XprotectService hangs on to a file on my disk image and won’t let it unmount (10.13)
Originator: mark
Number: rdar://32791689
Date Originated: 2017-06-15
Status: Duplicate/31180841 (Closed)
Resolved: 2017-09-06
Product: macOS + SDK
Product Version: 10.13db1 17A264c
Classification: Serious Bug
Reproducible: Always
In 10.13db1 17A264c: When attempting to run a quarantined Google Chrome from its disk image downloaded from the web, XprotectService opens the main executable and holds on to it. XprotectService maintains this open file descriptor, preventing the disk image from being unmounted cleanly. This open file descriptor persists even after Chrome is quit.

In fact, it’s not necessary to even allow Chrome to ever launch. Once you attempt to launch the quarantined app, it’s verified, and you’ll be asked if you want to launch it or not. You can cancel at this point without ever running Chrome, and XprotectService will have opened a file descriptor that it won’t close.

Steps to Reproduce:

1. Download Google Chrome from https://www.google.com/chrome/browser/desktop/. This will give you a quarantined “googlechrome.dmg”.
2. Double-click googlechrome.dmg to mount it. After verification, this will result in a volume named “Google Chrome” being mounted.
3. In the newly mounted volume, double-click the Google Chrome app icon.
4. After verification, you’ll be asked if you want to launch the quarantined app. You can click “Cancel”. (You can also click “Open”. It doesn’t matter at this point. You never need to actually run Chrome to experience this bug, you just need to get to this dialog box.)
5. Try to unmount (eject) the Google Chrome volume.

Expected Results:

The volume should unmount cleanly.

Observed Results:

A dialog box appears saying:

    The disk “Google Chrome” wasn’t ejected because one or more programs may be using it.
    To eject the disk immediately, click the Force Eject button.
    [Cancel] [[Force Eject…]]

You can see that XprotectService is responsible:

    $ fuser -c /Volumes/Google\ Chrome
    /Volumes/Google Chrome: 493
    $ ps -fp 493
      UID   PID  PPID   C STIME   TTY           TIME CMD
      501   493     1   0  3:12PM ??         0:00.16 /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
    $ lsof -p 493
    COMMAND   PID USER      FD  TYPE DEVICE   SIZE/OFF   NODE NAME
    XprotectS 493 litterbox cwd DIR  1,2          1190      2 /
    XprotectS 493 litterbox txt REG  1,2         93824 381018 /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
    XprotectS 493 litterbox txt REG  1,2         32768 519150 /private/var/db/mds/messages/501/se_SecurityMessages
    XprotectS 493 litterbox txt REG  1,2        376752 265514 /System/Library/Frameworks/Security.framework/Versions/A/PlugIns/csparser.bundle/Contents/MacOS/csparser
    XprotectS 493 litterbox txt REG  1,2      26687888 408037 /usr/share/icu/icudt59l.dat
    XprotectS 493 litterbox txt REG  1,2        800944 402252 /usr/lib/dyld
    XprotectS 493 litterbox txt REG  1,2    1128288256 499144 /private/var/db/dyld/dyld_shared_cache_x86_64
    XprotectS 493 litterbox 0r  CHR  3,2           0t0    299 /dev/null
    XprotectS 493 litterbox 1u  CHR  3,2           0t0    299 /dev/null
    XprotectS 493 litterbox 2u  CHR  3,2           0t0    299 /dev/null
    XprotectS 493 litterbox 4r  REG  1,2      63376898 519815 /Users/litterbox/Downloads/googlechrome.dmg
    XprotectS 493 litterbox 5r  REG  1,6         19088     35 /Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome
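The columnar `lsof` listing in the report is awkward to filter by script because the paths contain spaces. As an added example (not part of the original report), this shell function reads `lsof -F pcfn` field output and lists the descriptors held under a mount point; the sample input is constructed, and its PID 612 / Finder entry is hypothetical, included to show that a sibling volume name sharing the prefix is not matched.

```shell
#!/bin/sh
# holders_under MOUNTPOINT
# Reads `lsof -F pcfn` output on stdin (one field per line: p=pid,
# c=command, f=descriptor, n=name) and prints
#   pid<TAB>command<TAB>fd<TAB>path
# for each open file at or below MOUNTPOINT.
holders_under() {
    MNT="$1" awk '
        BEGIN { mnt = ENVIRON["MNT"] }
        { tag = substr($0, 1, 1); val = substr($0, 2) }
        tag == "p" { pid = val; cmd = "" }   # a new process set starts
        tag == "c" { cmd = val }
        tag == "f" { fd = val }
        # Require an exact match or a "/" after the mount point, so that
        # "/Volumes/Google Chrome Beta" is not counted as "/Volumes/Google Chrome".
        tag == "n" && (val == mnt || index(val, mnt "/") == 1) {
            printf "%s\t%s\t%s\t%s\n", pid, cmd, fd, val
        }
    '
}

# Constructed sample in `lsof -F pcfn` format. PID 493 mirrors the report;
# PID 612 and its path are hypothetical.
sample_lsof_output() {
    cat <<'EOF'
p493
cXprotectService
fcwd
n/
f4
n/Users/litterbox/Downloads/googlechrome.dmg
f5
n/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome
p612
cFinder
f9
n/Volumes/Google Chrome Beta/readme.txt
EOF
}

# Live use on the affected machine would be:
#   lsof -F pcfn | holders_under "/Volumes/Google Chrome"
sample_lsof_output | holders_under "/Volumes/Google Chrome"
```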
Comments
2017-09-06 19:29 UTC from Apple
The original report on your issue has been closed recently. Please note that you will not be able to directly view the original report in order to keep its information confidential.
If you have further questions about this issue, please update your report using the Apple Bug Reporter.
2017-06-22 07:23 UTC from Apple
Engineering has determined that your bug report is a duplicate of another issue and will be closed.
The open or closed status of the original report your bug was duplicated to appears in a text box within the bug detail section of the bug reporter user interface. For security and privacy reasons, we don't provide access to the original bug yours was duped to.
If you have any questions or concerns, please update your report directly at this link: https://bugreport.apple.com/.