@saagarjha
Last active October 11, 2023 03:41
Endpoint Security client that sends SIGSTOP to newly spawned processes
// To compile: clang stop_at_entry.c -lbsm -lEndpointSecurity -o stop_at_entry,
// then codesign with com.apple.developer.endpoint-security.client and run the
// program as root.
#include <EndpointSecurity/EndpointSecurity.h>
#include <assert.h>
#include <bsm/libbsm.h>
#include <dispatch/dispatch.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
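/*
 * Entry point.
 *
 * Subscribes to ES_EVENT_TYPE_AUTH_EXEC and, for every exec whose target
 * executable path contains argv[1] as a substring, sends SIGSTOP to the
 * exec'ing process and then allows the exec to proceed. The stop is
 * delivered as the new image starts, which is what lets a debugger attach
 * "at entry".
 *
 * Returns EXIT_FAILURE on a usage error or when the Endpoint Security client
 * cannot be created or subscribed. On success it never returns: control is
 * handed to dispatch_main(), and events are handled on the client's queue.
 *
 * Note: the original version wrapped es_new_client() and es_subscribe() in
 * assert(); under NDEBUG those calls would have been compiled out entirely,
 * so the results are now checked explicitly.
 */
int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "Usage: %s <partial process name>\n", *argv);
        return EXIT_FAILURE;
    }
    /* Points into argv, which outlives the client and its handler block. */
    const char *process = argv[1];

    es_client_t *client = NULL;
    /* The block parameter is named `c` so it does not shadow `client`. */
    es_new_client_result_t new_client_result = es_new_client(&client, ^(es_client_t *c, const es_message_t *message) {
        switch (message->event_type) {
        case ES_EVENT_TYPE_AUTH_EXEC: {
            const char *name = message->event.exec.target->executable->path.data;
            /* Substring match is intentional: the argument is a *partial* name. */
            if (name != NULL && strstr(name, process) != NULL) {
                pid_t pid = audit_token_to_pid(message->process->audit_token);
                printf("Sending stop signal to %d (%s)\n", pid, name);
                /* The signal stays pending across the exec we are about to allow. */
                if (kill(pid, SIGSTOP) != 0) {
                    perror("kill");
                }
            }
            /*
             * Every AUTH event must be answered, otherwise the exec stalls until
             * Endpoint Security times the client out. This handler is kept short
             * for the same reason.
             */
            if (es_respond_auth_result(c, message, ES_AUTH_RESULT_ALLOW, false) != ES_RESPOND_RESULT_SUCCESS) {
                fprintf(stderr, "es_respond_auth_result failed\n");
            }
            break;
        }
        default:
            /*
             * Only AUTH_EXEC is subscribed below, so this is unreachable in
             * practice. Log rather than abort: a monitoring client should not
             * crash on an unexpected message.
             */
            fprintf(stderr, "Unexpected event type %d\n", (int)message->event_type);
            break;
        }
    });
    if (new_client_result != ES_NEW_CLIENT_RESULT_SUCCESS) {
        /* Typical causes: missing entitlement, not running as root, TCC denial. */
        fprintf(stderr, "es_new_client failed: %d\n", (int)new_client_result);
        return EXIT_FAILURE;
    }

    es_event_type_t events[] = {ES_EVENT_TYPE_AUTH_EXEC};
    if (es_subscribe(client, events, sizeof(events) / sizeof(*events)) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        es_delete_client(client);
        return EXIT_FAILURE;
    }

    /* Never returns; events are delivered to the block above. */
    dispatch_main();
}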