System Extensions

Install and manage user space code that extends the capabilities of macOS using System Extensions.

Posts under System Extensions tag

On Sonoma 14.5, after upgrading CMIO CameraExtension, daemon is not running
I made a CameraExtension and installed it via OSSystemExtensionRequest. I got the success callback. I uninstalled the old version of my CameraExtension and installed the new version of my CameraExtension. The "systemextensionsctl list" command shows "[activated enabled]" for my new version. But no daemon process for my CameraExtension is running. I need to reboot the OS to start the daemon process. This issue is new in macOS Sonoma 14.5. I did not see this issue on 14.4.x.
sysext crashed while sending lots of log to host app
Hi all. I subscribe to the notify write event; every time I receive a notify write event message I send log data and a reply block (which does nothing) with an async method to the host app (Obj-C XPC API). The host app replies immediately once it receives the data. After a while my sysext crashed, and when I checked the system log I found the line below.

    launchd: exited with exit reason (namespace: 30 code: 0xc40000000004aaaa) - (unknown reason)

Is it because of exceeding the maximum limit of XPC's block queue length, or too many memory allocations, or...? By the way, the host app didn't crash. How exactly did this happen? How could I solve it?
How to use camera extension with external app
Hi, I'm new to coding for macOS but I'm building a Godot app that I wish to be able to create a virtual camera on macOS via a button click. I plan to use the GDExtension feature to interface with code for macOS to do this. I was looking into what would be involved and came across the Camera Extension that can be bundled with macOS apps to create a virtual camera. Is it possible to bundle this extension with a library or framework that I can then interact with using C++ in a GDExtension (an external app)? I realise the extensions can only be registered from within the Applications folder, so the assumption is that the Godot app would be installed there.
Image resources do not load in Mail application when System Extension is Installed
When our NETransparentProxyProvider system extension is installed on the system, it seems that external images in emails do not load in the Mail application. The extension does not have to be running to experience this issue. When we uninstall the extension, these same images load in the Mail application. Another way to get the images to load seems to be to disable "Hide IP address" under Settings > Privacy. We can see this issue on the latest macOS 14.5. I have filed FB13805670 for this issue. Please advise if this is a known issue or if there is a solution.
Auto-enable of Content Filter on macOS (after pushing required MDM payloads)
Hi all, I'm working on a small PoC to get Content Filtering (FilterDataProvider) working on macOS without any user interaction. So far, I've pushed two payloads to my machine using user-approved MDM enrollment. The application containing the network extension is present in /Applications. The installation of the profiles both succeed and I can see a Content Filter is created in the Network section of System Settings. Even the status says "Enabled", but the dot remains orange. Inspecting the system logs (specifically, filtering on process:neagent) shows me the following error:

    Failed to find a extension inside of app

Only when I submit an activation request using OSSystemExtensionRequest.activationRequest does the network extension start (without prompts, as expected) and everything works. Is this expected behaviour? Do I need to submit an activation request through code regardless of the fact that MDM pre-approved the System Extension prompts and created the Content Filter in System Settings?
the problem of high CPU usage of network extension (filter-data)
OS Version: macOS 13.6.3 (22G436)
Code Type: ARM64

We recently observed that the system extension process based on NetworkExtension (data-filter firewall) has been 99% busy for a period of time. We tried to deauthorize the data-filter so that the firewall stops working and the NEFilterDataProvider object is released. However, the system extension process CPU usage stays at 99%. Then I used Instruments (CPU Counters) to observe that a thread (thread id: 0x2abf9b) has been busy, but no useful backtrace information was captured. Through the sample command, I caught the backtrace and found that the busy thread (thread id: 2801563 == 0x2abf9b) is in this state:

    35 Thread_1336407 DispatchQueue_442: NEFilterExtensionProviderContext queue (serial)
    + 35 start_wqthread (in libsystem_pthread.dylib) + 8 [0x1a1afad94]
    + 35 _pthread_wqthread (in libsystem_pthread.dylib) + 288 [0x1a1afc074]
    + 35 _dispatch_workloop_worker_thread (in libdispatch.dylib) + 648 [0x1a1963244]
    + 35 _dispatch_lane_invoke (in libdispatch.dylib) + 384 [0x1a19585f8]
    + 35 _dispatch_lane_serial_drain (in libdispatch.dylib) + 372 [0x1a1957960]
    + 35 _dispatch_source_invoke (in libdispatch.dylib) + 1176 [0x1a1966ce0]
    + 35 _dispatch_source_cancel_callout (in libdispatch.dylib) + 204 [0x1a1967890]
    + 35 _dispatch_continuation_pop (in libdispatch.dylib) + 504 [0x1a1953884]
    + 35 _dispatch_client_callout (in libdispatch.dylib) + 20 [0x1a1950400]
    + 35 _dispatch_call_block_and_release (in libdispatch.dylib) + 32 [0x1a194e874]
    + 35 __75-[NEFilterDataExtensionProviderContext setupSocketSourceWithControlSocket:]_block_invoke (in NetworkExtension) + 112 [0x1b1e0dd74]
    + 35 close (in libsystem_kernel.dylib) + 8 [0x1a1ac0ac0]

Note: the screenshot and the text backtrace are from different machines, but the problem is the same. This seems to be a newly introduced bug in the network extension? This problem did not occur for a long time between 10.15 and 10.12.
Mac shutdown is calling PacketTunnelProvider::stopTunnelWithReason
macOS Version: 14.3 (23D56)

In my testing of PacketTunnelProvider on macOS I have observed that when I do a system shutdown or reboot, PacketTunnelProvider::stopTunnelWithReason() is called with reason NEProviderStopReasonUserInitiated. Note: when I try to disconnect the VPN from System Settings, PacketTunnelProvider::stopTunnelWithReason() is called with the same reason, NEProviderStopReasonUserInitiated. I am facing an issue here identifying what caused PacketTunnelProvider::stopTunnelWithReason(): a system shutdown or a user action?
Track socket listen events for an endpoint security product
Hello! I'm trying to capture socket state changes for an endpoint security product and have tried the Endpoint Security APIs as well as a Network Extension, but there doesn't seem to be a way to detect listening sockets in real time. I've so far been able to capture all process, file and network flow/packet information in real time, but I'm also interested in getting an event when a server socket is opened to listen for incoming connections. Is there a way to do this? If yes, can someone please point me to the documentation or any other information on how to go about it? Thanks!
PKG Installer postinstall script not executing in Sonoma
Hi, we have an app that has been in development since Catalina, and ever since Sonoma came out we noticed that when executing our pkg installer the application is installed correctly but the postinstall script is not executed. The weird thing is that if I run the pkg for the first time the postinstall does not execute, BUT if I run it again then it DOES!! Looking through the logs I found these, which confirm that the execution of the script is being blocked. We haven't changed anything in the way we build the installer, so I'm not quite sure how to fix this.

    2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [] Unable (errno: 2) to read file at <private> for pid: 784 process path: <private> library path: (null)
    2024-04-25 16:29:51.570662-0300 0x1c62 Error 0x0 308 0 syspolicyd: [] Terminating process due to Malware rejection: 784, <private>
    2024-04-25 16:29:51.570679-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Sleep interrupted, signal 0x100
    2024-04-25 16:29:51.570682-0300 0x1d13 Default 0x0 0 0 kernel: (AppleSystemPolicy) ASP: Security policy would not allow process: 784, /private/tmp/PKInstallSandbox.m5Av3O/Scripts/com.mycompany.myapp.pkg.BSOjtt/postinstall

The app as well as the installer are both signed, notarized and stapled. Here you can see the script, which simply launches the app.

    #!/bin/bash
    echo "Running postinstall"
    /Applications/ --load-system-extension &
    exit 0

Any help would be much appreciated. Thanks!
Installation fails when postinstall in mpkg installs a pkg
I have an installation workflow that works by a user double-clicking on the mpkg and going through the prompts to install some software. Within the postinstall of the mpkg, /usr/sbin/installer -pkg "path_to_pkg" -target / is run to install additional software. The software contained in the mpkg contains system extensions and installs without issue. The software contained in the pkg file also contains system extensions, and a prompt with this message is displayed:

    "XSoftware" is damaged and can't be opened. You should move it to the Trash
    This file was downloaded on an unknown date.

This is causing issues with the system extension being installed from XSoftware. Curiously enough, when I run /usr/sbin/installer -pkg "path_to_pkg" -target / manually in a terminal window it works successfully, and XSoftware is able to install the System Extensions and run properly. I've used pkgutil --check-signature to check the notarization and signing and it looks correct. This is my dmg structure:

    dmg
    | mpkg
    data_folder
    | pkg

Any suggestions or help would be greatly appreciated. I can provide more details if necessary.
May ’24
Endpoint Security signing issues
I'm trying to sign a macOS application which includes an Endpoint Security system extension. The profile for the extension has the capability added and the app profile has the System Extension capability added. Both targets also have the correct entitlements, but when validating the app after archiving I get the following error: "Profile doesn't support Endpoint Security." When looking in the logs I can see that Xcode is fetching a provisioning profile for the extension without the needed capability. If I download the profile from the developer portal, the correct capability is present. Could something be "out of sync" regarding what provisioning profiles Xcode fetches vs what I see on the developer portal? If I try to archive using xcodebuild I get the following: "APP requires a provisioning profile with the System Extension feature." and ""BUNDLE_ID.systemextension" requires a provisioning profile with the Endpoint Security feature." I have tried with automatic and manual signing but nothing seems to work.
Apr ’24
App translocation and TestFlight
Hi, we have an app that installs a number of system extensions. According to this documentation the app must be located in the Applications folder to be activated, so when the app launches we check that it is running from /Applications (or a subfolder) and if it isn't we inform the user and exit. This has been working fine until a recent submission, whereupon installing the app via TestFlight causes it to be translocated when run and our check to fail. So, a couple of questions: Is it expected that an app installed via TestFlight (or indeed the App Store) can be translocated when it is run? If yes to the above, how can we ensure that our app is running from Applications and can therefore activate its extensions? Thanks, Alan
Apr ’24
[macOS]: In sonoma 14.4, Network issues and devices hanging after waking from sleep.
Hi Team, we have recently observed a network issue, followed by device hang-ups, when users come out of sleep while using the Transparent app proxy provider in Sonoma 14.4, and users are required to restart the system to resolve the problem. In the client logs, we observed that State:/Network/Global/IPv4 does not have any PrimaryInterface and there is no internet connectivity, although the internet works fine on other devices. This issue started in Sonoma 14.4 and happens with the Transparent app proxy provider. We are currently unable to pinpoint the exact issue. Are there any known issues with Sonoma 14.4?
Apr ’24
Detecting Fast-User Switch with a Network System Extension
I am running into an issue with running a PacketTunnelProvider as a system extension, and fast user switching. Since the VPN is running as root, it runs outside any user context and is accessible to all users on the machine. I can see the following behavior:

1. Log in to User A
2. Connect VPN
3. Fast switch to User B
4. Open Safari, observe that traffic is directed and sent out the VPN (as noted by the ability to browse otherwise unreachable websites).

Is there a way to detect that a fast user switch is happening, and disconnect the VPN when User B takes control of the screen? I know NSWorkspace is not a daemon-safe API, so NSWorkspaceSessionDidResignActiveNotification and the like will not be useful here. One alternative would be to use NSWorkspace notifications in the GUI and alert the system extension via XPC. But that wouldn't work in the case where there isn't a GUI, such as with ConnectOnDemand. Is there a daemon-safe API to use, or some other alternative? Thanks
Apr ’24
System Extension deactivationRequest fails with error "The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.)"
We have a main app that handles UI and interaction with the user. And we also have a daemon contained inside of it. The daemon has all the business logic and FDA and root permissions. Now we want to add a network extension. First we added the Network Extension to the main app and it was working fine (to test the waters). But then we decided to move it to the daemon, since it has all the business logic and the NE mostly contains business logic and no UI. It needs to be there. Now NE activationRequest(forExtensionWithIdentifier: is working fine. But deactivationRequest(forExtensionWithIdentifier: during uninstall always fails with this error:

    System Extension deactivationRequest fails with error The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 13.)

OSSystemExtensionError Code 13 says "An error code that indicates the system was unable to obtain the proper authorization." What does this actually mean? Also, if there is an error, why is it thrown during uninstall rather than install? To make it more clear, this is our app structure:

    -> Contents -> Mac OS -> -> Contents -> Library -> SystemExtensions -> System Extension Bundle

The Apple doc says: @discussion This method creates a new request to activate/deactivate a System Extension. Extensions are discovered from the `Contents/Library/SystemExtensions` directory of the main application bundle. Our System Extension is present in the main app bundle and has the Contents/Library/SystemExtensions structure, but one extra layer deep. Is this a supported app structure? If not, is there any way to successfully uninstall the NE from code? Right now systemextensionsctl uninstall won't work without System Integrity Protection disabled. Keeping the NE in the main app will break our project structure and require a major rewrite of the app. Also, whenever I run systemextensionsctl with SIP on I get this message:

    At this time, this tool cannot be used if System Integrity Protection is enabled. This limitation will be removed in the near future.
    Please remember to re-enable System Integrity Protection!

Apple introduced System Extensions in 2019. It is still not there yet. Does anybody have any idea when Apple will make it work? If at all?
Apr ’24
How to configure the endpoint security message deadline value by which the app should respond?
As an enterprise endpoint security/data loss prevention application, we need to detect data which is being transferred out of the enterprise context from the macOS filesystem through applications like Cloud Sync or Email. Depending on the file content, type and size, we require some time for scanning the content being sent. This can range from milliseconds to a few minutes for very large contents. But the Endpoint Security message has to be responded to within the provided message deadline, else the application will be killed. This deadline is reducing with every macOS release and it's now only 15 seconds on macOS Sonoma, which is blocking our use case of completing the scan before responding. We may scan it before, but that imposes the challenge of the data being modified before it is actually sent. So we have to scan it on the fly and can't rely solely on the previous scans. Is there any way an enterprise can customize this deadline value depending on the ES message and scanning application, maybe through an MDM setting?
Mar ’24
Launch Agent service not starting post login
We have a test scenario where we install our app package on a Mac set up using MDM (Jamf). Below are the test steps and observations: This installation is done on this Mac with no user logged in. Installation is completed successfully. Now when a user logs in on this Mac, the expectation is that the app bundle will be started by launchd (RunAtLoad). But the app is not started. When I check the console logs I can see a few logs around the app, but from those logs I couldn't figure out why the app didn't start. I rebooted my test machine but that also didn't start my app. My app is not listed in the 'launchctl list' command. My app bundle contains a container app and a packet tunnel extension. Below is how my plist file looks in '/Library/LaunchAgents/com.****.***ui.plist':

    {
        KeepAlive = 1;
        Label = "com.*****.client.****ui";
        LimitLoadToSessionType = ( Aqua );
        ProgramArguments = ( "/Applications/*********.app/Contents/MacOS/****Module" );
        RunAtLoad = 1;
        SuccessfulExit = 1;
        Version = "";
    }

In Console, below are the last set of logs which I could find related to my app: support_log.txt. In the above logs, the statement below mentions the extension which is related to my app bundle:

    2024-03-19 15:48:55.256020+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [] [Skipping first 85 of 95 entries]
    2024-03-19 15:48:55.256051+0530 0x462 Default 0x0 206 0 symptomsd: (SymptomEvaluator) [] entry: Thu Feb 8 20:48:26 2024*****.client.*****-Client.*****ui.*****pkttunnel. (bundle) 0 0 0 0 0 0

Can someone please help me understand what could be wrong here, and why the 'RunAtLoad' key won't start my app on user login or reboot? Note: Everything works fine when my app is installed with a user logged in to the test machine. Also, the app starts successfully if I run the command 'launchctl bootstrap gui/ /Library/LaunchAgents/com.****.****ui.plist' in the above-mentioned test scenario where the app didn't auto start by launchd 'RunAtLoad'.
Mar ’24
Can't receive notification from Camera Extension(Swift) to observer application (obj-c++)
Both the extension and the receiving application are in the same app group. I can't find the issue. It doesn't seem to be a problem with entitlements. Maybe an issue with the string formatting/conversion? Maybe I am not allowed to send distributed notification center notifications from the camera extension? I am sending the notification by calling:

    func notifyChangeInUsage() {
        os_log("Notifying the virtual camera change in usage", log: cdsLog, type: .info) // this is logged
        DistributedNotificationCenter.default().postNotificationName(NSNotification.Name("VirtualCamUsageChanged"),
                                                                     object: nil,
                                                                     userInfo: nil,
                                                                     deliverImmediately: true)
    }

And receiving it on the other end, subscribing with:

    std::string notification = "VirtualCamUsageChanged";
    [mObserverClassInstance subscribe:@(notification.c_str())];

where subscribe is the following method, which is tested to be working:

    - (void)subscribe:(NSString *)notification {
        [[NSDistributedNotificationCenter defaultCenter] addObserver:self
                                                            selector:@selector(callCallback:)
                                                                name:notification
                                                              object:nil
                                                  suspensionBehavior:NSNotificationSuspensionBehaviorDeliverImmediately];
    }
Mar ’24
Problems with FlowData in Data Filter
Hi all. The documentation says:

    readBytes: An NSData object containing the data to filter. For non-UDP/TCP flows, since the data may optionally include the IP header, readBytes includes a 4-byte NEFilterDataAttribute field preceding the user data. Your handler must examine the NEFilterDataAttribute field and handle the data accordingly.

This is the parameter in the method handleInboundDataFromFlow:readBytesStartOffset:readBytes:. I assume it contains a 4-byte NEFilterDataAttribute field preceding the user data all the time. Is it normal that I get NEFilterDataAttribute: 1099782776645 (and some other very big numbers)?

    const NEFilterDataAttribute *dataAttr = readBytes.bytes;
    NSLog(@"NEFilterDataAttribute: %ld", *dataAttr);

And after the initial 4 bytes, if the offset param is 0, can I assume that the UDP/TCP or IP packet headers can be extracted from the data?
Mar ’24