System Extensions

Install and manage user space code that extends the capabilities of macOS using System Extensions.

System Extensions Documentation

Posts under System Extensions tag

156 Posts
Post not yet marked as solved
11 Replies
721 Views
I want to prevent the root user from uninstalling my EndpointSecurity System Extension. I succeeded in denying this when he removes it with a Terminal command, by intercepting ES_EVENT_TYPE_AUTH_RENAME and ES_EVENT_TYPE_AUTH_UNLINK events and answering ES_AUTH_RESULT_DENY for the Extension's application in the /Applications folder. However, when the user drags and drops the Extension's application to the Trash, he succeeds. More than that, it looks like I don't receive any event about it in the Extension. Thanks.
Posted by MeirS.
Post marked as solved
2 Replies
183 Views
I'm debugging a USB DriverKit driver, and noticed the os_log messages during the kernel verification checks do not have a subsystem (not my driver's logging):

{
  "traceID" : 44303244788367364,
  "eventMessage" : "DK: G600Driver-0x1002dd073: family entitlements check failed",
  "eventType" : "logEvent",
  "source" : null,
  "formatString" : "DK: %s-0x%qx: family entitlements check failed\n",
  "activityIdentifier" : 0,
  "subsystem" : "",
  "category" : "",
  "threadID" : 2655768,
  "senderImageUUID" : "198748B0-2858-345A-957A-45C9ACB4C2F2",
  "backtrace" : {
    "frames" : [
      { "imageOffset" : 9007231, "imageUUID" : "198748B0-2858-345A-957A-45C9ACB4C2F2" }
    ]
  },
  "bootUUID" : "",
  "processImagePath" : "\/kernel",
  "timestamp" : "2022-06-14 01:57:51.171906-0700",
  "senderImagePath" : "\/kernel",
  "machTimestamp" : 281599031530198,
  "messageType" : "Default",
  "processImageUUID" : "198748B0-2858-345A-957A-45C9ACB4C2F2",
  "processID" : 0,
  "senderProgramCounter" : 9007231,
  "parentActivityIdentifier" : 0,
  "timezoneName" : ""
}

Is there a recommended way (other than substring matching on the driver name) to create a predicate for filtering the log to messages relevant to my driver? Thanks.
Posted by nealsid.
Post marked as solved
4 Replies
519 Views
I understand that the knee-jerk response to this is that the related app is not properly signed/notarized. But this failure is occurring for some of my customers despite a properly signed SEP app (Symantec Endpoint Protection version 14.3 RU3). I've discovered that an additionally installed product can cause this in some instances—the WSS agent (Symantec Web Security Service). When WSS is also installed I get the same SEP activation error and these results from a command-line check of SEP:

% spctl --assess --verbose /Applications/Symantec\ Endpoint\ Protection.app
/Applications/Symantec Endpoint Protection.app: rejected
source=Unnotarized Developer ID

...and when I remove WSS, this same check is OK and the SEP system extension activation is successful:

% spctl --assess --verbose /Applications/Symantec\ Endpoint\ Protection.app
/Applications/Symantec Endpoint Protection.app: accepted
source=Notarized Developer ID

So, my question is: how could WSS (or any other product or configuration) be interfering with the notarization check of another app? In most cases of this, WSS is not installed and I don't know where to look for the interference. The work-around so far has been to install the previous version of SEP (14.3 RU2), then upgrade to RU3, and that (oddly enough) is OK. I am working with the SEP developers already on this and am looking in parallel for some direction I can point them to. Thanks.
Posted by gdeff.
Post not yet marked as solved
2 Replies
220 Views
Hi, I have been following the steps presented in https://developer.apple.com/documentation/coremediaio/creating_a_camera_extension_with_core_media_i_o to create a Core Media I/O camera. However, when calling

let activationRequest = OSSystemExtensionRequest.activationRequest(
    forExtensionWithIdentifier: identifier,
    queue: .main
)
activationRequest.delegate = installDelegate
OSSystemExtensionManager.shared.submitRequest(activationRequest)

the delegate's request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) method is being called with error code 9 (OSSystemExtensionError.Code.validationFailed) and the system dialog does not appear.
Posted by yonator.
Post not yet marked as solved
1 Replies
200 Views
I developed a screen watermarking program that worked fine before macOS 12.4. After upgrading to 12.4, the "System Extension Blocked" pop-up can't be clicked, but other windows are OK. Can anybody tell me what macOS 12.4 has done to the "System Extension Blocked" pop-up!!! My sample code is like this:

NSScreen *screen = [NSScreen screens][0];
CGFloat windowWidth = screen.frame.size.width;
CGFloat windowHeight = screen.frame.size.height;
CGFloat x = screen.frame.origin.x;
CGFloat y = screen.frame.origin.y;
MyView *view = [[MyView alloc] initWithFrame:NSMakeRect(0, 0, windowWidth, windowHeight)];
// Borderless, non-activating panel covering the whole screen
NSWindow *window = [[NSPanel alloc] initWithContentRect:NSMakeRect(0, 0, windowWidth, windowHeight)
                                              styleMask:NSWindowStyleMaskBorderless | NSWindowStyleMaskNonactivatingPanel
                                                backing:NSBackingStoreBuffered
                                                  defer:NO];
[window setOpaque:NO];
[window setBackgroundColor:[NSColor clearColor]];
[window setCollectionBehavior:NSWindowCollectionBehaviorCanJoinAllSpaces | NSWindowCollectionBehaviorFullScreenAuxiliary];
[window setIgnoresMouseEvents:YES];   // clicks pass through the overlay
[window setHasShadow:NO];
[window setLevel:NSScreenSaverWindowLevel];
[window setContentView:view];         // the original had "views", an undeclared name
[window makeKeyAndOrderFront:nil];

and draw in MyView:

- (void)drawRect:(NSRect)dirtyRect {
    NSRect screen = [self bounds];
    int SW = screen.size.width;
    int SH = screen.size.height;
    [[NSColor clearColor] set];
    NSRectFill(screen);
    NSString *strH = @"watermark test.";
    NSMutableDictionary *md = [NSMutableDictionary dictionary];
    [md setObject:[NSFont fontWithName:@"Times" size:80] forKey:NSFontAttributeName];
    // Draw the watermark text centred on the view (the original used SH for both coordinates)
    [strH drawAtPoint:NSMakePoint(SW * 0.5, SH * 0.5) withAttributes:md];
    // The original called [self setNeedsDisplay:YES] here; doing that inside drawRect:
    // schedules another redraw on every pass and keeps the view redrawing continuously.
}
Post marked as solved
4 Replies
357 Views
I've implemented a custom VPN for macOS (system extension, Packet Tunnel Provider). I've configured disconnectOnSleep = false, and at the Provider I've implemented the sleep() and wake() functions. At the wake() func, I'm trying to re-establish the connection, and most of the time it's working well. However, there are times when even after wake() is called, it seems that the interfaces aren't ready/available, and I'm getting "Network is unreachable" errors (I'm working with BSD Sockets). Any idea why the interfaces aren't available at this point, after wake() had been called? Any idea on how to be updated when the interfaces are available?
Posted by roee84.
Post marked as solved
1 Replies
212 Views
We are working on a Network Extension based iOS app. Is it possible to have an app proxy (for per-app VPN) and packet tunnel providers within the same extension binary on iOS? On Mac this seems to be allowed, but with iOS it looks like we have to have separate binaries, one per provider. In our case this complicates things.
Posted by tandre.
Post marked as solved
4 Replies
435 Views
When the network extension is installed, tethering breaks. So our customers faced a very big problem. Give me some feedback. The test steps are as follows.

1. Test Info.
os: higher than 12.1
hardware: only MacBookPro18,1~3 and only Tethering (IPv6). It does not happen in IPv4. It works normally in a different environment.

2. Test Step
1) We always allowed the NE's authority request in the same way.
2) After the NE is installed, press Allow network filtering.
3) Our NE calls the API below (in the main method):
[NEFilterPacketProvider startSystemExtensionMode];
4) However, the following error message occurs.
error 16:10:37.791557+0900 com.ahnlab.TobeyNE [self.extensionContext conformsToProtocol:auxHostProtocol.protocol] - /AppleInternal/Library/BuildRoots/66382bca-8bca-11ec-aade-6613bcf0e2ee/Library/Caches/com.apple.xbs/Sources/ExtensionFoundation/ExtensionFoundation/Source/NSExtension/NSExtensionSupport/EXExtensionContext.m:332: Class NEFilterPacketExtensionProviderContext does not conform to aux host protocol: <private>
5) And the tethering breaks.

Also, it works normally unless it is MacBookPro18,1. There is this issue only on MacBookPro18,1. Tell me the solution.
Post marked as solved
7 Replies
519 Views
Hi, we are building a macOS application which integrates VPN functions right now. We are using a Developer ID certificate to sign the app and the system network extension, and the sandbox is enabled. One issue we are facing now is that we need to establish an mTLS connection to the server. During this connection, we need to send a client certificate to the server via the provideIdentity() API. We have the certificate, key and p12 file, which are generated in another daemon. But we cannot use the SecPkcs12Import function to import the p12 file in our system extension due to the sandbox limitation and the different context. I know that we cannot construct a SecIdentity object by ourselves. So I am wondering if there is any way that we can get the SecIdentity object in the system extension? Is it possible to send a SecIdentity object between the app and the system extension?
Posted by willys.
Post marked as solved
8 Replies
574 Views
Hi. Our NWListener runs fine and accepts connections successfully when it's run in a standalone app; however, the same code fails when moved into the System Extension code. Specifically, we get the error: The operation couldn’t be completed. (Network.NWError error 0.)

...
let listener = try NWListener(using: params!)
listener.service = NWListener.Service(name: "service", type: "_service._tcp")
listener.stateUpdateHandler = { newState in
    switch newState {
    case .ready:
        if let port = listener.port {
            self.receiveIncomingDataOnConnection()
        }
    case .failed(let error):
        listener.cancel()
        // Getting the error here
        print("Listener - failed with \(error.localizedDescription), restarting")
    default:
        break
    }
}
...

We have checked that the App Sandbox permissions for inbound and outbound connections are set in the entitlements file. At this point, we are stumped at what's limiting our listener when it's running in the extension. Thanks!
Posted by mentarus.
Post marked as solved
1 Replies
218 Views
I added a Camera Extension to my app, using the template in Xcode 13.3.1. codesign tells me that the app and its embedded system extension are correctly signed, and their entitlements seem to be okay. But when I submit an activation request for the extension, it returns with this failure:

error: Error Domain=OSSystemExtensionErrorDomain Code=9 "(null)"
localized failure reason: (null)
localizedDescription: The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 9.)
localizedRecoverySuggestion: (null)

What could be the reason? Code 9 appears to mean a "validation error", but how do I figure out what is invalid?
Posted by ssmith_c.
Post marked as solved
1 Replies
256 Views
In reference to this related question: forum question 678260. I have an application that is codesigned and notarized to install a VPN extension using the NetworkExtension plugin. It works great in Xcode in debug. In release builds that are notarized, the network extension is rejected when I try to load it. The only way we were able to get the extension to load is by going through the system extension API. Quinn, is it possible to distribute Developer ID-signed apps that install NetworkExtension components outside the App Store without having to use System Extensions? The 4 UIs that the user has to jump through to allow System Extensions are going to be a huge problem for a non-technical user base.

CONSOLE output when installed from a notarized pkg:

NEVPNTunnelPlugin(com.foo.bar[inactive]): Validation of the extension failed
Provider com.foo.bar validation failed: Error Domain=NEFilterErrorDomain Code=1 "(null)"
Post not yet marked as solved
1 Replies
188 Views
I've implemented a custom VPN system extension for macOS (Packet Tunnel Provider). I created a tunnel, and I have a VPN connection, with the default (IPv4) routes. My question is about sending traffic which was originated at the extension, via the tunnel. Is it possible to create a BSD socket at the extension, and bind it to a specific interface, so the traffic (that was created from the extension) for this socket will be routed via the tunnel?
Posted by roee84.
Post not yet marked as solved
1 Replies
203 Views
I have an app which is installing a system extension. On startup I want to know if it's already been installed or not (because if it hasn't I want to show some information to the user). I have not been able to find an ObjC or Swift method that allows me to ask if a given extension has been installed. I know I can run systemextensionctl list and parse the output but I don't want to have to fork a shell command if I don't have to.
Post not yet marked as solved
3 Replies
263 Views
We have a macOS app that contains a system extension content filter as part of the app bundle. The main container app is a relatively simple process to perform activation and deactivation of the content filter. From guidance given on this forum, our container app has a GUI component (AppDelegate) which on launch activates the content filter if needed, e.g. on initial install or update. This works as intended, provided the user is logged in. However, we would normally expect the install/update/removal to be performed by remote management, e.g. pushed by JAMF, which often happens when no user is logged in on the device. Note, we have an MDM profile which provides pre-authorization of the system extension and content filter to negate the requirement for the user to respond to prompts during install. Trying to perform a remote install or removal requires calling the main container app to run without a logged-in user, which fails because the app terminates as there is no GUI context to run in. Trying a container app without a GUI component appears to be unreliable and often hangs during content filter activation. What is the correct way to perform installation or removal, without a user login, via remote management?
Post not yet marked as solved
25 Replies
6.4k Views
This is on an M1 MacBook Pro running 11.1b1. I installed an Extension from Rogue Amoeba to support their App Suite.

1. Boot into recovery to set system policy to allow user permission of extensions
2. Reboot and install extension
3. Allow Extension in Preferences > Security panel
4. Allow rebuild and restart.

It comes up with an endless loop of failure due to an Extension from Apple Inc.! The Rogue Amoeba extension loads fine. Any ideas?
Posted by HaraldS.
Post not yet marked as solved
1 Replies
469 Views
Hi, I'm looking for a developer to update a currently Intel-only legacy kext into a system extension so it works on M1 / ARM / Apple Silicon. Here's the problem: I'm a heavy user of legacy software named ControllerMate. Unfortunately, it has been abandoned by the developer and he didn't make it open-source. The latest update was in late 2018, and the developer has stopped responding entirely and cannot be reached, even by previous beta-testers. Confirmed by several power users who tried over the years. The app basically allows creation of macros and cascades and is extremely powerful. It's used by many people in the video post-production and music production space in their professional workflows, and people built individual workflows around this over the years to work faster and more efficiently. Since it hasn't been updated, people are somewhat stuck and can't upgrade without breaking their workflows. Especially now with the new and powerful M1s, this becomes much more urgent and relevant again. The kext might have to be reverse engineered or hacked - I know, not something people in an Apple developer forum wanna hear, but we're desperate to find somebody for this and keep this going. I truly appreciate any input, insights and leads! Thank you!
Post not yet marked as solved
11 Replies
503 Views
I've implemented a custom system-extension VPN (Packet Tunnel Provider) for macOS. At the extension, I need to use a 3rd party dynamic lib. The steps I did:

Build phases:
- Copy files, with Frameworks destination
- Link Binary With Libraries

Build Settings:
- I set 'Dynamic Library Install Name', 'Dynamic Library Install Name Base', and 'Library Search Path' to the lib folder
- I set 'Header Search Path' to the headers folder

But when running the extension, it's crashing with the error:

Termination Reason: Namespace DYLD, Code 1 Library missing
Library not loaded: @loader_path/somelib.dylib
Reason: tried: '/Library/SystemExtensions/A1111-someID-11111/com.myapp.myappSysExtension.systemextension/Contents/MacOS/libwavmodapi.dylib' (no such file), '/usr/local/lib/libwavmodapi.dylib' (no such file), '/usr/lib/libwavmodapi.dylib' (no such file)
(terminated at launch; ignore backtrace)

Any idea what I'm doing wrong here? Also, is it even possible to use dynamic libs from a sys-ext?
Posted by roee84.
Post not yet marked as solved
1 Replies
182 Views
I manage a system that automatically generates system extensions, and in order to ensure that every release's dext can be activated over top of any other release, I have it increment the dext's CFBundleVersion so that every release has a unique version number. However, I just hit an error where, once CFBundleVersion reached 10000, dext activation would fail with this error:

Property "CFBundleVersion" must be a valid kext version

Apparently the maximum value any one of the three digits can be for CFBundleVersion is 9999, at least for a dext. So if CFBundleVersion only uses one number as opposed to three, it can't go higher than 9999. Note that I found this out from experimentation. Nowhere in Apple's documentation have I found any mention of this restriction, including, most distressingly, in the docs for CFBundleVersion. Since I'm programmatically assigning this value, now I need to know: are there any other requirements or restrictions for CFBundleVersion? I'm curious if there are any in the context of an app (be it on macOS, iOS, tvOS, and so on) or other types of extensions, as well as with a DriverKit extension.
Posted by guygizmo.