XprotectService hangs on to a file on my disk image and won’t let it unmount (10.13)

Number: rdar://32791689
Date Originated: 2017-06-15
Status: Duplicate/31180841 (Closed)
Resolved: 2017-09-06
Product: macOS + SDK
Product Version: 10.13db1 17A264c
Classification: Serious Bug
Reproducible: Always

In 10.13db1 17A264c:

When attempting to run a quarantined Google Chrome from its disk image downloaded from the web, XprotectService opens the main executable and holds on to it. XprotectService maintains this open file descriptor, preventing the disk image from being unmounted cleanly. This open file descriptor persists even after Chrome is quit. In fact, it’s not necessary to even allow Chrome to ever launch. Once you attempt to launch the quarantined app, it’s verified, and you’ll be asked if you want to launch it or not. You can cancel at this point without ever running Chrome, and XprotectService will have opened a file descriptor that it won’t close.

Steps to Reproduce:
1. Download Google Chrome from https://www.google.com/chrome/browser/desktop/. This will give you a quarantined “googlechrome.dmg”.
2. Double-click googlechrome.dmg to mount it. After verification, this will result in a volume named “Google Chrome” being mounted.
3. In the newly mounted volume, double-click the Google Chrome app icon.
4. After verification, you’ll be asked if you want to launch the quarantined app. You can click “Cancel”. (You can also click “Open”. It doesn’t matter at this point. You never need to actually run Chrome to experience this bug, you just need to get to this dialog box.)
5. Try to unmount (eject) the Google Chrome volume.

Expected Results:
The volume should unmount cleanly.

Observed Results:
A dialog box appears saying:

The disk “Google Chrome” wasn’t ejected because one or more programs may be using it.
To eject the disk immediately, click the Force Eject button.
[Cancel] [[Force Eject…]]

You can see that XprotectService is responsible:

$ fuser -c /Volumes/Google\ Chrome
/Volumes/Google Chrome: 493
$ ps -fp 493
  UID   PID  PPID   C STIME   TTY           TIME CMD
  501   493     1   0  3:12PM ??         0:00.16 /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
$ lsof -p 493
XprotectS 493 litterbox  cwd    DIR    1,2       1190      2 /
XprotectS 493 litterbox  txt    REG    1,2      93824 381018 /System/Library/PrivateFrameworks/XprotectFramework.framework/Versions/A/XPCServices/XprotectService.xpc/Contents/MacOS/XprotectService
XprotectS 493 litterbox  txt    REG    1,2      32768 519150 /private/var/db/mds/messages/501/se_SecurityMessages
XprotectS 493 litterbox  txt    REG    1,2     376752 265514 /System/Library/Frameworks/Security.framework/Versions/A/PlugIns/csparser.bundle/Contents/MacOS/csparser
XprotectS 493 litterbox  txt    REG    1,2   26687888 408037 /usr/share/icu/icudt59l.dat
XprotectS 493 litterbox  txt    REG    1,2     800944 402252 /usr/lib/dyld
XprotectS 493 litterbox  txt    REG    1,2 1128288256 499144 /private/var/db/dyld/dyld_shared_cache_x86_64
XprotectS 493 litterbox    0r   CHR    3,2        0t0    299 /dev/null
XprotectS 493 litterbox    1u   CHR    3,2        0t0    299 /dev/null
XprotectS 493 litterbox    2u   CHR    3,2        0t0    299 /dev/null
XprotectS 493 litterbox    4r   REG    1,2   63376898 519815 /Users/litterbox/Downloads/googlechrome.dmg
XprotectS 493 litterbox    5r   REG    1,6      19088     35 /Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome
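
The same check as the fuser/lsof session above, as an added example that is not part of the original report: it parses lsof's machine-readable `-F pcfn` output, so a volume name containing spaces ("Google Chrome") and a sibling volume sharing the same name prefix are both handled correctly. The function names and the sample data are assumptions; the sample is constructed from the listing above, plus an invented second process (PID 612) to exercise the prefix check.

```shell
#!/bin/sh
# Added example: report which processes hold files open beneath a mount point.

# holders_under MOUNTPOINT   (reads `lsof -F pcfn` output on stdin)
# Prints one tab-separated line per matching open file: PID, COMMAND, FD, PATH.
holders_under() {
    awk -v mp="$1" '
        BEGIN { sub(/\/+$/, "", mp); OFS = "\t" }   # tolerate a trailing slash
        {
            tag = substr($0, 1, 1)   # lsof -F prefixes each field with one letter
            val = substr($0, 2)      # remainder of the line, spaces preserved
        }
        tag == "p" { pid = val; cmd = ""; next }    # a new process set starts
        tag == "c" { cmd = val; next }
        tag == "f" { fd = val; next }
        tag == "n" {
            # Match the mount point itself or paths strictly beneath it, so
            # "/Volumes/Google Chrome Backup" does not match "/Volumes/Google Chrome".
            if (val == mp || index(val, mp "/") == 1)
                print pid, cmd, fd, val
        }
    '
}

# Constructed sample in `lsof -F pcfn` form (not captured from a real system).
sample_lsof_fields() {
    cat <<'EOF'
p493
cXprotectS
fcwd
n/
f4
n/Users/litterbox/Downloads/googlechrome.dmg
f5
n/Volumes/Google Chrome/Google Chrome.app/Contents/MacOS/Google Chrome
p612
cFinder
f12
n/Volumes/Google Chrome Backup/notes.txt
EOF
}

# Demo on the constructed sample. On a live system, feed real data instead:
#   lsof -F pcfn | holders_under "/Volumes/Google Chrome"
sample_lsof_fields | holders_under "/Volumes/Google Chrome"
```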


2017-09-06 19:29 UTC from Apple

The original report on your issue has been closed recently. Please note that you will not be able to directly view the original report in order to keep its information confidential.

If you have further questions about this issue, please update your report using the Apple Bug Reporter.

2017-06-22 07:23 UTC from Apple

Engineering has determined that your bug report is a duplicate of another issue and will be closed.

The open or closed status of the original report your bug was duplicated to appears in a text box within the bug detail section of the bug reporter user interface. For security and privacy reasons, we don't provide access to the original bug yours was duped to.

If you have any questions or concerns, please update your report directly at this link: https://bugreport.apple.com/.
