I grabbed Apple's sample project, SimpleFirewall, here: https://developer.apple.com/documentation/networkextension/filtering_network_traffic. The app builds and runs, but when I press the start button it tells me this in the console:

2019-06-05 15:00:38.032893-0500 SimpleFirewall[32086:151724] System extension request failed: App containing System Extension to be activated must be in /Applications folder

Ok, fair enough. Weirdly, the INSTALL_PATH in build settings is pointed to /Applications, but okay, I'll grab the product and the extension and shove it in /Applications myself and worry about how to debug this later. When I try that, it has me open System Preferences to enable the system extension -- progress! However, even after that, the Start button on the application, which is intended to start filtering incoming connections, briefly spins and goes back to the red/disabled state.

Any tips on how to run this within Xcode and debug it are appreciated. I know it's early and the session doesn't even air until Friday, but there's only so many days left in the summer 🙂.

Best,
Mark
Hi All,

Starting from the SimpleFirewall Apple Network Extension example I managed to create an app with an Endpoint Security extension. From the console I can see that the app is starting correctly and the System Extension is registered and loaded correctly by sysextd:

attempting to realize extension with identifier com.***.***.endpoint

But then the system extension fails with:

System extension request failed: Invalid extension configuration in Info.plist and/or entitlements

That is the same error I can see setting a breakpoint in:

func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error)

Note 1: My provisioning profile doesn't yet contain com.apple.developer.endpoint-security.client (requested but not yet approved), but I removed it from the .entitlements file and added it to the system extension's Info.plist; for development that "should" be ok, right?

Note 2: Keeping the entitlement in the .entitlements file but not having it in the provisioning profile obviously causes an error:

com.***.zuul: Unsatisfied entitlements: com.apple.developer.endpoint-security.client

What am I missing? I noticed that SimpleFirewall has a special configuration in the Info.plist:

<key>com.apple.developer.networking.networkextension</key>
<array>
<string>content-filter-provider</string>
</array>

Do I need to add something similar for Endpoint Security?
Hi,

We have some questions about the EndpointSecurity framework.

1. Must the EndpointSecurity client be a system extension? We used the ES client entitlement to make a development provisioning profile with the EndpointSecurity-client capability. Then we built a simple app (no system extension) with EndpointSecurity.framework and that provisioning profile. It works well on another machine on which SIP is enabled (root permission & approved by TCC). So, does it mean that we can distribute the EndpointSecurity client as a simple app (without a system extension)?

2. If we must package Endpoint Security as a system extension contained in an app, can the containing app be distributed in the Mac App Store?
I had a weird case today when an endpoint system extension remained running even after I deleted the .app bundle.

If I tried killing the process with "sudo kill -9 <pid>", the extension respawned. If I tried "sudo launchctl remove <name>", I was told I didn't have privilege.

Searching my hard drive I found a copy of the system extension in /Macintosh HD/Library/System Extensions/...

I rebooted into recovery mode, deleted the extension bundle, and restarted. Everything initially looked fine. The process did not come back. But then when I tried to re-build, re-package, re-install, and re-launch the application, the operating system complained that it could not find the system extension even though it was there in the .app bundle.

The operating system seems to (A) create a cache/copy of the system extension bundle, and (my guess) (B) maintain a link to that cache location somewhere and try to launch that cached system extension bundle.

[my hacked solution was to rename the extension, including creating a new bundle ID and associated provisioning profile]

Has anyone encountered a system extension that would not die? Did you figure out how to kill it and clear out any caches of it?

Thanks,
Hi,

When I try to activate multiple system extensions at the same time, the sheet shows "Placeholder Developer" rather than the name of the developer. Both system extensions have been signed with a distribution provisioning profile and they will run without problem if I allow them in System Preferences > Security & Privacy.

Is there anything I can do to change "Placeholder Developer" to show my name, or is this an issue to fix in the next macOS release?

I have tested on 10.15.3 (19D76) and 10.15.4 beta 4 (19E250c).

PS: there should be a screenshot but I don't know how to post it. The dialog is System Preferences > Security & Privacy, General tab. On the bottom a label shows "Some system software was blocked from loading." with an "Allow..." button on the right. After clicking the "Allow..." button, a sheet appears, titled "System software from following developers was blocked from loading." The list in the sheet contains two identical items: "Placeholder Developer" with a checkbox on the left.
If I install an app that includes a system extension, I've noticed that when I remove this app the system extension remains.

I'm removing the app with `pkgutil --forget [PKG_NAME]` and deleting dependencies.

NOTE: I cannot disable SIP and have to do this remotely or via a script.

BR
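The posts above run into three different sysextd failures: the container app not being in /Applications, the "Invalid extension configuration in Info.plist and/or entitlements" validation error, and an extension that outlives the deletion of its app. One point worth making explicit for the second case: entitlements are read from the code signature, not from Info.plist, so the extension target needs com.apple.developer.endpoint-security.client in its .entitlements file and in a provisioning profile that grants it; copying the key into Info.plist does nothing. For the third case, the supported way to remove an extension is a deactivation request submitted by the container app, which makes sysextd discard its own copy under /Library/SystemExtensions (deleting the .app by hand does not). The Swift below is an added example, not code from any of these posts or from Apple's SimpleFirewall sample: it drives an activation or deactivation request and maps OSSystemExtensionError codes to the configuration problem each one usually indicates. The extension identifier and queue label are placeholders.

```swift
import Foundation
import SystemExtensions

// ASSUMPTION: bundle identifier of the extension shipped under
// MyApp.app/Contents/Library/SystemExtensions/.
let extensionID = "com.example.product.extension"

// Drives activation and deactivation requests. This must run inside the container app:
// sysextd validates the bundle that submits the request, which is why the app has to
// live in /Applications and why a build run straight from DerivedData is rejected.
// Keep a strong reference to the controller: the request only holds its delegate weakly.
final class SystemExtensionController: NSObject, OSSystemExtensionRequestDelegate {
    private let queue = DispatchQueue(label: "com.example.product.sysext")  // ASSUMPTION
    private let report: (String) -> Void

    init(report: @escaping (String) -> Void) { self.report = report }

    func activate() {
        let request = OSSystemExtensionRequest.activationRequest(
            forExtensionWithIdentifier: extensionID, queue: queue)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // Supported removal path: sysextd unloads the extension and drops its copy under
    // /Library/SystemExtensions. Call this before the app itself is uninstalled.
    func deactivate() {
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: extensionID, queue: queue)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // MARK: OSSystemExtensionRequestDelegate (all four methods are required)

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        // Upgrade in place. Return .cancel to refuse, e.g. after comparing
        // existing.bundleShortVersion against ext.bundleShortVersion to block downgrades.
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        report("waiting for approval in System Preferences > Security & Privacy")
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        report(result == .willCompleteAfterReboot ? "finished, takes effect after reboot" : "finished")
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        report(Self.describe(error))
    }

    // Translate OSSystemExtensionErrorDomain codes into the check a developer should make next.
    static func describe(_ error: Error) -> String {
        guard let sysextError = error as? OSSystemExtensionError else {
            return "non-sysext error: \(error)"
        }
        switch sysextError.code {
        case .unsupportedParentBundleLocation:
            return "container app must be in /Applications: copy the built .app there and relaunch"
        case .validationFailed:
            return "Info.plist/entitlements rejected: check the extension point keys in Info.plist " +
                   "and that every entitlement in the .entitlements file is granted by the profile"
        case .missingEntitlement:
            return "missing entitlement: the app needs com.apple.developer.system-extension.install, " +
                   "the extension needs its own (e.g. endpoint-security.client) in its signature"
        case .codeSignatureInvalid:
            return "code signature invalid: app and extension must be signed by the same Team ID"
        case .forbiddenBySystemPolicy:
            return "blocked by system policy (an MDM system-extension profile or an earlier denial)"
        case .extensionNotFound, .extensionMissingIdentifier:
            return "no extension \(extensionID) found under Contents/Library/SystemExtensions"
        default:
            return "OSSystemExtensionError \(sysextError.code.rawValue): \(sysextError.localizedDescription)"
        }
    }
}
```

When a machine already has a stale entry, `systemextensionsctl list` shows what sysextd still knows about, and `systemextensionsctl reset` (only available with SIP disabled, hence a recovery-mode job) clears that database; the deactivation request above is the only route that works with SIP on and can be scripted from the app itself.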
I have requested an Endpoint Security entitlement through this form: https://developer.apple.com/contact/request/system-extension/

How can I see that my request is done? How can I check that I am able to use this entitlement? Should it be listed in my App ID Configuration Capabilities?
I am trying to run a Network System Extension (Packet Tunnel) that is successfully running as a MAS Network Extension, but I'm facing a problem that neither the app nor the sysex gets the app-group entitlement. Probably because of that my sysex can't find keychain items saved by the app.

taskgated-helper ConfigurationProfiles Unsatisfied entitlements: com.apple.security.application-groups

I have app groups configured in Xcode for both targets, but the provisioning profiles don't include them even though I have them selected on the App IDs.

I'm also getting a bunch of Security errors, and NetworkExtension for some reason reports "Signature check failed: invalid signature (code or signature have been modified)":

default 17:34:48.935971+0300 sysextd sysextd Extension point confirmed that extension com.company.appAbc.PacketTunnel-OpenVPN is runnable.
default 17:34:58.929349+0300 AppAbc Security Adding securityd connection to pool, total now 3
default 17:35:06.957159+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature (null)
default 17:35:07.168468+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.192204+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.308162+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0xa032bdd71140be2af6788e2dc77930a115c17b25}
default 17:35:07.329977+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.330511+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.336086+0300 AppAbc NetworkExtension Saving configuration AppAbc with existing signature {length = 20, bytes = 0x45e64b4ed5b0a1ad6061e3ba5cc05dddd003cd52}
default 17:35:07.382735+0300 AppAbc NetworkExtension Received a com.apple.neconfigurationchanged notification with token 38
default 17:35:07.383265+0300 AppAbc NetworkExtension Successfully saved configuration AppAbc
default 17:35:07.518667+0300 taskgated-helper ConfigurationProfiles allowing entitlement(s) for com.company.appAbc.PacketTunnel-OpenVPN due to provisioning profile (isUPP: 1)
error 17:35:07.526352+0300 taskgated-helper ConfigurationProfiles com.company.appAbc.PacketTunnel-OpenVPN: Unsatisfied entitlements: com.apple.security.application-groups
error 17:35:07.526380+0300 taskgated-helper ConfigurationProfiles Disallowing: com.company.appAbc.PacketTunnel-OpenVPN
default 17:35:08.781878+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: root path for bundle "" of main executable ""
default 17:35:09.165083+0300 secinitd secinitd com.company.appAbc.PacketTunnel-OpenVPN[95856]: AppSandbox request successful
default 17:35:09.240267+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.251136+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.253611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.255763+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.259015+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.263010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.267611+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.270637+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.273530+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.277920+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.283042+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.291778+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.296948+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Adding securityd connection to pool, total now 1
default 17:35:09.296956+0300 com.company.appAbc.PacketTunnel-OpenVPN Security got event: Connection invalid
default 17:35:09.297116+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.297573+0300 com.company.appAbc.PacketTunnel-OpenVPN Security using system preferences
default 17:35:09.299722+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.303518+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.305860+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.308235+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.310523+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.314336+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.318363+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.320930+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.323378+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.325901+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.328656+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.332580+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.346565+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.352010+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.354244+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.356355+0300 com.company.appAbc.PacketTunnel-OpenVPN Security Failed to talk to secd after 4 attempts.
default 17:35:09.356903+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:09.360582+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:09.364850+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:09.368221+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
default 17:35:09.368253+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -67061
default 17:35:09.369765+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension Signature check failed: invalid signature (code or signature have been modified)
default 17:35:09.533751+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: Calling startTunnelWithOptions with options 0x7fb447a0c640
default 17:35:09.636368+0300 kernel Sandbox Sandbox: 7 duplicate reports for com.company.appA deny(1) file-write-data /private/var/db/mds/system/mds.lock
default 17:35:13.275423+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
default 17:35:13.298472+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to
{ ... }
default 17:35:13.760461+0300 com.company.appAbc.PacketTunnel-OpenVPN CoreFoundation Attempting to add source to main runloop, but the main thread has exited. This message will only log once. Break on _CFRunLoopError_MainThreadHasExited to debug.
default 17:35:14.230487+0300 com.company.appAbc.PacketTunnel-OpenVPN Security MacOS error: -25337
default 17:35:14.236639+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: 3 unknown error 3=3
default 17:35:14.244544+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.249541+0300 com.company.appAbc.PacketTunnel-OpenVPN Security CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
default 17:35:14.300451+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: provider set tunnel configuration to (null)
error 17:35:14.315789+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAOpenVPNPacketTunnelProvider.swift:304] openVPNAdapter(_:handleError:) > [OVPN] Did recieve fatal error:
Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
error 17:35:14.326776+0300 com.company.appAbc.PacketTunnel-OpenVPN CocoaLumberjack [Error] [openvpn-adapter.connection] [AAPacketTunnelProvider.swift:68] cancelTunnelWithError(_:) > Canceling tunnel due to the error:
Error Domain=me.ss-abramchuk.openvpn-adapter.error-domain Code=70 "Failed to establish connection with OpenVPN server" UserInfo={NSLocalizedDescription=Failed to establish connection with OpenVPN server, me.ss-abramchuk.openvpn-adapter.error-key.message=ClientState::attach() can only be called once per ClientState instantiation, me.ss-abramchuk.openvpn-adapter.error-key.fatal=true, NSLocalizedFailureReason=Unknown error.}
default 17:35:14.351120+0300 com.company.appAbc.PacketTunnel-OpenVPN NetworkExtension [Extension com.company.appAbc]: IPC detached
default 17:35:14.357134+0300 AppAbc NetworkExtension Last disconnect error for AppAbc changed from "none" to "Failed to establish connection with OpenVPN server"
Hello,

We actually managed to get all of the code signing and entitlements with our Developer ID aligned properly such that our NE system extension is installed and activated, and our packet tunnel provider is started and code is executed in the extension. So far so good!

However, the outstanding problem that is tripping us up at the finish line is that we just can't seem to get the NE provider to read from a shared keychain. The main app is able to write a password-type key to the keychain no problem (we can see it in the macOS Keychain app), but our extension reports a -25291 or -25300, depending upon what we are trying, when trying to read in the value. The exact same keychain read/write implementation works fine in dev builds without using System Extensions, so I'm pretty sure there must be some specific configuration I am missing when it comes to keychain sharing with System Extensions.

We've tried with App Sandbox on and off, and there is no difference.

According to this doc a shared Keychain Access Group entitlement configured in the main app and NE System Extension should be all that is required. This is what we are doing and I believe is why everything is working fine in builds without the system extension.

We've tried all of the combinations of things I can think of, specifically mixing and matching various app group and keychain group identifiers, unfortunately all with the same result.

I believe we are possibly in bug territory, but given how precise Keychain configuration needs to be, I wanted to check with the community to see if anyone had run into this same issue and found a solution before I file a bug. Thanks!
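One difference between the app and the system extension matters here: the extension runs as root outside any login session, so the user's login keychain (the file-based one shown in Keychain Access, where the app's SecItemAdd lands by default) is not reachable from it, and -25291 (errSecNotAvailable, "no keychain is available") is the symptom of exactly that. The Swift below is an added example, not the poster's code; it assumes both targets carry the same group in their entitlements and uses placeholder group, service and account names. It stores and reads the secret through the data-protection keychain (kSecUseDataProtectionKeychain), which is not tied to a user keychain file and which a root extension can open as long as it shares the access group.

```swift
import Foundation
import Security

// ASSUMPTION: both the app and the extension list this group in their
// com.apple.security.application-groups (or keychain-access-groups) entitlement.
let sharedAccessGroup = "ABCDE12345.com.example.shared"
let service = "com.example.product.tunnel"   // ASSUMPTION: placeholder service name

enum KeychainError: Error { case status(OSStatus) }

// Attributes common to every query. kSecUseDataProtectionKeychain selects the
// iOS-style keychain instead of the per-user login keychain file, which is what
// makes the item visible to a process running as root with no login session.
func baseQuery(account: String) -> [String: Any] {
    [
        kSecClass as String: kSecClassGenericPassword,
        kSecAttrService as String: service,
        kSecAttrAccount as String: account,
        kSecAttrAccessGroup as String: sharedAccessGroup,
        kSecUseDataProtectionKeychain as String: true,
    ]
}

// App side: create the item, or update it if it already exists.
func storeSecret(_ secret: Data, account: String) throws {
    var add = baseQuery(account: account)
    add[kSecValueData as String] = secret
    // Readable once the device has been unlocked after boot; a tunnel that must come up
    // before any user logs in cannot use a stricter accessibility class.
    add[kSecAttrAccessible as String] = kSecAttrAccessibleAfterFirstUnlock
    var status = SecItemAdd(add as CFDictionary, nil)
    if status == errSecDuplicateItem {
        status = SecItemUpdate(baseQuery(account: account) as CFDictionary,
                               [kSecValueData as String: secret] as CFDictionary)
    }
    guard status == errSecSuccess else { throw KeychainError.status(status) }
}

// Extension side: read the item back using the same attributes.
func loadSecret(account: String) throws -> Data {
    var query = baseQuery(account: account)
    query[kSecReturnData as String] = true
    query[kSecMatchLimit as String] = kSecMatchLimitOne
    var item: CFTypeRef?
    let status = SecItemCopyMatching(query as CFDictionary, &item)
    guard status == errSecSuccess, let data = item as? Data else {
        // errSecItemNotFound (-25300) here means the app wrote to a different keychain
        // or access group than the one this query names; errSecNotAvailable (-25291)
        // means the query fell back to a user keychain the extension cannot open.
        throw KeychainError.status(status)
    }
    return data
}
```

Items in the data-protection keychain do not show up in the Keychain Access app, so the absence of the item there after switching is expected, not a sign that the write failed.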
Hi guys,

I have a firewall project, where I used SimpleFirewall as a template. I created the project from scratch and the firewall works, but during configuration of the network filter, macOS shows the popup

"(null) Would Like to Filter Network Content"

In the SimpleFirewall sample this message shows

"SimpleFirewall Would Like to Filter Network Content"

Obviously the name of the app is missing. I've done the following:

* checked entitlements - set up correctly
* nothing missing in Info.plist (Bundle Name, Bundle Display Name, etc.), filterManager.localizedDescription is set.
* I went through dozens if not hundreds of build settings
* I changed the window title in the MainMenu.xib to precisely match the App bundle name
* I tried to set up the filter configuration from the App bundle instead of the common framework I use (I thought perhaps the NEFilterProviderConfiguration constructor or the saveToPreferences() function checks which bundle calls it and then the system checks code signing).
* Tried localization for Base and EN
* I verified that the filter config in System Preferences > Network uses the name of our app, and I checked that if I change filterManager.localizedDescription, it correctly changes in those system settings.
* you name it - I have done it

The only clue I found in the system log is this message:

default 15:22:56.895864+0200 MyApp Saving configuration MyApp with existing signature (null)

The only difference is that I implemented most of the firewall functionality in a framework, so that it could be reused, and the app bundle links to this framework. Currently I link against this framework from the app bundle and the system extension using "Embed & Sign". I cannot use other options, because in that case the app cannot communicate with the extension.

Anyway, I created a clone of Apple's SimpleFirewall and modified it to use a common framework with precisely the settings as in our project, and that works correctly. Nothing appears to be working and I cannot get rid of "(null)" in the popup message in our project.

Does anybody know from which source the macOS popup loads this value?

Thanks.
Robert
I want to prevent the root user from uninstalling my EndpointSecurity System Extension.

I succeeded in denying this when he removes it with a Terminal command, by intercepting ES_EVENT_TYPE_AUTH_RENAME and ES_EVENT_TYPE_AUTH_UNLINK events and answering ES_AUTH_RESULT_DENY for the Extension's application in the /Applications folder.

However, when the user drags and drops the Extension's application to the Trash, he succeeds. More than that, it looks like I don't receive any event about it in the Extension.

Thanks.
I have an app with a System Extension, which I've notarized.
I've tried 2 cases:
- With Hardened Runtime on the System Extension.
- Without Hardened Runtime on the System Extension.
Once I've notarized the App Bundle, I notarize the app package; both succeeded and stapled correctly.
When I try to run the App with SIP enabled, I get the following error:
Hardened Runtime relaxation entitlements disallowed on System Extensions
I am developing EndpointSecurity on macOS 11.0 Beta 6.
What I want to do is, when EndpointSecurity is installed and running, replace it with a new version of EndpointSecurity.
Implemented in my EndpointSecurity bundle app:
OSSystemExtensionReplacementActionReplace is returned inside the request:actionForReplacingExtension:withExtension: method.
I checked through NSLog that the request:actionForReplacingExtension:withExtension: method is called normally.
However, if you check Console.app at this time, sysextd crashes.
And I checked with the systemextensionsctl list command: because of the crash in sysextd, the new version of EndpointSecurity did not replace the old one.
I need your help.
sysextd crash logs - https://developer.apple.com/forums/content/attachment/dc54cc07-7a09-4645-ae02-b042405757c3
Also, I have posted the relevant content to Feedback Assistant: FB8622798
Of course, I also forwarded the information to a Technical Support Incident: 745704790
So I'm having issues communicating with an Endpoint Security system extension via XPC. Both the application and the extension are signed, notarized, and members of the same group ID. I've confirmed that the extension is running with systemextensionsctl list and launchctl list. I've also confirmed that the XPC endpoint is available with launchctl procinfo <extension_pid>. The mach service name is correct according to this post - https://developer.apple.com/forums/thread/118211?answerId=366391022#366391022 (TEAMID.bundleID.xpc). I also use the NSXPCConnection.Options.privileged option when creating the connection. When I use connection.remoteObjectProxyWithErrorHandler, I receive the error "Couldn't communicate with a helper application". This error message is very vague and does not help me further troubleshoot. Are there any other logs that I should be looking at in the Console app?
This is on an M1 MacBook Pro running 11.1b1.
I installed an Extension from Rogue Amoeba to support their App Suite. Boot into recovery to set system policy to allow user permission of extensions
Reboot and install extension
Allow Extension in Preferences > Security panel
Allow rebuild and restart.
It comes up with an endless loop of failure due to an Extension from Apple Inc. !
The Rogue Amoeba extension loads fine.
Any ideas?
Hi Experts,
I knew there is LSEnvironment for defining environment variables to be set before launching.
e.g.
<key>LSEnvironment</key>
<dict>
<key>PATH</key>
<string>/Users/flori/.rvm/gems/ruby-1.9.3-p362/bin:/Users/flori/.rvm/gems/ruby-1.9.3-p362@global/bin:/Users/flori/.rvm/rubies/ruby-1.9.3-p326/bin:/Users/flori/.rvm/bin:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:</string>
</dict>
How about a system extension? Thanks a lot.
We have a customer hitting OSSystemExtensionErrorDomain error 10 when attempting to load our system extension. We have tons of successful installations at this point, and this is the first time we've seen this particular error. The error text makes it sound similar to issues with approving the kexts of old:
An error code that indicates the system policy prohibits activating the system extension. And the unified log output further backs this up:
2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Extension with teamID teamID("<redacted>"), identifier <redacted> is not in the list of allowed extensions.
2021-01-04 13:23:59.863 Df sysextd[231:b19c7] Activation decision for extension with teamID teamID("<redacted>"), identifier <redacted> is Deny
The customer says that they have never seen a prompt for this system extension and nothing is listed in security preferences for it. Is there anything that will help troubleshoot this or any file that might show if system extensions have been blanket-denied somehow on this system?
Hi there. I've been working for quite a while prototyping a Content Filter app. I started with the SimpleFirewall code as a base, slowly making changes to it, as my use case is fairly different from the sample code - an internet safety app for kids, not a firewall.
I've spent a long time figuring out some of the intricacies of filtering NEFilterFlow objects, and working out the (fairly difficult) IPC communication between the system extension and the containing app. I have the app in a state now where it is not ready for distribution in the app store, but is ready for validation on a select number of internal test machines.
And here I must confess my almost total ignorance of many of the complexities in this realm. I've never built a macOS app before, and I only have one iOS app in the app store, and that was a much simpler use case (built with React Native, no tricky system extension stuff, and I leveraged TestFlight for testing with that app). So, I fully believe I might be making some total noob mistake here. I can say I've pored over these forums for hours trying lots of things, and I'm really stumped, and would greatly appreciate some detailed help here. 🙏
The problem
Anyway, the problem I'm having is that when I try to get the app to run on another Mac, I can't successfully get the system extension to install. I'll describe the error (as best I can understand it) directly below, and then further down give more information as to how I'm preparing the test application, since the problem might lie there.
When I try to activate the system extension from the containing app on a test machine, the activation requests succeeds far enough to prompt me to grant permission to install the extension, and when granted, it pops up the purple "(Redacted) would like to filter internet content". When I click "allow", however, the system extension shows up orange in the Network pref pane, labeled "not running." Pouring over the console logs, these two seem to be the most likely to shed light:
(neagent) Failed to find a com.apple.networkextension.filter-data extension inside of app com.acmecorp.product
and:
(nesessionmanager) com.acmecorp.product[3656]: Tearing down XPC connection due to setup error: Error Domain=NEAgentErrorDomain Code=2 "(null)"
I've inspected the contents of the app, and the system extension is properly packaged with the app. I built the SimpleFirewall app and compared the packaged app directory, and the file structure seems basically identical -- the system extension executable definitely is there. I put in a bunch of os_logs during the filter activation lifecycle process, logging out the bundle main url of the system extension, and it all seems correct, and seems to be pointing to files on the filesystem that exist. Also, I do get this encouraging log during the failing activation process:
(sysext) Realizing target path: file:///Applications/MyApp.app/Contents/Library/SystemExtensions/com.acmecorp.product.systemextension/
Which has the correct file url, and seems to be indicating that the path to the extension was indeed found. But the extension just stays stuck orange, dead, no IPC communication succeeds, and I have to manually remove it from the Network prefs pane.
I've never had the problem building and running locally on the development machine from the derived data dir from Xcode.
How I'm testing
Since the problem might lie here, I'll describe how I'm getting the app over to the target test machine (which is a physical device, not a VM). Nothing super fancy -- I basically am just going to "Product" "Archive" from within Xcode and creating an .xcarchive file. I then "show package contents", zip up the app file, and send it to the target machine, where I install it in the /Applications dir.
I did spend a long time figuring out how to add the UUID of the target machine to the provisioning profile before I could even get the container app to load. But I got that figured out and (as described above) the container app loads perfectly, it's only the system extension activation request that fails.
So... Can anyone lend me a hand? Am I going about trying to test correctly? Should I be creating the test app package some other way? Or is my (admittedly crude) method OK, and is it likely the problem lies in how I'm archiving or how the build is setup? Can anyone shed any light on the error?
Am I wrong in thinking that if it builds and runs correctly from Xcode on the dev machine, and I drag the app bundle over to another machine, it should run there too, assuming the test machine is in the provisioning profile, which it is? (Both machines are running Catalina, btw).
Thanks in advance!
Hi there!
There was a presentation of the SCSI support in DriverKit on 2020 WWDC: https://developer.apple.com/videos/play/wwdc2020/10210/
Currently, the Xcode 12.4 (latest) has nothing regarding SCSI in DriverKit folders.
Documentation says it is still in beta: https://developer.apple.com/documentation/scsicontrollerdriverkit
So I've downloaded xcode 12.5 beta, where the driverkit 20.4 beta resides (according to https://developer.apple.com/support/xcode/)
And what do we have there? Just
Kernel.framework/Versions/A/Headers/DriverKit/IOReturn.h
65:#define sub_iokit_scsi err_sub(16)
And nothing more!
So, the question is: do we have any way to use SCSI devices now on Big Sur? Could I develop something for it with DriverKit, or should I use the kext approach for now and wait for SCSI DriverKit support to be released for real?
My application contains a Content Filter Network System extension.
My VPN creates a null/loopback encapsulated tunnel in order to route the traffic to the vpn.
I've noticed that I get FilterSocketFlows through the FilterDataProvider but I never see any tunnel traffic appearing in the FilterPacketProvider.
How can the Packet provider be configured to filter tunnel traffic ?
Note: I have tried only registering a PacketProvider and still don't see any traffic. Is there any documentation of the proper configuration?