
⚙️ System extension

What is a system extension?

System extensions are user-space replacements for legacy Kernel Extensions (KEXTs). Because they access sensitive system information, developers must request a special entitlement from Apple to work with these APIs. From the user's perspective a system extension looks like an ordinary macOS application, but under the hood the app bundle embeds an "extension" binary, which can only be loaded after manual user approval. The macOS GUI application is a wrapper around the extension that handles user interaction and the approval flow. The only way to avoid manual approval is to pre-approve the extension through MDM.

logga is an Endpoint Security system extension. Endpoint Security is Apple's system-event monitoring API: an extension subscribes to the event types it is interested in and reacts to them as they occur.

How to check if a system extension is loaded?

The example below shows the lifecycle of a system extension; each row of the listing corresponds to one of the three states.

  1. First the extension is active (loaded) but not yet approved by the user.
  2. After the user approves the extension, it becomes enabled. Only in this state does the extension fully operate.
  3. When the user unloads the extension, it goes into a terminated state. It disappears from the list after a reboot.
```bash
$ systemextensionsctl list
3 extension(s)
--- com.apple.system_extension.endpoint_security
enabled	active	teamID	bundleID (version)	name	[state]
	*	TU5C5A99Z3	com.logga.client.extension (1.0/1)	Extension	[activated waiting for user]
*	*	TU5C5A99Z3	com.logga.client.extension (1.0/1)	Extension	[activated enabled]
		TU5C5A99Z3	com.logga.client.extension (1.0/1)	Extension	[terminated waiting to uninstall on reboot]
```
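Reading the listing by eye is fine interactively, but a fleet-health script needs the same answer as a single word. The script below is an added example, not part of logga's own tooling: it parses `systemextensionsctl list` output and reduces the entries for a bundle ID to one of `enabled`, `pending`, `terminated` or `missing`. The bundle ID `com.logga.client.extension` is taken from the listing above; the embedded sample listing is constructed from that same output so the parser can be exercised on a machine without `systemextensionsctl`.

```shell
#!/bin/sh
# Added example (not logga's own code): classify the load state of a
# system extension from `systemextensionsctl list` output.

# Bundle ID of the logga extension, as shown in the listing above.
LOGGA_EXT="com.logga.client.extension"

# Read a systemextensionsctl listing on stdin and print the bracketed
# [state] of every entry for BUNDLE_ID, one per line. Several entries can
# coexist (e.g. a terminated copy waiting for reboot next to a new one).
# Prints nothing if the extension is not listed at all.
ext_states() {
    bundle_id="$1"
    # fixed-string match on the bundle ID, then keep only the trailing [state]
    grep -F -- "$bundle_id" | sed -n 's/.*\[\(.*\)\]$/\1/p'
}

# Collapse the state lines into one verdict:
#   enabled    - an "activated enabled" entry exists (fully operating)
#   pending    - loaded but still "waiting for user" approval
#   terminated - only entries waiting to uninstall on reboot remain
#   missing    - no entry for the bundle ID
ext_verdict() {
    states=$(ext_states "$1")
    if [ -z "$states" ]; then
        echo missing
    elif printf '%s\n' "$states" | grep -q '^activated enabled$'; then
        echo enabled
    elif printf '%s\n' "$states" | grep -q 'waiting for user'; then
        echo pending
    else
        echo terminated
    fi
}

# Constructed sample: the three lifecycle rows from the listing above,
# tab-separated exactly as systemextensionsctl prints them.
sample_listing() {
    printf '3 extension(s)\n'
    printf -- '--- com.apple.system_extension.endpoint_security\n'
    printf 'enabled\tactive\tteamID\tbundleID (version)\tname\t[state]\n'
    printf '\t*\tTU5C5A99Z3\t%s (1.0/1)\tExtension\t[activated waiting for user]\n' "$LOGGA_EXT"
    printf '*\t*\tTU5C5A99Z3\t%s (1.0/1)\tExtension\t[activated enabled]\n' "$LOGGA_EXT"
    printf '\t\tTU5C5A99Z3\t%s (1.0/1)\tExtension\t[terminated waiting to uninstall on reboot]\n' "$LOGGA_EXT"
}

# Live check on macOS; elsewhere, run the parser over the constructed sample.
if command -v systemextensionsctl >/dev/null 2>&1; then
    systemextensionsctl list | ext_verdict "$LOGGA_EXT"
else
    sample_listing | ext_verdict "$LOGGA_EXT"
fi
```

The verdict order matters: an `activated enabled` row wins over a stale `terminated` row for the same bundle ID, so a machine that has just upgraded the extension and not yet rebooted still reports `enabled`.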

When active, logga writes logs to the following paths by default:

```bash
# Audit logs
/Library/Application\ Support/Logga/audit.log

# Access logs
/Library/Application\ Support/Logga/access.log

# Unified logs
/Library/Application\ Support/Logga/unified.log

# Archive, if compression is enabled
/Library/Application\ Support/Logga/audit.<hostname>.local_<unix_t>.archive

# Error logs (logga errors for debugging)
/Library/Application\ Support/Logga/error.log
```