sektioneins / SUIDGuard

SUIDGuard - a TrustedBSD Kernel Extension that adds mitigations to protect SUID/SGID processes a bit more

Saved Application State issue #10

Open ghost opened 9 years ago

ghost commented 9 years ago

Seeing an oddity in 10.9.5/10.10.x with 1.0.6.

If ~/Library/Preferences/com.apple.loginwindow.* dictates that an application should be re-opened (not to be confused with SysPref>Users>User>LoginItems, which will open an app but doesn't care about its saved state) after restart, then that app loading will crash the entire system (hard, no mouse/keyboard - hard reset required).

Clearing ~/Library/Preferences/com.apple.loginwindow.* and ~/Library/Saved\ Application\ State after kext installation, but prior to restart, also doesn't work, as opening an app to resume it still crashes it out.

Amused that the app state is persistent beyond ~/Library/Saved\ Application\ State and also that the kext is doing this (yes, booting from recovery or a bootable USB and then removing the kext and going back into the user's env, works just fine).

stefanesser commented 9 years ago

What application are you trying to restart? Maybe that application is in violation of the "missing __PAGEZERO" segment policy. Did /var/log/system.log have any output from SUIDGuard?
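
The "missing __PAGEZERO" policy mentioned above is a check on the Mach-O load commands: a 64-bit executable linked with -pagezero_size 0 carries no __PAGEZERO segment, so address 0 is mappable and the binary is refused elevated execution. The script below is an added example, not SUIDGuard code, for finding out in advance which binaries on a box would trip such a check. It assumes the policy is a plain presence test for a segment named __PAGEZERO (the thread gives no more detail than the name), walks thin and fat (universal) Mach-O files without any third-party library, and runs against constructed header-only sample images so it works offline; point it at real paths (or a directory, for setuid/setgid files) to check actual binaries.

```python
"""
Report whether Mach-O executables carry a __PAGEZERO segment.

Added example, not part of SUIDGuard.  Assumes the policy is a presence
check on a segment named __PAGEZERO; the sample images built at the bottom
are constructed headers with no code, used only so the script runs offline.
"""
import os
import stat
import struct

MH_MAGIC = 0xFEEDFACE      # 32-bit Mach-O header
MH_MAGIC_64 = 0xFEEDFACF   # 64-bit Mach-O header
FAT_MAGIC = 0xCAFEBABE     # universal wrapper, always big-endian
LC_SEGMENT = 0x1
LC_SEGMENT_64 = 0x19


def _segments(blob, offset=0):
    """Yield the segment names of one thin Mach-O image starting at `offset`."""
    magic_le = struct.unpack_from("<I", blob, offset)[0]
    magic_be = struct.unpack_from(">I", blob, offset)[0]
    if magic_le in (MH_MAGIC, MH_MAGIC_64):
        end, magic = "<", magic_le
    elif magic_be in (MH_MAGIC, MH_MAGIC_64):
        end, magic = ">", magic_be
    else:
        raise ValueError("no Mach-O header at offset %d" % offset)
    # mach_header(_64): magic, cputype, cpusubtype, filetype, ncmds, sizeofcmds, flags[, reserved]
    hdr_size = 32 if magic == MH_MAGIC_64 else 28
    ncmds = struct.unpack_from(end + "I", blob, offset + 16)[0]
    pos = offset + hdr_size
    for _ in range(ncmds):
        cmd, cmdsize = struct.unpack_from(end + "II", blob, pos)
        if cmdsize < 8:
            raise ValueError("malformed load command")
        if cmd in (LC_SEGMENT, LC_SEGMENT_64):
            # segname[16] follows the 8-byte load_command header in both layouts
            yield blob[pos + 8:pos + 24].split(b"\0", 1)[0].decode("ascii", "replace")
        pos += cmdsize


def pagezero_report(blob):
    """Return {slice_label: has_pagezero} for every architecture slice in `blob`."""
    report = {}
    if struct.unpack_from(">I", blob, 0)[0] == FAT_MAGIC:
        nfat = struct.unpack_from(">I", blob, 4)[0]
        for i in range(nfat):          # fat_arch: cputype, cpusubtype, offset, size, align
            cputype, _sub, off, _size, _align = struct.unpack_from(">iiIII", blob, 8 + 20 * i)
            report["cputype_0x%x" % cputype] = "__PAGEZERO" in list(_segments(blob, off))
    else:
        report["thin"] = "__PAGEZERO" in list(_segments(blob))
    return report


def check_file(path):
    """Return (privileged, report); privileged is True when the file is setuid or setgid."""
    privileged = bool(os.stat(path).st_mode & (stat.S_ISUID | stat.S_ISGID))
    with open(path, "rb") as f:
        return privileged, pagezero_report(f.read())


def find_offenders(root):
    """Walk `root` and return setuid/setgid regular files with any slice lacking __PAGEZERO."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            try:
                _priv, report = check_file(path)
            except (OSError, ValueError, struct.error):
                continue            # unreadable, or not a Mach-O file (scripts, data)
            if not all(report.values()):
                hits.append(path)
    return hits


def _build_thin(segnames, is64=True):
    """Constructed sample: a Mach-O header plus one empty segment command per name."""
    if is64:
        fmt, cmd, size = "<II16sQQQQiiII", LC_SEGMENT_64, 72
        hdr = struct.pack("<IiiIIIII", MH_MAGIC_64, 0x01000007, 3, 2, len(segnames), size * len(segnames), 0, 0)
    else:
        fmt, cmd, size = "<II16sIIIIiiII", LC_SEGMENT, 56
        hdr = struct.pack("<IiiIIII", MH_MAGIC, 7, 3, 2, len(segnames), size * len(segnames), 0)
    return hdr + b"".join(struct.pack(fmt, cmd, size, n.encode(), 0, 0x1000, 0, 0, 0, 0, 0, 0) for n in segnames)


def _build_fat(slices):
    """Constructed sample: fat wrapper around (cputype, image) pairs, slices packed back to back."""
    archs, body, off = b"", b"", 8 + 20 * len(slices)
    for cputype, image in slices:
        archs += struct.pack(">iiIII", cputype, 3, off, len(image), 0)
        body += image
        off += len(image)
    return struct.pack(">II", FAT_MAGIC, len(slices)) + archs + body


SAMPLE_OK = _build_thin(["__PAGEZERO", "__TEXT", "__LINKEDIT"])   # normal 64-bit link
SAMPLE_BAD = _build_thin(["__TEXT", "__LINKEDIT"])                 # linked with -pagezero_size 0
SAMPLE_FAT = _build_fat([(0x01000007, SAMPLE_BAD), (7, _build_thin(["__PAGEZERO", "__TEXT"], is64=False))])

if __name__ == "__main__":
    import sys
    for label, blob in (("with __PAGEZERO", SAMPLE_OK), ("without __PAGEZERO", SAMPLE_BAD), ("fat", SAMPLE_FAT)):
        print(label, pagezero_report(blob))
    for path in sys.argv[1:]:
        print(path, find_offenders(path) if os.path.isdir(path) else check_file(path))
```

A universal binary is reported per slice because the kernel only runs the slice matching the CPU; a missing __PAGEZERO in the i386 slice of an x86_64-only machine is not what the policy would see at exec time, so read the report against the architecture actually in use.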

ghost commented 9 years ago

Various. Cisco AnyConnect VPN client, latest public stable of Google Chrome, latest public stable of Word (Office 2011)

Wasn't able to grab the logs as instructions were given to roll-back to achieve usability. Shall replicate and grep the logs.

ghost commented 9 years ago

system.log extract from a 10.9.5 machine. IPv6 is disabled. Lots of networking restrictions (local IPFW/PF) which were in place for some time.

The device was re-opening only Cisco AnyConnect 4.1.x from what I understand. It didn't even load the dock, no mouse/keyboard as mentioned. Fix was to remove the kext.

Aug 19 13:57:32 assettag.local eapolclient[583]: en0 START uid 0 gid 0
Aug 19 13:57:33 assettag kernel[0]: ARPT: 371.930616: MacAuthEvent en0   Auth result for: XX:XX:XX:XX:XX:XX  MAC AUTH succeeded
Aug 19 13:57:33 assettag kernel[0]: wlEvent: en0 en0 Link UP virtIf = 0
Aug 19 13:57:33 assettag kernel[0]: AirPort: Link Up on en0
Aug 19 13:57:33 assettag kernel[0]: en0: BSSID changed to XX:XX:XX:XX:XX:XX
Aug 19 13:57:33 assettag.local eapolclient[583]: en0 EAP-TLS: successfully authenticated
Aug 19 13:57:33 assettag kernel[0]: AirPort: RSN handshake complete on en0
Aug 19 13:57:33 assettag.local acvpnagent[111]: A new network interface has been detected.
Aug 19 13:57:33 assettag.local acvpnagent[111]: Function: logInterfaces File: ../../vpn/AgentUtilities/Routing/InterfaceRouteMonitorCommon.cpp Line: 477 IP Address Interface List: 192.168.XX.XX
Aug 19 13:57:33 assettag.local acvpnagent[111]: Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7510 Network Interface change detected, refreshing physical MAC addresses
Aug 19 13:57:33 assettag.local UserEventAgent[12]: Captive: [CNInfoNetworkActive:1655] en0: SSID ‘XXXXX’ making interface primary (cache indicates network not captive)
Aug 19 13:57:33 assettag.local configd[19]: network changed: DNS* Proxy
Aug 19 13:57:33 assettag.local UserEventAgent[12]: Captive: CNPluginHandler en0: Evaluating
Aug 19 13:57:33 assettag.local UserEventAgent[12]: Captive: en0: Not probing ‘XXXX’ (cache indicates not captive)
Aug 19 13:57:33 assettag.local UserEventAgent[12]: Captive: CNPluginHandler en0: Authenticated
Aug 19 13:57:33 assettag.local configd[19]: network changed: v4(en0!:192.168.XX.XX) DNS+ Proxy+ SMB
Aug 19 13:57:33 assettag.local mDNSResponder[54]: mDNSPlatformSendUDP: sendto(8) failed to send packet on InterfaceID 0000000000000004   en0/4 to 224.0.0.251:5353 skt 8 error -1 errno 13 (Permission denied) 58276578090963 MessageCount is 36
Aug 19 13:57:33 assettag.local identityservicesd[304]: [Warning] Bag loading failed! Error (kCFErrorDomainCFNetwork:306): There was a problem communicating with the web proxy server (HTTP). http://init.ess.apple.com/WebObjects/VCInit.woa/wa/getBag?ix=1
Aug 19 13:57:34 assettag kernel[0]: flow_divert_kctl_disconnect (0): disconnecting group 1
Aug 19 13:57:34 assettag.local mDNSResponder[54]: mDNSPlatformSendUDP: sendto(8) failed to send packet on InterfaceID 0000000000000004   en0/4 to 224.0.0.251:5353 skt 8 error -1 errno 13 (Permission denied) 2461819870 MessageCount is 37
Aug 19 13:57:37 assettag.local sandboxd[136] ([174]): ntpd(174) deny file-read-data /private/var/run/resolv.conf
Aug 19 13:57:38 --- last message repeated 1 time ---
Aug 19 13:57:38 assettag.local mDNSResponder[54]: mDNSPlatformSendUDP: sendto(8) failed to send packet on InterfaceID 0000000000000004   en0/4 to 224.0.0.251:5353 skt 8 error -1 errno 13 (Permission denied) 58276578095050 MessageCount is 38
Aug 19 13:57:38 assettag.local acvpnagent[111]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Aug 19 13:57:38 assettag.local acvpnagent[111]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Aug 19 13:57:38 assettag.local acvpnagent[111]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Aug 19 13:57:38 assettag.local acvpnagent[111]: The client's public address is now set to 192.168.XX.XX
Aug 19 13:57:38 assettag.local acvpnagent[111]: Function: netInterfaceNoticeCategoryHandler File: ../../vpn/Agent/MainThread.cpp Line: 7510 Network Interface change detected, refreshing physical MAC addresses
Aug 19 13:57:38 assettag.local acvpnagent[111]: Function: logProbeFailure File: ../../vpn/Agent/NetEnvironment.cpp Line: 1417 The HTTPS probe to 80.194.77.105 resulted in a redirect.
Aug 19 13:57:39 assettag.local acvpnagent[111]: Function: analyzeHttpResponse File: ../../vpn/Agent/NetEnvironment.cpp Line: 1612 SG (80.194.77.105) contacted
Aug 19 13:57:39 assettag.local acvpnagent[111]: Current network state: Secure Gateway accessible
Aug 19 13:57:39 assettag.local acvpnui[326]: VPN state: Disconnected Network state: Network Accessible Network control state: Network Access: Available Network type: Undefined
Aug 19 13:57:39 assettag.local acvpnui[326]: Message type information sent to the user: 
Aug 19 13:57:39 assettag.local acvpnui[326]: Function: ClosePopup File: ../../vpn/ApiShim/ApiShim.cpp Line: 1983 No popup found of the given ID
Aug 19 13:57:39 assettag.local acvpnagent[111]: Function: GetPrimaryInterfaceIndex File: ../../vpn/Common/Utility/NetInterface_unix.cpp Line: 422 Unable to get global IPv6 information from system configuration.
Aug 19 13:57:39 assettag.local acvpnagent[111]: Function: determinePublicAddrCandidateFromDefRoute File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1769 Invoked Function: CHostConfigMgr::FindDefaultRouteInterface Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Aug 19 13:57:39 assettag.local acvpnagent[111]: Function: updatePotentialPublicAddresses File: ../../vpn/AgentUtilities/HostConfigMgr.cpp Line: 1914 Invoked Function: CHostConfigMgr::determinePublicAddrCandidateFromDefRoute Return Code: -24117215 (0xFE900021) Description: ROUTETABLE_ERROR_GETBESTROUTE_FAILED 
Aug 19 13:57:40 assettag com.apple.launchd.peruser.337009[185] (Something.LaunchDaemon.Item.Irrelevant): Throttling respawn: Will start in 4 seconds
Aug 19 13:57:47 assettag.local mDNSResponder[54]: mDNSPlatformSendUDP: sendto(8) failed to send packet on InterfaceID 0000000000000004   en0/4 to 224.0.0.251:5353 skt 8 error -1 errno 13 (Permission denied) 6756799311 MessageCount is 39
stefanesser commented 9 years ago

Oh I see. You are using 10.9.x - then it is no wonder that SUIDGuard does not work or crashes. The installer that we ship only works on 10.10 for a reason: 10.10 is the only officially supported one. 10.9 is incompatible with SUIDGuard and should cause kernel panics if you try to use it. The MAC framework hooks in 10.9 lack the features required for the DYLD_ protection.

ghost commented 9 years ago

The device logs I could get are from 10.9.5, but this happens on 10.10.x too; just waiting for an EUD to come in so I can get the 1st line chaps at the client to pull the logs off.

But OK, understood about it not patching 10.9.5. I missed that point for SUIDGuard.