Post not yet marked as solved
Hi Team,
We are using NETransparentProxyProvider, and we have observed that whenever we call setNetworkInterface with an NENetworkRule, it always generates a DNS query even if the TTL has not expired.
However, when I stop the NETransparentProxyManager using stopVPNTunnel and call setNetworkInterface with nil, it does not re-issue the DNS query until the DNS TTL has expired.
I have a network extension that contains an App Proxy and a Content Filter.
After installation, the extension process is not launched automatically. We want to execute some code in main.swift.
The extension process is launched on enabling either the App Proxy or the Content Filter.
How do we launch the network extension process after installation?
Installation sample code:
let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: id, queue: .main)
OSSystemExtensionManager.shared.submitRequest(activationRequest)
For a security product, I wonder if the security extension has the capability to catch a file during a copy operation (I guess it's composed of multiple basic operations like file read and file write).
I'd like to store the file in some quarantined temporary location (let's say when someone copies a file from an external file system like a USB or network location) and copy it back once the file has been properly scanned.
So far, I've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied?
Thanks.
Platform: macOS 12.0
I have an app bundle which contains a packet tunnel extension. I am not running my packet tunnel extension in a sandbox as I don't plan to post my app on Apple's App Store.
I have a requirement to run privileged operations, which I can run from any place in the app. As we know, the user app cannot run these privileged operations, so we can use the Service Management API SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier, I can run these privileged tasks from any place in the bundle, and we have a packet tunnel extension which is running with root privileges.
So looking at my environment above, what would be recommended? Do I really need to start a privileged helper tool, or can I directly run these privileged operations from the packet tunnel extension?
One advantage I see of running these privileged tasks in the packet tunnel extension is that it will not require the additional user authentication which is needed in the case of SMJobBless(); this will also avoid upgrade management of the helper tool.
Hi Team,
We are using NETransparentProxyProvider and have observed that AirDrop is not functioning.
I attempted to use protocolConfiguration in NETransparentProxyManager as mentioned below.
manager.protocolConfiguration?.excludeLocalNetworks = true;
but it did not work.
Could you please provide guidance on how to exclude local network traffic in NETransparentProxyProvider?
I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my Developer ID certificate for distribution, the network extension will not activate, getting stuck in the activation request and completely killing any internet connectivity until I restart.
The only thing that I see is different is that when I call systemextensionsctl list I get something like:
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
<TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category]
* * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled]
Where the one showing [validating by category] is the one that I'm trying to activate, signed with the Developer ID cert. The one that is [activated enabled] got there from a dev build.
The app was built and notarized and shows as valid by all the codesign -dv --verify --strict and spctl commands that I've found. The system extension is also valid according to codesign.
The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates.
Is there another step required to make it work with a Developer ID certificate?
If I do these tasks in random order, my CMIO CameraExtension goes into an unstable condition.
Copy MyApp.app under /Applications or /Applications/MyAppGroup/
Install by having MyApp send OSSystemExtensionRequest.activationRequest
Check the install condition with the command "systemextensionsctl list"
Uninstall by having MyApp send OSSystemExtensionRequest.deactivationRequest
Remove /Applications/MyAppGroup/ from the command line and Finder
Remove /Applications/MyApp.app from the command line and Finder
Kill MyApp.app during activationRequest.
Once my CMIO CameraExtension goes into the unstable condition, it is impossible to remove in the normal way.
"systemextensionsctl list" shows my extension is activated.
Removal by API fails with code=4.
Removing the files of MyApp.app does not remove the CameraExtension.
The only way to remove the CameraExtension is to boot macOS into recovery mode, disable SIP, and run "systemextensionsctl uninstall".
The Audio HAL extension is file based and atomic. I can check file existence with the "ls" command and remove it with "rm -rf". I never encountered the unstable condition.
When my macOS app tries to deactivate the CameraExtension, my app's didFailWithError is called with this error.
Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
I cannot find error code=4 with that domain in a search.
MyApp calls OSSystemExtensionManager.shared.submitRequest with OSSystemExtensionRequest.deactivationRequest
I did implement these tasks:
BundleID, MyApp: com.myapp,
BundleID, CameraExtension: com.myapp.camera
Added entitlements and App Groups for the app and extension
MyApp has the System Extension capability in Xcode and the provisioning profile
MyApp is installed at /Applications/MyAppGroup/MyApp.app
MyApp is launched from Finder
macOS is Sonoma 14.2.1 (23C71) on an M1 MacBook
Hi!
There are two fields in an ES message, global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because the "kernel generated more events than the client could handle."
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num
However, as we all know, the system will kill an ES client if a message is not answered within the deadline.
I have a lot of questions about this:
What is the "drop" actually? Is the event not provided to the ES client by the kernel?
What does "client could handle" mean exactly? (I mean, the ES client will already be killed if it can't respond to an event by the deadline.)
Are the dropped events responded to by the system immediately, or do they wait for something?
Can only auth events be dropped, or notify events too?
What is the system's resolution for dropped auth events? (allow, I guess)
What am I expected to do as a developer with these two fields: should I just log them and hope to find something out later, or can I react somehow at runtime if I detect a break in the *seq_num sequence?
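An added example for the last question above (not code from the post or from Apple): a small tracker that is fed the three relevant fields of each es_message_t and reports exactly where either counter jumped. The sample stream at the bottom is constructed by hand to show a per-type drop and a global drop; the event type numbers are arbitrary, not real es_event_type_t values.

```swift
import Foundation

/// The counters copied out of one es_message_t (`event_type`, `seq_num`, `global_seq_num`)
/// before the message is released. Only these three fields matter for gap detection.
struct ESSequenceSample {
    let eventType: UInt32      // raw es_event_type_t; seq_num is counted per type, per client
    let seqNum: UInt64
    let globalSeqNum: UInt64   // counted across all subscribed types, per client
}

/// A discontinuity: `missing` messages were dropped by the kernel before `observed` arrived.
struct ESSequenceGap: Equatable {
    enum Scope: Equatable { case global; case perType(UInt32) }
    let scope: Scope
    let expected: UInt64
    let observed: UInt64
    var missing: UInt64 { observed &- expected }
}

/// Tracks both counters. Use one tracker per es_client_t and call it from the client's
/// handler block (handlers are serialized per client, so no lock is needed); create a new
/// tracker after every es_new_client, because the counters restart with the client.
final class ESSequenceTracker {
    private var nextGlobal: UInt64?
    private var nextPerType: [UInt32: UInt64] = [:]

    /// Records one message and returns the gaps it reveals: none, global, per-type, or both.
    func observe(_ s: ESSequenceSample) -> [ESSequenceGap] {
        var gaps: [ESSequenceGap] = []
        if let expected = nextGlobal, s.globalSeqNum > expected {
            gaps.append(ESSequenceGap(scope: .global, expected: expected, observed: s.globalSeqNum))
        }
        nextGlobal = s.globalSeqNum + 1
        if let expected = nextPerType[s.eventType], s.seqNum > expected {
            gaps.append(ESSequenceGap(scope: .perType(s.eventType), expected: expected, observed: s.seqNum))
        }
        nextPerType[s.eventType] = s.seqNum + 1
        return gaps
    }
}

// Constructed stream (not real ES output): two event types; the kernel drops one type-9
// message, then three messages of some other subscribed type before the last one.
let stream: [ESSequenceSample] = [
    ESSequenceSample(eventType: 9,  seqNum: 0, globalSeqNum: 0),
    ESSequenceSample(eventType: 10, seqNum: 0, globalSeqNum: 1),
    ESSequenceSample(eventType: 9,  seqNum: 1, globalSeqNum: 2),
    ESSequenceSample(eventType: 9,  seqNum: 3, globalSeqNum: 4),   // type-9 seq 2 / global 3 dropped
    ESSequenceSample(eventType: 10, seqNum: 1, globalSeqNum: 8),   // globals 5, 6, 7 dropped
]
let tracker = ESSequenceTracker()
for sample in stream {
    for gap in tracker.observe(sample) {
        // In a product: mark the monitored state as incomplete (for file events, schedule a
        // rescan of what you were tracking) and count gaps; a rising count means the handler
        // is too slow and work must move off the handler block.
        print("gap \(gap.scope): expected \(gap.expected), got \(gap.observed), missing \(gap.missing)")
    }
}
```

The per-type counter tells you which subscription lost messages; the global counter tells you how many were lost in total, including types you did not see again. Checking only one of the two misses one of those facts.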
I have a recurring problem with software updates from Apple killing all networking when I have a network system extension distributed via TestFlight installed on my Mac.
Any pointers on how to resolve this would be greatly appreciated!
I don't know if it is my network system extension, the fact that it is distributed via TestFlight, or something else.
The latest example is updating to macOS 14.2 today.
I think the relevant Console message is:
Code has restricted entitlements, but the validation of its code signature failed.
The full message for that Console message is:
mac_vnode_check_signature: /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: code signature validation failed fatally: When validating /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Deleting the app (with its network system extension) immediately restores networking.
I can reinstall the exact same program via TestFlight, and everything runs fine.
The feedback ID (which includes additional details, a screenshot, and a video) is: FB13458972
Hi Team,
We are registering the Network Extension on application launch. The application shows this dialog [dialog attached].
The failing case:
1. User presses OK, thus dismissing the user approval.
2. User clicks on the app's UI -> Register.
3. Register calls the same API again, i.e.
let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)
4. This time, the dialog is not shown to the user. However, we have observed that it does show the dialog again on some machines.
5. User reboots the machine.
6. Click App -> Register. Still the same case: the dialog is not shown to the user.
When I check the status using systemextensionsctl list:
* [TeamId] com.company.extensionname (1.0.100/1.0.100) ExtensioName [activated waiting for user]
How can I force the launch of this dialog from the API, so that the user can be guided to act upon it?
I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel.
The system extension process doesn't stop automatically on disabling all of its capabilities: App Proxy, Content Filter, Packet Tunnel.
How to make the system extension process stop automatically if all of its capabilities are disabled?
Disabling can happen via the system extension's hosting app or the System Preferences network settings.
I have the following in mind:
Whenever we disable any capability via the hosting app, it can check if all the others are disabled and then:
Use the kill shell command to terminate the system extension process
The hosting app can send a message via XPC to the extension to terminate itself via NSApp.terminate
On disabling from System Preferences, the system extension can check if all the others are disabled in the delegate method and terminate itself
I wanted to know which is the better way to handle stopping the system extension process.
I wrote an app to detect whether a specific system extension exists.
At the init() stage of the SwiftUI view, it submits the request to find out whether the specific system extension exists.
OSSystemExtensionManager.shared.submitRequest(request)
and receives the result using
func request(_ request: OSSystemExtensionRequest, foundProperties properties: [OSSystemExtensionProperties])
then displays the result.
However, submitting the request is an asynchronous process, so I get the result "Not Found" before receiving the response.
Is there any way to wait for OSSystemExtensionManager.shared.submitRequest(request) until it finishes its request?
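An added example, not code from any post in this thread, that covers three of the questions above at once: the post asking how to get the extension running right after installation, the one whose request sits in "activated waiting for user", and this one, which reads its result before the properties request has answered. It wraps OSSystemExtensionRequestDelegate in an async bridge so the caller awaits the outcome instead of racing the callbacks. The bundle identifier and the "never downgrade" replacement policy are assumptions for illustration.

```swift
import Foundation
import SystemExtensions

/// What an activation request ended with.
enum SystemExtensionOutcome {
    case finished(OSSystemExtensionRequest.Result)   // .completed or .willCompleteAfterReboot
    case needsUserApproval                            // systemextensionsctl shows "activated waiting for user"
}

/// One bridge per request. It keeps itself alive until the delegate fires (the request's
/// delegate property is weak) and resumes a continuation so the caller can simply `await`.
final class SystemExtensionRequestBridge: NSObject, OSSystemExtensionRequestDelegate {
    private var activation: CheckedContinuation<SystemExtensionOutcome, Error>?
    private var properties: CheckedContinuation<[OSSystemExtensionProperties], Error>?
    private var selfRetain: SystemExtensionRequestBridge?

    /// Submits an activation request for `identifier` and suspends until the outcome is known.
    /// Call it from the app that contains the extension; a daemon is not allowed to.
    static func activate(_ identifier: String) async throws -> SystemExtensionOutcome {
        let bridge = SystemExtensionRequestBridge()
        return try await withCheckedThrowingContinuation { cont in
            bridge.activation = cont
            bridge.submit(OSSystemExtensionRequest.activationRequest(
                forExtensionWithIdentifier: identifier, queue: .main))
        }
    }

    /// Asks the system for every installed copy of `identifier` (macOS 12+) and suspends
    /// until the list arrives; an empty array means "not installed".
    static func installedProperties(of identifier: String) async throws -> [OSSystemExtensionProperties] {
        let bridge = SystemExtensionRequestBridge()
        return try await withCheckedThrowingContinuation { cont in
            bridge.properties = cont
            bridge.submit(OSSystemExtensionRequest.propertiesRequest(
                forExtensionWithIdentifier: identifier, queue: .main))
        }
    }

    private func submit(_ request: OSSystemExtensionRequest) {
        selfRetain = self
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    private func finish() { selfRetain = nil }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        // Assumed policy: replace unless the candidate is older than what is installed.
        let older = ext.bundleVersion.compare(existing.bundleVersion, options: .numeric) == .orderedAscending
        return older ? .cancel : .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // The system has shown its approval prompt; the request stays pending until the user
        // allows the extension in System Settings, so hand control back to the caller now.
        // didFinishWithResult or didFailWithError still arrives later and releases the bridge.
        activation?.resume(returning: .needsUserApproval)
        activation = nil
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        activation?.resume(returning: .finished(result))
        activation = nil
        finish()
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        activation?.resume(throwing: error); activation = nil
        properties?.resume(throwing: error); properties = nil
        finish()
    }

    func request(_ request: OSSystemExtensionRequest,
                 foundProperties props: [OSSystemExtensionProperties]) {
        properties?.resume(returning: props)
        properties = nil
        finish()
    }
}
```

For the SwiftUI case, run `try await SystemExtensionRequestBridge.installedProperties(of: "com.example.ext")` from a `.task` modifier and publish the result into the view's state instead of reading it in init(); the view then shows "Not Found" only after the system has actually answered. For the activation case, `.needsUserApproval` is the signal to show your own guidance pointing at System Settings, because re-submitting the request does not re-prompt.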
In another question on this forum (https://developer.apple.com/forums/thread/124775) eskimo stated that launching a system extension from a daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an app.
My question is, does this same restriction apply to an app started by a LaunchAgent?
If so, to ensure activation as soon as possible, is the only option to use an SMLoginItemSetEnabled helper to start the app at login?
We've recently noticed frequent crashes of macOS after an OS update when using our system extension with NETransparentProxyProvider. Below are the crash logs that appear in a pop-up after the machine starts.
I'm having difficulty understanding the exact point at which it crashes; the panic shows my process below.
Panicked task 0xfffffe2d0a36abf8: 8190 pages, 143 threads: pid 9134: com.xxxx.na Panicked thread: 0xfffffe236ea13010, backtrace: 0xfffffe67858d2b80, tid: 337348
Detailed logs attached.
system_cash_log.txt
Hi Team,
I have a Network Extension application and a UI frontend for it.
The UI frontend talks to the Network Extension using XPC, via the mach service named by NEMachServiceName.
On an M2 machine:
The application and XPC connection work fine on a clean installation.
But when the application is upgraded, the XPC connection keeps failing.
Upgrade steps:
The preinstall script kills the running processes, both UI and Network Extension
Installation continues
The postinstall script launches the application after installation completes.
The following code succeeds up to the point of resume in the UI application:
NSXPCInterface *exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCUIObject)];
newConnection.exportedInterface = exportedInterface;
newConnection.exportedObject = delegate;
NSXPCInterface *remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCExtObject)];
newConnection.remoteObjectInterface = remoteObjectInterface;
self.currentConnection = newConnection;
[newConnection resume];
But it fails to get the remote object:
id<IPCExtObject> providerProxy = [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *registerError) {
}];
Please note, this only fails on M2. On M1, this exact code runs fine.
Additionally, if I uninstall the application by dropping it in the Trash and then install the newer version, the application works fine too.
Hi Team,
I'm currently using a system extension with NETransparentProxyProvider (with root privileges). I want to support custom DNS (specific to domains) with a search domain to accommodate single-label domain support.
For this, I'm creating a new entry inside /etc/resolver/ using the command below.
sudo sh -c 'echo "domain corp.test.com\nsearch corp.test.com\nnameserver 9.9.9.9\nnameserver 9.9.2.2" > /etc/resolver/corp.test.com'
The above command works fine for me when I execute it via the terminal, creating a new file inside the resolver directory as described below. So when I access a single-label domain like https://test, it appends 'corp.test.com', resulting in hitting the domain https://test.corp.test.com. Furthermore, it selects either DNS server 9.9.9.9 or 9.9.2.2.
File: /private/etc/resolver/corp.test.com
domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2
File permissions:
total 8
-rw-r--r-- 1 root wheel 80 Dec 5 18:20 corp.test.com
scutil --dns
resolver #8
domain : corp.test.com
search domain[0] : corp.test.com
nameserver[0] : 9.9.9.9
nameserver[1] : 9.9.2.2
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
However, when I execute the same command within the extension using NSTask, it generates the new file but it does not work as above.
It creates the file below:
File: /private/etc/resolver/corp.test.com
domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2
File permissions:
total 8
-rw-r--r-- 1 root wheel 80 Dec 5 18:25 corp.test.com
scutil --dns
resolver #8
domain : corp.test.com
search domain[0] : corp.test.com
nameserver[0] : 9.9.9.9
nameserver[1] : 9.9.2.2
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
I don't notice any difference in the file permissions or in the scutil --dns entry.
We even tried running sudo killall -HUP mDNSResponder to refresh its records.
Could you please suggest what might be the reason?
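An added example, not the poster's code, of writing the same /etc/resolver entry from the extension itself instead of going through sh -c and echo. Rendering the file in-process removes the dependency on which shell NSTask ends up running and on how that shell's echo treats "\n", and the atomic write means configd never observes a half-written file. The directory parameter exists so the function can be exercised against a temporary directory without root; the domain and nameservers are the ones from the post.

```swift
import Foundation

/// Contents of one /etc/resolver/<domain> file, using the resolver(5) keywords from the post.
struct ResolverEntry {
    let domain: String
    let searchDomains: [String]
    let nameservers: [String]

    /// One keyword per line, newline-terminated; no shell quoting or escaping involved.
    func rendered() -> String {
        var lines = ["domain \(domain)", "search \(searchDomains.joined(separator: " "))"]
        lines += nameservers.map { "nameserver \($0)" }
        return lines.joined(separator: "\n") + "\n"
    }
}

enum ResolverWriteError: Error { case badDomainName(String) }

/// Writes `entry` as `<directory>/<domain>` with mode 0644, via a temp file and rename.
/// `directory` defaults to /etc/resolver (needs root); pass a temp directory to test.
@discardableResult
func writeResolverEntry(_ entry: ResolverEntry,
                        into directory: URL = URL(fileURLWithPath: "/etc/resolver")) throws -> URL {
    // The file name comes from the domain; refuse anything that is not a plain DNS name so a
    // value like "../launchd.conf" can never turn this into a write outside the directory.
    let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: ".-"))
    guard !entry.domain.isEmpty,
          !entry.domain.hasPrefix("."),
          entry.domain.unicodeScalars.allSatisfy(allowed.contains) else {
        throw ResolverWriteError.badDomainName(entry.domain)
    }
    let fm = FileManager.default
    try fm.createDirectory(at: directory, withIntermediateDirectories: true,
                           attributes: [.posixPermissions: 0o755])
    let target = directory.appendingPathComponent(entry.domain)
    try entry.rendered().data(using: .utf8)!.write(to: target, options: .atomic)
    try fm.setAttributes([.posixPermissions: 0o644], ofItemAtPath: target.path)
    return target
}

// Usage with the values from the post. As root this lands in /etc/resolver/corp.test.com;
// swap in FileManager.default.temporaryDirectory to try it unprivileged.
let entry = ResolverEntry(domain: "corp.test.com",
                          searchDomains: ["corp.test.com"],
                          nameservers: ["9.9.9.9", "9.9.2.2"])
let written = try writeResolverEntry(entry)
print("wrote \(written.path):\n\(entry.rendered())", terminator: "")
```

After the write, `scutil --dns` should list the new resolver exactly as the post shows for the terminal case; if it does and single-label lookups still fail only from the extension, the difference is in the lookup path, not in the file.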
Hey team,
We have a use case where we need to block all macOS network traffic except our app's network traffic.
But I can't find any APIs from Apple with that capability.
I see that using NEFilterSettings we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_ flow:). But this API has control at the endpoint level, not the app level.
Could you suggest whether there are any other APIs for this use case? Thanks
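An added example, not the poster's code, of a content filter that makes its decision per application rather than per endpoint: handleNewFlow reads the flow's sourceAppSigningIdentifier (the code-signing identifier of the process that opened the flow) and drops everything that is not on an allow list. The identifiers in the list are placeholders.

```swift
import NetworkExtension

/// A content filter keyed on the source application: flows from the allow-listed signing
/// identifiers pass, every other flow is dropped.
final class AllowListFilterProvider: NEFilterDataProvider {
    /// Assumed values for illustration. In a real deployment this must include every process
    /// the product itself needs; processes without signing information show up as nil and
    /// are dropped by the policy below.
    static let allowedSigningIdentifiers: Set<String> = ["com.example.myapp", "com.example.myapp.agent"]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Route every flow, any protocol, any direction, through handleNewFlow; the rule set
        // itself makes no allow/deny decision, the per-flow verdict does.
        let everything = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .any)
        let settings = NEFilterSettings(rules: [NEFilterRule(networkRule: everything, action: .filterData)],
                                        defaultAction: .filterData)
        apply(settings, completionHandler: completionHandler)
    }

    override func stopFilter(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        return Self.verdict(forSigningIdentifier: flow.sourceAppSigningIdentifier)
    }

    /// The policy as a pure function, so it can be exercised without a running extension.
    static func verdict(forSigningIdentifier id: String?) -> NEFilterNewFlowVerdict {
        guard let id = id, allowedSigningIdentifiers.contains(id) else { return .drop() }
        return .allow()
    }
}
```

The signing identifier is taken from the code signature, so a renamed or copied binary does not inherit another app's allowance. Where the allow decision needs to be tied to a specific team or certificate rather than just an identifier, flow.sourceAppAuditToken can be handed to the Security framework for a full code-signing check before allowing.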
Hi,
I am writing a transparent proxy (using NETransparentProxyProvider) which could potentially multiplex thousands of flows.
When I've done this in the past on other platforms I've used libev or epoll, but NEAppProxyFlow (such as NEAppProxyTCPFlow) doesn't work with any of those approaches as far as I can tell; it doesn't even appear to work with swift-nio. What is the recommended way to multiplex thousands of flows?
I still intend to use swift-nio when I manage the real sockets (which proxy the flows), but how do I multiplex the NEAppProxyFlows themselves? Can someone suggest a highly scalable design? I'm new to this and haven't found a good solution yet.
Thanks
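An added example of the design the question asks about, not code from the post: NEAppProxyTCPFlow is completion-handler driven, so the equivalent of an epoll loop is a small fixed pool of serial dispatch queues on which every flow's callbacks land, with exactly one outstanding read per direction per flow as the backpressure. The upstream side here is an NWConnection rather than swift-nio, the pool size is an assumption, and startProxy/stopProxy (network settings) are not shown.

```swift
import Foundation
import Network
import NetworkExtension

/// Relays one NEAppProxyTCPFlow to the NWConnection that carries it upstream. Every callback
/// from both sides lands on `queue`; no thread per flow, nothing to poll.
final class TCPFlowPump {
    private let flow: NEAppProxyTCPFlow
    private let upstream: NWConnection
    private let queue: DispatchQueue
    private let onClose: (TCPFlowPump) -> Void
    private var closed = false

    init(flow: NEAppProxyTCPFlow, upstream: NWConnection, queue: DispatchQueue,
         onClose: @escaping (TCPFlowPump) -> Void) {
        self.flow = flow; self.upstream = upstream; self.queue = queue; self.onClose = onClose
    }

    func start() {
        upstream.stateUpdateHandler = { [weak self] state in
            guard let self = self else { return }
            switch state {
            case .ready:
                // Open the app's side only once upstream connected, so an unreachable upstream
                // surfaces to the app as a failed connect instead of a silent stall.
                self.flow.open(withLocalEndpoint: nil) { error in
                    if let error = error { self.tearDown(error); return }
                    self.pumpAppToUpstream()
                    self.pumpUpstreamToApp()
                }
            case .failed(let error): self.tearDown(error)
            case .cancelled: self.tearDown(nil)
            default: break
            }
        }
        upstream.start(queue: queue)
    }

    /// app -> upstream: one chunk per readData, re-armed only after the send completed.
    private func pumpAppToUpstream() {
        flow.readData { [weak self] data, error in
            guard let self = self, !self.closed else { return }
            if let error = error { self.tearDown(error); return }
            guard let data = data, !data.isEmpty else {
                // App half-closed: forward the FIN and keep relaying upstream -> app.
                self.upstream.send(content: nil, contentContext: .finalMessage,
                                   isComplete: true, completion: .idempotent)
                return
            }
            self.upstream.send(content: data, completion: .contentProcessed { sendError in
                if let sendError = sendError { self.tearDown(sendError) } else { self.pumpAppToUpstream() }
            })
        }
    }

    /// upstream -> app, same shape in the other direction.
    private func pumpUpstreamToApp() {
        upstream.receive(minimumIncompleteLength: 1, maximumLength: 64 * 1024) {
            [weak self] data, _, isComplete, error in
            guard let self = self, !self.closed else { return }
            if let error = error { self.tearDown(error); return }
            let next: () -> Void = { isComplete ? self.flow.closeWriteWithError(nil) : self.pumpUpstreamToApp() }
            if let data = data, !data.isEmpty {
                self.flow.write(data) { writeError in
                    if let writeError = writeError { self.tearDown(writeError) } else { next() }
                }
            } else {
                next()
            }
        }
    }

    private func tearDown(_ error: Error?) {
        guard !closed else { return }
        closed = true
        flow.closeReadWithError(error)
        flow.closeWriteWithError(error)
        upstream.cancel()
        onClose(self)
    }
}

/// Owns the pumps and spreads them over a fixed pool of serial queues, hashed by flow.
final class MultiplexingProxyProvider: NETransparentProxyProvider {
    private let pool = (0..<4).map { DispatchQueue(label: "proxy.flows.\($0)") }   // assumed size
    private let registry = DispatchQueue(label: "proxy.registry")
    private var pumps: [ObjectIdentifier: TCPFlowPump] = [:]

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let remote = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = UInt16(remote.port).flatMap(Network.NWEndpoint.Port.init(rawValue:)) else {
            return false   // UDP and anything unparsable stay on the system's normal path
        }
        let upstream = NWConnection(host: Network.NWEndpoint.Host(remote.hostname), port: port, using: .tcp)
        let queue = pool[(flow.hash & Int.max) % pool.count]
        let pump = TCPFlowPump(flow: tcp, upstream: upstream, queue: queue) { [weak self] done in
            self?.registry.async { self?.pumps[ObjectIdentifier(done)] = nil }
        }
        registry.async { self.pumps[ObjectIdentifier(pump)] = pump }
        pump.start()
        return true
    }
}
```

With this shape the number of flows only costs memory for the pump objects and in-flight buffers; no thread or file descriptor is held per flow on the NE side, which is what the libev/epoll design was buying on other platforms. If the real sockets are handled by swift-nio, the pump's upstream side becomes a channel handler that re-arms flow.readData from channelRead's completion in the same way.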
Someone else may want to test this with their network system extension, but I found a nasty interaction between Apple's latest software update for Safari and my network system extension.
Summary: When I had my network system extension installed and updated to Safari 17.1.2, all networking was lost.
I first ran into this problem yesterday and documented it in this thread. Today, I tried to pin it down on Ventura.
This test:
Hardware: M1 Mac mini
OS: macOS Ventura 13.6.1 (downloaded from Mac App Store)
Safari version 16.6
Network system extension (mine)
When I updated to Safari 17.1.2, I lost all networking!
Furthermore, I could not uninstall my network extension. Deleting the app with the network system extension didn't help.
Fix 1:
Disabled SIP
Removed my network system extension (at which point networking worked fine again)
Re-enabled SIP
Reinstalled my network system extension
Everything works fine.
Fix 2:
I re-ran the experiment (same initial setup):
Hardware: M1 Mac mini
OS: macOS Ventura 13.6.1 (downloaded from Mac App Store)
Safari version 16.6
Network system extension (mine)
This time:
I removed my network system extension first
I updated to Safari 17.1.2 (this time no problems)
I reinstalled my network system extension
Everything works fine
Having the network system extension in place and then updating Safari to 17.1.2 broke things pretty badly for me.
Was there something I did wrong with my network system extension design?