_TYPE_NOTIFY_CLOSE < , ES_EVENT_TYPE_NOTIFY_CREATE < , ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA < , ES_EVENT_TYPE_NOTIFY_EXIT < , ES_EVENT_TYPE_NOTIFY_GET_TASK < , ES_EVENT_TYPE_NOTIFY_KEXTLOAD < , ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD < , ES_EVENT_TYPE_NOTIFY_LINK < , ES_EVENT_TYPE_NOTIFY_MMAP < , ES_EVENT_TYPE_NOTIFY_MPROTECT < , ES_EVENT_TYPE_NOTIFY_MOUNT < , ES_EVENT_TYPE_NOTIFY_UNMOUNT < , ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN < , ES_EVENT_TYPE_NOTIFY_RENAME < , ES_EVENT_TYPE_NOTIFY_SETATTRLIST < , ES_EVENT_TYPE_NOTIFY_SETEXTATTR < , ES_EVENT_TYPE_NOTIFY_SETFLAGS < , ES_EVENT_TYPE_NOTIFY_SETMODE < , ES_EVENT_TYPE_NOTIFY_SETOWNER < , ES_EVENT_TYPE_NOTIFY_SIGNAL < , ES_EVENT_TYPE_NOTIFY_UNLINK < , ES_EVENT_TYPE_NOTIFY_WRITE < , ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE < , ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE < , ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE < , ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE < , ES_EVENT_TYPE_AUTH_READLINK < , ES_EVENT_TYPE_NOTIFY_READLINK < , ES_EVENT_TYPE_AUTH_TRUNCATE < , ES_EVENT_TYPE_NOTIFY_TRUNCATE < , ES_EVENT_TYPE_AUTH_LINK < , ES_EVENT_TYPE_NOTIFY_LOOKUP < , ES_EVENT_TYPE_AUTH_CREATE < , ES_EVENT_TYPE_AUTH_SETATTRLIST < , ES_EVENT_TYPE_AUTH_SETEXTATTR < , ES_EVENT_TYPE_AUTH_SETFLAGS < , ES_EVENT_TYPE_AUTH_SETMODE < , 
ES_EVENT_TYPE_AUTH_SETOWNER < // The following events are available beginning in macOS 10.15.1 < , ES_EVENT_TYPE_AUTH_CHDIR < , ES_EVENT_TYPE_NOTIFY_CHDIR < , ES_EVENT_TYPE_AUTH_GETATTRLIST < , ES_EVENT_TYPE_NOTIFY_GETATTRLIST < , ES_EVENT_TYPE_NOTIFY_STAT < , ES_EVENT_TYPE_NOTIFY_ACCESS < , ES_EVENT_TYPE_AUTH_CHROOT < , ES_EVENT_TYPE_NOTIFY_CHROOT < , ES_EVENT_TYPE_AUTH_UTIMES < , ES_EVENT_TYPE_NOTIFY_UTIMES < , ES_EVENT_TYPE_AUTH_CLONE < , ES_EVENT_TYPE_NOTIFY_CLONE < , ES_EVENT_TYPE_NOTIFY_FCNTL < , ES_EVENT_TYPE_AUTH_GETEXTATTR < , ES_EVENT_TYPE_NOTIFY_GETEXTATTR < , ES_EVENT_TYPE_AUTH_LISTEXTATTR < , ES_EVENT_TYPE_NOTIFY_LISTEXTATTR < , ES_EVENT_TYPE_AUTH_READDIR < , ES_EVENT_TYPE_NOTIFY_READDIR < , ES_EVENT_TYPE_AUTH_DELETEEXTATTR < , ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR < , ES_EVENT_TYPE_AUTH_FSGETPATH < , ES_EVENT_TYPE_NOTIFY_FSGETPATH < , ES_EVENT_TYPE_NOTIFY_DUP < , ES_EVENT_TYPE_AUTH_SETTIME < , ES_EVENT_TYPE_NOTIFY_SETTIME < , ES_EVENT_TYPE_NOTIFY_UIPC_BIND < , ES_EVENT_TYPE_AUTH_UIPC_BIND < , ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT < , ES_EVENT_TYPE_AUTH_UIPC_CONNECT < , ES_EVENT_TYPE_AUTH_EXCHANGEDATA < , ES_EVENT_TYPE_AUTH_SETACL < , ES_EVENT_TYPE_NOTIFY_SETACL --- > // The following events are available beginning in macOS 10.15 > ES_EVENT_TYPE_AUTH_EXEC, > ES_EVENT_TYPE_AUTH_OPEN, > ES_EVENT_TYPE_AUTH_KEXTLOAD, > ES_EVENT_TYPE_AUTH_MMAP, > ES_EVENT_TYPE_AUTH_MPROTECT, > ES_EVENT_TYPE_AUTH_MOUNT, > ES_EVENT_TYPE_AUTH_RENAME, > ES_EVENT_TYPE_AUTH_SIGNAL, > ES_EVENT_TYPE_AUTH_UNLINK, > ES_EVENT_TYPE_NOTIFY_EXEC, > ES_EVENT_TYPE_NOTIFY_OPEN, > ES_EVENT_TYPE_NOTIFY_FORK, > ES_EVENT_TYPE_NOTIFY_CLOSE, > ES_EVENT_TYPE_NOTIFY_CREATE, > ES_EVENT_TYPE_NOTIFY_EXCHANGEDATA, > ES_EVENT_TYPE_NOTIFY_EXIT, > ES_EVENT_TYPE_NOTIFY_GET_TASK, > ES_EVENT_TYPE_NOTIFY_KEXTLOAD, > ES_EVENT_TYPE_NOTIFY_KEXTUNLOAD, > ES_EVENT_TYPE_NOTIFY_LINK, > ES_EVENT_TYPE_NOTIFY_MMAP, > ES_EVENT_TYPE_NOTIFY_MPROTECT, > ES_EVENT_TYPE_NOTIFY_MOUNT, > ES_EVENT_TYPE_NOTIFY_UNMOUNT, > 
ES_EVENT_TYPE_NOTIFY_IOKIT_OPEN, > ES_EVENT_TYPE_NOTIFY_RENAME, > ES_EVENT_TYPE_NOTIFY_SETATTRLIST, > ES_EVENT_TYPE_NOTIFY_SETEXTATTR, > ES_EVENT_TYPE_NOTIFY_SETFLAGS, > ES_EVENT_TYPE_NOTIFY_SETMODE, > ES_EVENT_TYPE_NOTIFY_SETOWNER, > ES_EVENT_TYPE_NOTIFY_SIGNAL, > ES_EVENT_TYPE_NOTIFY_UNLINK, > ES_EVENT_TYPE_NOTIFY_WRITE, > ES_EVENT_TYPE_AUTH_FILE_PROVIDER_MATERIALIZE, > ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_MATERIALIZE, > ES_EVENT_TYPE_AUTH_FILE_PROVIDER_UPDATE, > ES_EVENT_TYPE_NOTIFY_FILE_PROVIDER_UPDATE, > ES_EVENT_TYPE_AUTH_READLINK, > ES_EVENT_TYPE_NOTIFY_READLINK, > ES_EVENT_TYPE_AUTH_TRUNCATE, > ES_EVENT_TYPE_NOTIFY_TRUNCATE, > ES_EVENT_TYPE_AUTH_LINK, > ES_EVENT_TYPE_NOTIFY_LOOKUP, > ES_EVENT_TYPE_AUTH_CREATE, > ES_EVENT_TYPE_AUTH_SETATTRLIST, > ES_EVENT_TYPE_AUTH_SETEXTATTR, > ES_EVENT_TYPE_AUTH_SETFLAGS, > ES_EVENT_TYPE_AUTH_SETMODE, > ES_EVENT_TYPE_AUTH_SETOWNER, > > // The following events are available beginning in macOS 10.15.1 > ES_EVENT_TYPE_AUTH_CHDIR, > ES_EVENT_TYPE_NOTIFY_CHDIR, > ES_EVENT_TYPE_AUTH_GETATTRLIST, > ES_EVENT_TYPE_NOTIFY_GETATTRLIST, > ES_EVENT_TYPE_NOTIFY_STAT, > ES_EVENT_TYPE_NOTIFY_ACCESS, > ES_EVENT_TYPE_AUTH_CHROOT, > ES_EVENT_TYPE_NOTIFY_CHROOT, > ES_EVENT_TYPE_AUTH_UTIMES, > ES_EVENT_TYPE_NOTIFY_UTIMES, > ES_EVENT_TYPE_AUTH_CLONE, > ES_EVENT_TYPE_NOTIFY_CLONE, > ES_EVENT_TYPE_NOTIFY_FCNTL, > ES_EVENT_TYPE_AUTH_GETEXTATTR, > ES_EVENT_TYPE_NOTIFY_GETEXTATTR, > ES_EVENT_TYPE_AUTH_LISTEXTATTR, > ES_EVENT_TYPE_NOTIFY_LISTEXTATTR, > ES_EVENT_TYPE_AUTH_READDIR, > ES_EVENT_TYPE_NOTIFY_READDIR, > ES_EVENT_TYPE_AUTH_DELETEEXTATTR, > ES_EVENT_TYPE_NOTIFY_DELETEEXTATTR, > ES_EVENT_TYPE_AUTH_FSGETPATH, > ES_EVENT_TYPE_NOTIFY_FSGETPATH, > ES_EVENT_TYPE_NOTIFY_DUP, > ES_EVENT_TYPE_AUTH_SETTIME, > ES_EVENT_TYPE_NOTIFY_SETTIME, > ES_EVENT_TYPE_NOTIFY_UIPC_BIND, > ES_EVENT_TYPE_AUTH_UIPC_BIND, > ES_EVENT_TYPE_NOTIFY_UIPC_CONNECT, > ES_EVENT_TYPE_AUTH_UIPC_CONNECT, > ES_EVENT_TYPE_AUTH_EXCHANGEDATA, > ES_EVENT_TYPE_AUTH_SETACL, > 
ES_EVENT_TYPE_NOTIFY_SETACL, > 173,177c187,192 < , ES_EVENT_TYPE_NOTIFY_PTY_GRANT < , ES_EVENT_TYPE_NOTIFY_PTY_CLOSE < , ES_EVENT_TYPE_AUTH_PROC_CHECK < , ES_EVENT_TYPE_NOTIFY_PROC_CHECK < , ES_EVENT_TYPE_AUTH_GET_TASK --- > ES_EVENT_TYPE_NOTIFY_PTY_GRANT, > ES_EVENT_TYPE_NOTIFY_PTY_CLOSE, > ES_EVENT_TYPE_AUTH_PROC_CHECK, > ES_EVENT_TYPE_NOTIFY_PROC_CHECK, > ES_EVENT_TYPE_AUTH_GET_TASK, > 179,190c194,206 < , ES_EVENT_TYPE_AUTH_SEARCHFS < , ES_EVENT_TYPE_NOTIFY_SEARCHFS < , ES_EVENT_TYPE_AUTH_FCNTL < , ES_EVENT_TYPE_AUTH_IOKIT_OPEN < , ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME < , ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME < , ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED < , ES_EVENT_TYPE_NOTIFY_GET_TASK_NAME < , ES_EVENT_TYPE_NOTIFY_TRACE < , ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE < , ES_EVENT_TYPE_AUTH_REMOUNT < , ES_EVENT_TYPE_NOTIFY_REMOUNT --- > ES_EVENT_TYPE_AUTH_SEARCHFS, > ES_EVENT_TYPE_NOTIFY_SEARCHFS, > ES_EVENT_TYPE_AUTH_FCNTL, > ES_EVENT_TYPE_AUTH_IOKIT_OPEN, > ES_EVENT_TYPE_AUTH_PROC_SUSPEND_RESUME, > ES_EVENT_TYPE_NOTIFY_PROC_SUSPEND_RESUME, > ES_EVENT_TYPE_NOTIFY_CS_INVALIDATED, > ES_EVENT_TYPE_NOTIFY_GET_TASK_NAME, > ES_EVENT_TYPE_NOTIFY_TRACE, > ES_EVENT_TYPE_NOTIFY_REMOTE_THREAD_CREATE, > ES_EVENT_TYPE_AUTH_REMOUNT, > ES_EVENT_TYPE_NOTIFY_REMOUNT, > 192,194c208,211 < , ES_EVENT_TYPE_AUTH_GET_TASK_READ < , ES_EVENT_TYPE_NOTIFY_GET_TASK_READ < , ES_EVENT_TYPE_NOTIFY_GET_TASK_INSPECT --- > ES_EVENT_TYPE_AUTH_GET_TASK_READ, > ES_EVENT_TYPE_NOTIFY_GET_TASK_READ, > ES_EVENT_TYPE_NOTIFY_GET_TASK_INSPECT, > 196,203c213,221 < , ES_EVENT_TYPE_NOTIFY_SETUID < , ES_EVENT_TYPE_NOTIFY_SETGID < , ES_EVENT_TYPE_NOTIFY_SETEUID < , ES_EVENT_TYPE_NOTIFY_SETEGID < , ES_EVENT_TYPE_NOTIFY_SETREUID < , ES_EVENT_TYPE_NOTIFY_SETREGID < , ES_EVENT_TYPE_AUTH_COPYFILE < , ES_EVENT_TYPE_NOTIFY_COPYFILE --- > ES_EVENT_TYPE_NOTIFY_SETUID, > ES_EVENT_TYPE_NOTIFY_SETGID, > ES_EVENT_TYPE_NOTIFY_SETEUID, > ES_EVENT_TYPE_NOTIFY_SETEGID, > ES_EVENT_TYPE_NOTIFY_SETREUID, > 
ES_EVENT_TYPE_NOTIFY_SETREGID, > ES_EVENT_TYPE_AUTH_COPYFILE, > ES_EVENT_TYPE_NOTIFY_COPYFILE, > 205,219c223,238 < , ES_EVENT_TYPE_NOTIFY_AUTHENTICATION < , ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED < , ES_EVENT_TYPE_NOTIFY_XP_MALWARE_REMEDIATED < , ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN < , ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT < , ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK < , ES_EVENT_TYPE_NOTIFY_LW_SESSION_UNLOCK < , ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH < , ES_EVENT_TYPE_NOTIFY_SCREENSHARING_DETACH < , ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN < , ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT < , ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN < , ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT < , ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD < , ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE --- > ES_EVENT_TYPE_NOTIFY_AUTHENTICATION, > ES_EVENT_TYPE_NOTIFY_XP_MALWARE_DETECTED, > ES_EVENT_TYPE_NOTIFY_XP_MALWARE_REMEDIATED, > ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGIN, > ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOGOUT, > ES_EVENT_TYPE_NOTIFY_LW_SESSION_LOCK, > ES_EVENT_TYPE_NOTIFY_LW_SESSION_UNLOCK, > ES_EVENT_TYPE_NOTIFY_SCREENSHARING_ATTACH, > ES_EVENT_TYPE_NOTIFY_SCREENSHARING_DETACH, > ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGIN, > ES_EVENT_TYPE_NOTIFY_OPENSSH_LOGOUT, > ES_EVENT_TYPE_NOTIFY_LOGIN_LOGIN, > ES_EVENT_TYPE_NOTIFY_LOGIN_LOGOUT, > ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_ADD, > ES_EVENT_TYPE_NOTIFY_BTM_LAUNCH_ITEM_REMOVE, > 221,240c240,262 < , ES_EVENT_TYPE_NOTIFY_PROFILE_ADD < , ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE < , ES_EVENT_TYPE_NOTIFY_SU < , ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION < , ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT < , ES_EVENT_TYPE_NOTIFY_SUDO < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE < , ES_EVENT_TYPE_NOTIFY_OD_GROUP_SET < , ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD < , ES_EVENT_TYPE_NOTIFY_OD_DISABLE_USER < , ES_EVENT_TYPE_NOTIFY_OD_ENABLE_USER < , ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD < , ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_REMOVE < , 
ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_SET < , ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER < , ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP < , ES_EVENT_TYPE_NOTIFY_OD_DELETE_USER < , ES_EVENT_TYPE_NOTIFY_OD_DELETE_GROUP < , ES_EVENT_TYPE_NOTIFY_XPC_CONNECT --- > ES_EVENT_TYPE_NOTIFY_PROFILE_ADD, > ES_EVENT_TYPE_NOTIFY_PROFILE_REMOVE, > ES_EVENT_TYPE_NOTIFY_SU, > ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_PETITION, > ES_EVENT_TYPE_NOTIFY_AUTHORIZATION_JUDGEMENT, > ES_EVENT_TYPE_NOTIFY_SUDO, > ES_EVENT_TYPE_NOTIFY_OD_GROUP_ADD, > ES_EVENT_TYPE_NOTIFY_OD_GROUP_REMOVE, > ES_EVENT_TYPE_NOTIFY_OD_GROUP_SET, > ES_EVENT_TYPE_NOTIFY_OD_MODIFY_PASSWORD, > ES_EVENT_TYPE_NOTIFY_OD_DISABLE_USER, > ES_EVENT_TYPE_NOTIFY_OD_ENABLE_USER, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_ADD, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_VALUE_REMOVE, > ES_EVENT_TYPE_NOTIFY_OD_ATTRIBUTE_SET, > ES_EVENT_TYPE_NOTIFY_OD_CREATE_USER, > ES_EVENT_TYPE_NOTIFY_OD_CREATE_GROUP, > ES_EVENT_TYPE_NOTIFY_OD_DELETE_USER, > ES_EVENT_TYPE_NOTIFY_OD_DELETE_GROUP, > ES_EVENT_TYPE_NOTIFY_XPC_CONNECT, > > // The following events are available beginning in macOS 15.0 > ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE, 245c267 < , ES_EVENT_TYPE_LAST --- > ES_EVENT_TYPE_LAST 253,255c275,277 < ES_AUTH_RESULT_ALLOW < /// The event is not authorized and should be blocked < , ES_AUTH_RESULT_DENY --- > ES_AUTH_RESULT_ALLOW, > /// The event is not authorized and should be blocked > ES_AUTH_RESULT_DENY 263,265c285,287 < ES_RESULT_TYPE_AUTH < /// The result is a flags result < , ES_RESULT_TYPE_FLAGS --- > ES_RESULT_TYPE_AUTH, > /// The result is a flags result > ES_RESULT_TYPE_FLAGS 272,273c294,295 < ES_RETURN_SUCCESS < , ES_RETURN_ERROR --- > ES_RETURN_SUCCESS, > ES_RETURN_ERROR 280,291c302,313 < ES_RESPOND_RESULT_SUCCESS < ///One or more invalid arguments were provided < , ES_RESPOND_RESULT_ERR_INVALID_ARGUMENT < ///Communication with the ES subsystem failed < , ES_RESPOND_RESULT_ERR_INTERNAL < ///The message being responded to could not be found < , 
ES_RESPOND_RESULT_NOT_FOUND < ///The provided message has been responded to more than once < , ES_RESPOND_RESULT_ERR_DUPLICATE_RESPONSE < ///Either an inappropriate response API was used for the event type (ensure using proper < ///es_respond_auth_result or es_respond_flags_result function) or the event is notification only. < , ES_RESPOND_RESULT_ERR_EVENT_TYPE --- > ES_RESPOND_RESULT_SUCCESS, > /// One or more invalid arguments were provided > ES_RESPOND_RESULT_ERR_INVALID_ARGUMENT, > /// Communication with the ES subsystem failed > ES_RESPOND_RESULT_ERR_INTERNAL, > /// The message being responded to could not be found > ES_RESPOND_RESULT_NOT_FOUND, > /// The provided message has been responded to more than once > ES_RESPOND_RESULT_ERR_DUPLICATE_RESPONSE, > /// Either an inappropriate response API was used for the event type (ensure using proper > /// es_respond_auth_result or es_respond_flags_result function) or the event is notification only. > ES_RESPOND_RESULT_ERR_EVENT_TYPE 298c320 < ES_NEW_CLIENT_RESULT_SUCCESS --- > ES_NEW_CLIENT_RESULT_SUCCESS, 300c322 < , ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT --- > ES_NEW_CLIENT_RESULT_ERR_INVALID_ARGUMENT, 302c324 < , ES_NEW_CLIENT_RESULT_ERR_INTERNAL --- > ES_NEW_CLIENT_RESULT_ERR_INTERNAL, 304c326 < , ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED --- > ES_NEW_CLIENT_RESULT_ERR_NOT_ENTITLED, 306c328 < , ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED --- > ES_NEW_CLIENT_RESULT_ERR_NOT_PERMITTED, 308c330 < , ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED --- > ES_NEW_CLIENT_RESULT_ERR_NOT_PRIVILEGED, 310c332 < , ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS --- > ES_NEW_CLIENT_RESULT_ERR_TOO_MANY_CLIENTS 317,321c339,343 < ES_CLEAR_CACHE_RESULT_SUCCESS < ///Communication with the ES subsystem failed < , ES_CLEAR_CACHE_RESULT_ERR_INTERNAL < ///Rate of calls is too high. Slow down. 
< , ES_CLEAR_CACHE_RESULT_ERR_THROTTLE --- > ES_CLEAR_CACHE_RESULT_SUCCESS, > /// Communication with the ES subsystem failed > ES_CLEAR_CACHE_RESULT_ERR_INTERNAL, > /// Rate of calls is too high. Slow down. > ES_CLEAR_CACHE_RESULT_ERR_THROTTLE 324a347,366 > * @brief Binary CDHash > * > * The Code Directory Hash (CDHash) is a hash of hashes, covering a macho or an entire application bundle. > * The Code Directory contains the hash of each executable page in the main executable. Only when: > * > * - The subject process has opted into the hardened runtime (CS_HARD/CS_KILL) > * - The subject process is not being debugged > * - The subject process is running > * > * is it guaranteed that the ES provided cdhash value matches the binary observed by the kernel and that the > * pages actually executed have not been modified. > */ > typedef uint8_t es_cdhash_t[20]; > > /** > * @brief Binary Sha256 Digest > */ > typedef uint8_t es_sha256_t[32]; > > /** 330c372 < const uint8_t * data; --- > const uint8_t *data; 339c381 < const char * data; --- > const char *data; 347c389 < ES_MUTE_PATH_TYPE_PREFIX --- > ES_MUTE_PATH_TYPE_PREFIX, 349c391 < , ES_MUTE_PATH_TYPE_LITERAL --- > ES_MUTE_PATH_TYPE_LITERAL, 351c393 < , ES_MUTE_PATH_TYPE_TARGET_PREFIX --- > ES_MUTE_PATH_TYPE_TARGET_PREFIX, 353c395 < , ES_MUTE_PATH_TYPE_TARGET_LITERAL --- > ES_MUTE_PATH_TYPE_TARGET_LITERAL 421,424c463,466 < ES_MUTE_INVERSION_TYPE_PROCESS < , ES_MUTE_INVERSION_TYPE_PATH < , ES_MUTE_INVERSION_TYPE_TARGET_PATH < , ES_MUTE_INVERSION_TYPE_LAST --- > ES_MUTE_INVERSION_TYPE_PROCESS, > ES_MUTE_INVERSION_TYPE_PATH, > ES_MUTE_INVERSION_TYPE_TARGET_PATH, > ES_MUTE_INVERSION_TYPE_LAST 428,433c470,475 < /// The type of muted queried was inverted < ES_MUTE_INVERTED < /// The type of muted queried was not inverted < , ES_MUTE_NOT_INVERTED < /// There was an error querying mute inversion state < , ES_MUTE_INVERTED_ERROR --- > /// The type of muted queried was inverted > ES_MUTE_INVERTED, > /// The type of muted queried 
was not inverted > ES_MUTE_NOT_INVERTED, > /// There was an error querying mute inversion state > ES_MUTE_INVERTED_ERROR 440,453c482,495 < /// Right is judged on user properties < ES_AUTHORIZATION_RULE_CLASS_USER < /// Right is judged by a tree of sub-rules < , ES_AUTHORIZATION_RULE_CLASS_RULE < /// Right is judged by one or more plugins < , ES_AUTHORIZATION_RULE_CLASS_MECHANISM < /// Right is always granted < , ES_AUTHORIZATION_RULE_CLASS_ALLOW < /// Right is always denied < , ES_AUTHORIZATION_RULE_CLASS_DENY < /// Right is unknown < , ES_AUTHORIZATION_RULE_CLASS_UNKNOWN < /// Right is invalid < , ES_AUTHORIZATION_RULE_CLASS_INVALID --- > /// Right is judged on user properties > ES_AUTHORIZATION_RULE_CLASS_USER, > /// Right is judged by a tree of sub-rules > ES_AUTHORIZATION_RULE_CLASS_RULE, > /// Right is judged by one or more plugins > ES_AUTHORIZATION_RULE_CLASS_MECHANISM, > /// Right is always granted > ES_AUTHORIZATION_RULE_CLASS_ALLOW, > /// Right is always denied > ES_AUTHORIZATION_RULE_CLASS_DENY, > /// Right is unknown > ES_AUTHORIZATION_RULE_CLASS_UNKNOWN, > /// Right is invalid > ES_AUTHORIZATION_RULE_CLASS_INVALID 462c504 < ES_OD_MEMBER_TYPE_USER_NAME --- > ES_OD_MEMBER_TYPE_USER_NAME, 464c506 < , ES_OD_MEMBER_TYPE_USER_UUID --- > ES_OD_MEMBER_TYPE_USER_UUID, 466c508 < , ES_OD_MEMBER_TYPE_GROUP_UUID --- > ES_OD_MEMBER_TYPE_GROUP_UUID 473,474c515,516 < ES_OD_ACCOUNT_TYPE_USER < , ES_OD_ACCOUNT_TYPE_COMPUTER --- > ES_OD_ACCOUNT_TYPE_USER, > ES_OD_ACCOUNT_TYPE_COMPUTER 481,482c523,524 < ES_OD_RECORD_TYPE_USER < , ES_OD_RECORD_TYPE_GROUP --- > ES_OD_RECORD_TYPE_USER, > ES_OD_RECORD_TYPE_GROUP 484a527,548 > > typedef enum { > /// Signals that file is a string of a path since file could not be resolved on disk at time of event submission > ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_PATH, > /// Signals that file is a es_file_t > ES_GATEKEEPER_USER_OVERRIDE_FILE_TYPE_FILE > } es_gatekeeper_user_override_file_type_t; > > /* > * Information from a signed file. 
If the file is a multiarchitecture binary, only the > * signing information for the native host architecture is reported. I.e. the CDHash > * from the AArch64 slice if the host is AArch64. > * > * @field cdhash Code Directory Hash > * @field teamID Team Identifier, if available in the signing information. > * @field signingID Signing Identifier, if available in the signing information. > */ > typedef struct { > es_cdhash_t cdhash; > es_string_token_t signing_id; > es_string_token_t team_id; > } es_signed_file_info_t; diff --color MacOSX14.5.sdk/usr/include/EndpointSecurity/EndpointSecurity.h MacOSX15.0.sdk/usr/include/EndpointSecurity/EndpointSecurity.h 7a8 > // Include types first 8a10 > 9a12 > ```
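
Review bot: In the ESMessage.h hunk at 2735,2738c2826,2833, `es_message_size` gains `ios(18.0, 18.0)` inside `API_DEPRECATED` and drops `ios` from `API_UNAVAILABLE`, whereas the declarations from `es_retain_message` through `es_exec_fd` keep `API_UNAVAILABLE(ios)`. This is the one declaration in this part of the diff whose availability changes rather than only its formatting. The binding should stay marked deprecated and should not be surfaced on any new path, since the deprecation text itself warns that using it together with message copying results in use-after-free bugs.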
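
Review bot: In the ESTypes.h hunk at 74a75,86, the last enumerator is written `ES_SUDO_PLUGIN_TYPE_APPROVAL,` with a trailing comma, while the other enums reformatted in this diff end without one (`ES_EVENT_TYPE_LAST`, `ES_RETURN_ERROR`, `ES_AUTH_RESULT_DENY`). The `@brief` ("describes the type of plugin types in sudo") also says nothing about what each value means and none of the six enumerators carries its own comment, so the binding's variants will need documentation written from another source.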
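
Review bot: In the ESTypes.h hunk at 221,240c240,262, `ES_EVENT_TYPE_NOTIFY_GATEKEEPER_USER_OVERRIDE` is added ahead of `ES_EVENT_TYPE_LAST` and none of the enumerators shown has an explicit value, so the value of `ES_EVENT_TYPE_LAST` moves up by one between the two SDKs. Anything on the binding side that is sized by or compared against `ES_EVENT_TYPE_LAST` should be regenerated from the header rather than hard-coded, and the new variant should be gated on macOS 15.0 as the added comment states.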
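
Review bot: In the ESTypes.h hunk at 324a347,366, the guarantee documented for `es_cdhash_t` is conditional (hardened runtime via CS_HARD/CS_KILL, not being debugged, still running), and that condition is easy to lose once the type is re-exported as a plain 20-byte array. The binding's documentation for the type should reproduce all three conditions so that consumers do not assume the value matches the executed pages in every case. As a wording point, the sentence split around the bullet list ("Only when: ... is it guaranteed") is hard to parse and would read better with the guarantee stated first and the conditions after it.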
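
Review bot: In the ESTypes.h hunk at 484a527,548, the comment above `es_signed_file_info_t` documents `@field teamID` and `@field signingID`, but the members are declared as `signing_id` and `team_id`, and in the opposite order. The comment also opens with `/*` rather than the `/**` used for the other documented types in this diff. The binding should take field names and layout from the struct declaration (`cdhash`, `signing_id`, `team_id`), not from the comment, and its docs should carry over the statement that only the native host architecture's signing information is reported for a multiarchitecture binary.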

Not much has changed compared to the beta. We can start implementation work.