
plist – launchd: Confusion about semantics of bootstrap and bootout etc. after reading manual pages



LaunchAgents are basically the same as LaunchDaemons, except that:

  • LaunchAgents run only after the user logs in; the process runs under the logged-in user's UID (user ID) with that user's privileges, and it can interact with the logged-in user via the GUI.

  • LaunchDaemons run at boot time, before the GUI is up (below the progress bar on the startup screen). They run as root, need no logged-in user, and run purely in the background (like Windows system services or Linux rc.d daemons); they cannot interact with any user via the GUI. [This is basically for system services, but you can have your own service.] (Personally I have a LaunchDaemon that downloads and updates my /etc/hosts file to block some malicious URLs; it's a bash script I created as a service.)

/Library/LaunchAgents/ – (for ALL users) [loaded when any user logs in]

~/Library/LaunchAgents/ – (for a SPECIFIC user) [loaded after he/she logs in]


To load means "run the service": you load it into memory. But it may not actually run at load time; for example, the plist may specify a timer so that it runs every X hours.

For example:
I create my custom daemon /Library/LaunchDaemons/local.updateHosts.plist

I want to load it:

sudo launchctl load /Library/LaunchDaemons/local.updateHosts.plist

** 'load' must point to /path/to/file.plist **

** You may need to kickstart it after loading; that way it will run, complete, and wait for the next execution time (if it is a timed service like mine). **

Since it's on LaunchDaemon, it's a system service.
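Here is an added example (not code from the original answer) that builds a timed LaunchDaemon plist like the updateHosts one described above and runs the checks launchd applies before it accepts a daemon plist: the file must be owned by root and must not be writable by group or others, otherwise loading fails with "Path had bad ownership/permissions". The label local.updateHosts is the one from the answer; the script path /usr/local/sbin/update-hosts.sh and the 6-hour (21600 s) interval are assumptions, and the owner check takes the expected owner as a parameter so the script can be exercised without root.

```shell
#!/bin/sh
# Added example, not the original answer's code: generate a timed
# LaunchDaemon plist and pre-flight it the way launchd does.
# Assumed values: script path /usr/local/sbin/update-hosts.sh, 21600 s interval.

# Emit a LaunchDaemon plist that runs SCRIPT via /bin/sh at load time
# and then every INTERVAL seconds (StartInterval).
make_daemon_plist() { # label script interval
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>$1</string>
    <key>ProgramArguments</key>
    <array>
        <string>/bin/sh</string>
        <string>$2</string>
    </array>
    <key>RunAtLoad</key>
    <true/>
    <key>StartInterval</key>
    <integer>$3</integer>
</dict>
</plist>
EOF
}

# Extract the Label: the name used after system/ in service targets.
plist_label() { # file
  awk '/<key>Label<\/key>/ { want = 1; next }
       want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }' "$1"
}

# launchd refuses a daemon plist that group or others can write
# ("Path had bad ownership/permissions"). Mode string via ls so this
# works on both macOS and Linux: char 6 = group w, char 9 = other w.
not_group_world_writable() { # file
  mode=$(ls -ld "$1" | cut -c1-10)
  case "$mode" in
    ?????w????|????????w?) return 1 ;;
    *) return 0 ;;
  esac
}

# A daemon plist must also be owned by root; the expected owner is a
# parameter so the check can be exercised as an ordinary user.
owned_by() { # file user
  [ "$(ls -ld "$1" | awk '{ print $3 }')" = "$2" ]
}

# Full pre-flight: Label present, owned by the expected user, not
# group/world writable. Prints the first failing reason to stderr.
daemon_plist_ok() { # file expected_owner
  [ -n "$(plist_label "$1")" ] || { echo "$1: no Label" >&2; return 1; }
  owned_by "$1" "$2" || { echo "$1: not owned by $2" >&2; return 1; }
  not_group_world_writable "$1" || { echo "$1: group/world writable" >&2; return 1; }
}

# Stand-alone demo: write the plist to a temp file and pre-flight it
# against the current user (on a real Mac: root, in /Library/LaunchDaemons).
demo_file=$(mktemp)
make_daemon_plist local.updateHosts /usr/local/sbin/update-hosts.sh 21600 > "$demo_file"
chmod 644 "$demo_file"
echo "label: $(plist_label "$demo_file")"
daemon_plist_ok "$demo_file" "$(id -un)" && echo "pre-flight ok"
rm -f "$demo_file"
```

On a real Mac the generated file would be copied into /Library/LaunchDaemons, given root ownership and mode 644 (`sudo chown root:wheel` and `sudo chmod 644`), and then loaded with the `sudo launchctl load /path/to/file.plist` command shown above; the pre-flight reproduces exactly the two reasons launchd gives for refusing such a file.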

[A brief pause here about launchctl]

To continue, we need to understand the MacOS process execution architecture:

MacOS bootstrap domains, sessions and namespaces

In addition to BSD process contexts [UID], MacOS has Mach bootstrap process relationships, called namespaces.

A namespace is like a "place" or grouping in which different processes run.

The bootstrap namespaces are arranged hierarchically. There is a global System namespace; below it a per-user namespace (non-GUI); and below that a per-session GUI namespace [created by the WindowServer when the user logs in via the GUI].

Hierarchically, each lower level can access all the services of the namespaces above it (its parents' service processes).

----
System_Namespace
  Per-User_Namespace
    Per-Session_Namespace (GUI WindowServer)
----

Technically, the GUI user session is the per-session namespace, called the 'Aqua' session in Apple's API documents.

The hierarchy above shows the system domain, the user domain, and the session domain (belonging to the user; each user has their own).

An expanded view with 2 logged-in users is below:

```
// System_Namespace [System]
// |
// ------ PerUSER_Namespace [Background] [user 501]
// |      |
// |      ----- PerSESSION_Namespace [Aqua] (MacOS GUI WindowServer) [user 501]
// |
// |
// ------ PerUSER_Namespace [Background] [user 502]
//        |
//        ----- PerSESSION_Namespace [Aqua] (MacOS GUI WindowServer) [user 502]
// ----
```

This is the root of the MacOS security architecture, called the Mach layer, which works in conjunction with the BSD layer (which handles user file permissions and the other Linux/BSD/Unix permissions).

MacOS has two distinct security mechanisms, integrated and working together: Unix + Mach.


Continuing with launchd: when creating a daemon/service you have to choose where to run it, which domain and which context.

Let's first print the system domain services; this will show all launch daemons, loaded or not, enabled or disabled:

sudo launchctl print system/

Now we can print the user domain services (assuming user ID 501; you can find other users' ID numbers with the command: id username):

sudo launchctl print user/501

Note: Catalina also accepts the syntax: sudo launchctl print user/admin <- username

You can also ask for a PID and check under which domain and namespace it runs:

sudo launchctl print pid/784 (assuming 784 is the PID of Finder, for example)

```
$ sudo launchctl print pid/758
com.apple.xpc.launchd.domain.pid.Finder.758 = {
type = process
handle = 758
active number = 91
number on request = 1
service count = 90
number of active services = 2
activity ratio = 0.02
originator = /System/Library/CoreServices/Finder.app
creator = Finder.758
creator euid = 503
uniquid = 758
external activation counts = 0
security context = {
uid = 503
asid = 100008
}

retrieval time = 20 ms
port of death = 0x52a63

ongoing bootstraps = 0
pending requests = 0
pending requests = {
}
subdomains = {
}
pending attachment = {
}

task-specific ports = {
0x3fc73 4 bootstrap com.apple.xpc.launchd.user.domain.503.100008.Aqua
0x15f03 9 access com.apple.taskgated
}
```

Under the security context we have:

com.apple.xpc.launchd.domain.pid.Finder.758
com.apple.xpc.launchd.user.domain.503.100008.Aqua

That is:

  • Finder, having PID 758,
  • created by launchd,
  • under the user domain,
  • for user 503,
  • running in a GUI (Aqua) session with session ID 100008 (the asid).

Now you can select and control the domains, namespaces and users for your daemon.
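The reading just done by eye (which uid, which session, which bootstrap domain a PID landed in) is easy to script, which is handy when checking that a process really runs in the session it should. The following is an added example, not part of the original answer: SAMPLE is a trimmed copy of the Finder output shown above, and the functions pull the fields out of it with awk.

```shell
#!/bin/sh
# Added example (not from the original answer): script the reading of
# `launchctl print pid/<pid>` output that the text does by eye. SAMPLE is
# a trimmed copy of the Finder output shown above (pid 758, uid 503).

SAMPLE='com.apple.xpc.launchd.domain.pid.Finder.758 = {
    type = process
    handle = 758
    originator = /System/Library/CoreServices/Finder.app
    creator = Finder.758
    creator euid = 503
    security context = {
        uid = 503
        asid = 100008
    }
    task-specific ports = {
        0x3fc73 4 bootstrap com.apple.xpc.launchd.user.domain.503.100008.Aqua
        0x15f03 9 access com.apple.taskgated
    }
}'

# Value of "key = value" at any nesting depth (first exact key match);
# leading indentation is stripped before comparing the key.
launchd_field() { # key text
  printf '%s\n' "$2" | awk -v k="$1" -F' = ' '
    { sub(/^[ \t]+/, "", $1) }
    $1 == k { print $2; exit }'
}

# Name of the bootstrap domain the process was attached to: the row of
# the ports table whose third column is "bootstrap".
launchd_bootstrap_domain() { # text
  printf '%s\n' "$1" | awk '$3 == "bootstrap" { print $4; exit }'
}

# Summarise as "uid asid kind", where kind is the last component of the
# domain name (Aqua for the per-session GUI domain in the sample).
launchd_summary() { # text
  uid=$(launchd_field uid "$1")
  asid=$(launchd_field asid "$1")
  dom=$(launchd_bootstrap_domain "$1")
  printf '%s %s %s\n' "$uid" "$asid" "${dom##*.}"
}

# Stand-alone demo; on a real Mac use: launchd_summary "$(sudo launchctl print pid/758)"
echo "pid $(launchd_field handle "$SAMPLE") -> $(launchd_summary "$SAMPLE")"
```

A process that should only ever run in the background but whose bootstrap port points at an Aqua domain (or the reverse) is exactly the kind of mismatch this summary makes visible at a glance.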

bootout means stopping a running service, for example:

sudo launchctl bootout system/com.apple.netbiosd

This stops the netbios daemon.

Let's go back to the service we created with this command:

sudo launchctl load /Library/LaunchDaemons/local.updateHosts.plist

'load' is the only parameter to which you pass the entire path to the .plist file; all the other launchctl commands work by reference from the domain hierarchy!

So to print our service it is: sudo launchctl print system/local.updateHosts
You are not using the .plist extension, and the reference is system/process.name

The process name is what you define inside the .plist file under the key Label:

```xml
<key>Label</key>
<string>local.updateHosts</string>
<key>ProgramArguments</key>
```

The bootstrap parameter forces you to choose which domain or namespace you want your service to run in when loading it, for example:

sudo launchctl bootstrap user/503 /Library/LaunchDaemons/local.updateHosts.plist

/Library/LaunchDaemons/local.updateHosts.plist: The service cannot be loaded in the requested session

The command returned an error because the .plist only allows my service to run as a system service; otherwise it would have been started for user 503.

bootstrap lets you launch any service or XPC service bundle under other domains/namespaces. Basically, you select a service AND a target for it to run in.

Additional syntax:

sudo launchctl start system/local.updateHosts

sudo launchctl stop system/local.updateHosts

sudo launchctl unload system/local.updateHosts

sudo launchctl kickstart system/local.updateHosts


To go extremely deep on this topic, I suggest this excellent documentation from Apple; it is very technical and very detailed:

https://developer.apple.com/library/archive/documentation/Darwin/Conceptual/KernelProgramming/contexts/contexts.html#//apple_ref/doc/uid/TP30000905-CH212-BEHJDFCA

