endpoint-sec

Implement macOS 15.0 and 15.4 changes

Open roblabla opened this issue 2 months ago • 0 comments

Fixes #52

This PR adds everything from the macOS 15.0 and 15.4 SDK:

  • A new es_event_gatekeeper_user_override_t event type
  • Made the instigator field in most types nullable, and added a new instigator_token field. To make this backwards compatible, in endpoint-sec, instigator_token will automatically grab it from instigator on old versions of ES.
  • Adds a new disposition field to mount and remount events, telling us the kind of disk that backs the mount
  • Adds a new instigator field to signal events to handle delegated signal handling (ergo sending a signal to a process through launchd)
  • Adds a new es_tcc_modify_t event type to get notified of TCC modifications.
  • Some documentation and type refactoring.

Along with this, we also have a commit to greatly simplify our ffi_wrap_enum macro to limit the amount of stuff we have to write each time we add support for a new SDK version.

roblabla, Nov 10 '25 13:11