I have requested an Endpoint Security entitlement through this form: https://developer.apple.com/contact/request/system-extension/ How can I see that my request is done? How can I check that I am able to use this entitlement? Should it be listed in my App ID Configuration Capabilities?
I am playing with Endpoint Security. I am trying to implement blocking/allowing the user to read/write files on a USB media drive. I made my EP utility a launchctl daemon. I found that some applications couldn't start until I muted those processes for the ES client.
Moreover, some system processes couldn't start until I muted messages from them. And even more, if my utility autoruns on system start, the clock in the top right corner of the screen may be absent. The Terminal app couldn't restore its state; it hangs on start.
Actually, I came to the conclusion that my EP daemon should listen to very few processes: those processes that can read/write files on USB media and do it by user request, or under user control.
When KAUTH was not yet deprecated, I did it right in the kernel extension: if the vnode path is NOT on a removable drive, return DEFER at the beginning of the callback.
My question is:
Which processes are purely system processes?
Which system processes can read/write files for the user or under user control?
Can, for example, /usr/libexec/nsurlsessiond download a file for the user to the USB media?
Post not yet marked as solved
Seeing this error when I am trying to install my network extension:
_macvnodechecksignature: /Applications/abc.app/Contents/MacOS/abc: code signature validation failed fatally: When validating /Applications/abc.app/Contents/MacOS/abc:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:__
I have set the right entitlements as far as I know. Is this error about entitlements or about the signature? That is not obvious from the message.
This is seen on Catalina 10.15.6.
The macOS Network Extension is Developer ID signed.
Still facing this error. Any idea what will fix it?
Post not yet marked as solved
Hi All,
I am trying to do a small POC using the network extension's content filter capability. It is just a simple application for listening to all inbound connections on a particular port. I am able to build the application using Xcode. Through the main application I am able to install the network extension as a system extension, and I am able to view the installed extension in systemextensionsctl list.
The problem is that I am not able to do anything after that; I don't think the extension is actually running. I am not able to see any logs in system.log. A few logs were present in the device log which indicate that the extension is running. The last logs were:
Request to activate com.sample.xyz.NetworkExtension succeeded (0).
Adding event subscription 930 for provider com.sample.xyz.NetworkExtension with extension point com.apple.networkextension.filter-data
I added some debug logs and none of them were printed.
I have all entitlements in my provisioning profile, and if there were any code signing issue I guess it would have been present in system.log (at least I assume).
Thanks in advance.
Post not yet marked as solved
I am working on an OpenVPN application for macOS. I use OpenVPNAdapter to do this. The version for the Mac App Store with an appex works well. But we need a Developer ID signed version. To do this I created an NE system extension (the appex was removed from the project), changed packet-tunnel-provider to packet-tunnel-provider-systemextension, reused the same PacketTunnelProvider code and the same OpenVPNAdapter (the framework was embedded into the extension), ran the system extension via OSSystemExtensionRequest (copied logic from Apple's SimpleFirewall example), made a build, and notarized it.
When I run the app, I see that the system extension is running (Activity Monitor), PacketTunnelProvider successfully connects to the VPN server (logs and “connected” status in macOS System Preferences), but traffic is blocked. I can’t open any websites. First I thought that the problem was with DNS, but I can't open any sites via IP either. So I think macOS blocks the socket traffic.
Maybe somebody has had such an issue and knows how to resolve it.
macOS: 11.4
Post not yet marked as solved
Hello,
I keep getting a failure when trying to install an app from Samsung DeX. The report says to "disconnect your phone to install" but NO phone is connected. I tried various command lines and numerous troubleshooting steps to reset and refresh some KEXTs, but the issue still exists.
Here is the install.log below.
What could be the workaround for this bug?
How do I reset and proceed with the installation?
Thank you
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Install PROJECT:Install-1000
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: @(#)PROGRAM:Installer PROJECT:Installer-1020
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Hardware: iMac18,2 @ 3.00 GHz (x 4), 32768 MB RAM
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Running OS Build: macOS 11.4 (20F71)
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: USER=KP
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CFBundleIdentifier=com.apple.installer
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: COMMAND_MODE=unix2003
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: LOGNAME=KP
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: PATH=/usr/bin:/bin:/usr/sbin:/sbin
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SSH_AUTH_SOCK=/private/tmp/com.apple.launchd.LsIZhGSQv0/Listeners
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: SHELL=/bin/zsh
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: HOME=/Users/KP
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: __CF_USER_TEXT_ENCODING=0x1F5:0x0:0x0
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: TMPDIR=/var/folders/d_/hqzchb455m9ct55v66n3n2_w0000gn/T/
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_SERVICE_NAME=application.com.apple.installer.1152921500312163432.1152921500312163437
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Env: XPC_FLAGS=0x0
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Samsung DeX Installation Log
2021-07-08 19:33:08-04 KPs-iMac Installer[9137]: Opened from: /Volumes/Samsung DeX/Install Samsung DeX.pkg
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_scaling> has an unsupported MIME type: X-NSObject/NSNumber
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: <background_alignment> has an unsupported MIME type: X-NSObject/NSNumber
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Package Authoring Error: has an unsupported MIME type: X-NSObject/NSNumber
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Failed to load specified background image
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Product archive /Volumes/Samsung DeX/Install Samsung DeX.pkg trustLevel=350
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: External component packages (2) trustLevel=350
2021-07-08 19:33:09-04 KPs-iMac Installer[9137]: Could not load resource readme: (null)
2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation checks failed.
2021-07-08 19:33:16-04 KPs-iMac Installer[9137]: Installation check failure. . Disconnect your phone to install..
In another question on this forum (https://developer.apple.com/forums/thread/124775) eskimo stated that launching a system extension from a daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an app.
My question is, does this same restriction apply to an app started by a LaunchAgent?
If so, to ensure activation as soon as possible, is the only option to use an SMLoginItemSetEnabled helper to start the app on login?
Post marked as Apple Recommended
I built an app which hosts a CMIOExtension. The app works, and it can activate the extension. The extension loads in e.g. Photo Booth and shows the expected video (a white horizontal line which moves down the picture).
I have a couple of questions about this though.
The sample Camera Extension is built with a CMIOExtension dictionary with just one entry, CMIOExtensionMachServiceName which is $(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)
This Mach service name won't work though. When attempting to activate the extension, sysextd says that the extension has an invalid Mach service name or is not signed; the value must be prefixed with one of the App Groups in the entitlement.
So in order to get the sample extension to activate from my app, I have to change its CMIOExtensionMachServiceName to
<my team ID>.com.mycompany.my-app-group.<myextensionname>
Is this to be expected?
The template CMIOExtension generates its own video using a timer. My app is intended to capture video from a source, filter that video, then feed it to the CMIOExtension, somehow. The template creates an app group called "$(TeamIdentifierPrefix)com.example.app-group", which suggests that it might be possible to use XPC to send frames from the app to the extension.
However, I've been unable to do so. I've used
NSXPCConnection * connection = [[NSXPCConnection alloc] initWithMachServiceName:, using the CMIOExtensionMachServiceName with no options and with the NSXPCConnectionPrivileged option. I've tried NSXPCConnection * connection = [[NSXPCConnection alloc] initWithServiceName: using the extension's bundle identifier. In all cases when I send the first message I get an error in the remote object proxy's handler:
Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named <whatever name I try> was invalidated: failed at lookup with error 3 - No such process."
According to the "Daemons and Services Programming Guide" an XPC service should have a CFBundlePackageType of XPC!, but a CMIOExtension is of type SYSX. It can't be both.
Does the CMIOExtension loading apparatus cook up a synthetic name for the XPC service, and if so, what is it? If none, how is one expected to get pixel buffers into the camera extension?
Post not yet marked as solved
Hi!
I'm trying to move from a CoreMedia I/O DAL Plug-In to CoreMedia I/O camera extensions, announced in macOS 12.3.
I created a test extension, placed it inside my app bundle in Contents/Library/SystemExtensions and signed it with a codesigning certificate. But when I try to install my extension from inside my app, using this code (Swift):
func requestActivation() {
    guard case .idle = status
    else { fatalError("Invalid state") }
    print("Requesting activation of extension \"\(extensionIdentifier)\"")
    let req = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: extensionIdentifier, queue: DispatchQueue.main)
    req.delegate = self
    OSSystemExtensionManager.shared.submitRequest(req)
    status = .requested
}
I'm getting an error:
OSSystemExtensionErrorDomain error 8: Code Signature Invalid
which is rather generic. Can anybody tell me what I am doing wrong? Or at least propose some steps to find it out?
I'm posting here the entitlements and codesign output for my extension and the containing application for further information.
kdg@admins-Mac-mini SystemExtensions % codesign -d --entitlements - ./com.visicom.VirtualCamera.avextension.systemextension
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
[Dict]
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
kdg@admins-Mac-mini /Applications % codesign -d --entitlements - ./VirtualCamera.app
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
[Dict]
[Key] com.apple.developer.system-extension.install
[Value]
[Bool] true
[Key] com.apple.security.app-sandbox
[Value]
[Bool] true
[Key] com.apple.security.application-groups
[Value]
[Array]
[String] 6SUWV7QQBJ.com.visicom.VirtualCamera
[Key] com.apple.security.files.user-selected.read-only
[Value]
[Bool] true
kdg@admins-Mac-mini SystemExtensions % codesign -dvvv ./com.visicom.VirtualCamera.avextension.systemextension
Executable=/Applications/VirtualCamera.app/Contents/Library/SystemExtensions/com.visicom.VirtualCamera.avextension.systemextension/Contents/MacOS/com.visicom.VirtualCamera.avextension
Identifier=com.visicom.VirtualCamera.avextension
Format=bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1553 flags=0x10700(hard,kill,expires,runtime) hashes=37+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=25bd80657bfd6e0ab95467146c7b532817e9e520
CandidateCDHashFull sha256=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
Hash choices=sha256
CMSDigest=25bd80657bfd6e0ab95467146c7b532817e9e5209fd50b0cb7ceef40dcfb40e8
CMSDigestType=2
CDHash=25bd80657bfd6e0ab95467146c7b532817e9e520
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:49:32
Info.plist entries=23
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=0
Internal requirements count=1 size=200
kdg@admins-Mac-mini /Applications % codesign -dvvv ./VirtualCamera.app
Executable=/Applications/VirtualCamera.app/Contents/MacOS/VirtualCamera
Identifier=com.visicom.VirtualCamera
Format=app bundle with Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=1989 flags=0x10700(hard,kill,expires,runtime) hashes=51+7 location=embedded
Hash type=sha256 size=32
CandidateCDHash sha256=31e15fbbd436a67a20c5b58c597d8a4796a67720
CandidateCDHashFull sha256=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
Hash choices=sha256
CMSDigest=31e15fbbd436a67a20c5b58c597d8a4796a6772020308fb69f4ee80b4e32788b
CMSDigestType=2
CDHash=31e15fbbd436a67a20c5b58c597d8a4796a67720
Signature size=9006
Authority=Developer ID Application: Visicom Media Inc. (6SUWV7QQBJ)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=7 Jul 2022, 21:58:09
Info.plist entries=20
TeamIdentifier=6SUWV7QQBJ
Runtime Version=12.3.0
Sealed Resources version=2 rules=13 files=4
Internal requirements count=1 size=188
Thanks in advance!
Post not yet marked as solved
What happens when I try to run my app with the DNS proxy provider in network extension while another app with the same extension is already running? Will it throw an error?
Post not yet marked as solved
My application installs a system extension.
When I try to remove the app from the Applications folder (cmd + backspace) I get an error message:
"The operation can’t be completed right now because another operation is in progress, such as moving or copying an item or emptying the Bin."
According to systemextensionsctl the extension state is "terminating for uninstall but still running".
I can see an error in the console logs:
kernelmanagerd Failed to terminate dext com.my.driver-dk, error: Kernel request failed: (os/kern) invalid address (1)
sysextd a category delegate declined to terminate extension with identifier: com.my.driver-dk
sysextd failed to terminate extension with identifier: com.my.driver-dk: Optional(Error Domain=kernelmanagerd.KMError Code=38 "(null)")
The issue occurs with macOS 13; it works fine with macOS 12 and macOS 11.
What is the problem here?
Have there been any changes in macOS in that regard?
I need to store auth keys somewhere; previously the app's network extension would store them in a shared keychain. Now we're trying to move to system extensions, for out-of-App-Store distribution, and the shared keychain will no longer work.
Is it possible to write to the system keychain from a system extension? If yes, how do I specify that I want to use the system keychain?
Our current code returns errSecNotAvailable if run in a System Extension instead of an App Extension. The code looks like this. If the commented lines are uncommented, it will work from the App Extension.
NSString *teamID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"Development Team"];
NSString *groupID = [[[NSBundle mainBundle] infoDictionary] objectForKey:@"App Group ID"];
NSMutableDictionary *query = [NSMutableDictionary dictionaryWithDictionary:@{
    (id)kSecClass: (id)kSecClassGenericPassword,
    // (id)kSecAttrAccessGroup: [NSString stringWithFormat:@"%@.%@", teamID, groupID],
    (id)kSecAttrService: groupID,
    // (id)kSecAttrAccessible: (id)kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly
}];
[query setObject:(id)kCFBooleanTrue forKey:(id)kSecUseDataProtectionKeychain];
[query setObject:@(key) forKey:(id)kSecAttrAccount];
[query setObject:[NSData dataWithBytes:buffer length:length] forKey:(id)kSecValueData];
// The NSDictionary is bridged to the CFDictionaryRef that SecItemAdd expects;
// this is the call that returns errSecNotAvailable inside the system extension.
OSStatus status = SecItemAdd((__bridge CFDictionaryRef)query, NULL);
Post not yet marked as solved
Hello!
After submitting two OSSystemExtensionRequests (let's say Endpoint and Network extensions), when the user allows only one (endpoint) extension, we receive the request:didFinishWithResult: callback for both manager delegates. This leads us to falsely believe that both our extensions are allowed.
We tried to prevent this by using propertiesRequestForExtension, where our (network) delegate asks for properties, checks if the given extension is enabled and then finishes if it's OK. If it's not enabled, however, we receive no second callback when the user allows the other extension.
We thought that we would need to submit another OSSystemExtensionRequest for the extension that wasn't allowed, to receive a callback when it finally is. However, the second and all other consecutive requests immediately finish and we receive request:didFinishWithResult: even when the user does not allow the second extension.
Example:
1. Endpoint and Network managers submit OSSystemExtensionRequest
2. User only allows Endpoint extension
3. Endpoint manager checks the properties, finds out it's enabled and finishes
4. Network manager checks the properties, finds out it's disabled
5. Network manager sends another OSSystemExtensionRequest
6. Network manager immediately receives request:didFinishWithResult:
7. Network manager checks the properties, finds out it's disabled
8. ...
This loop ends when the user finally allows the network extension, when the manager finds out that it's enabled. Is there something we are missing? Shouldn't another OSSystemExtensionRequest finish with requestNeedsUserApproval? How should we go about this issue?
Many thanks, Denis
Post not yet marked as solved
Hi,
I am experiencing the following crashes intermittently in a macOS network extension, sometimes within an hour or two or three. I don't see any references to my project code anywhere, hence I am unable to understand these crashes. Could anyone please point me in the right direction from here:
Crash Dumps
Samples:
Process: com.skyhighsecurity.epclient.networkextension [39224]
Path: /Library/SystemExtensions/*/com.skyhighsecurity.epclient.networkextension
Identifier: com.skyhighsecurity.epclient.networkextension
Version: 1.0 (1)
Code Type: ARM-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2023-03-20 13:46:51.6991 +0530
OS Version: macOS 12.6.3 (21G419)
Report Version: 12
Anonymous UUID: 72617D4C-9E91-7141-D71D-9CB5BDADAA25
Sleep/Wake UUID: B462FD28-68B4-4B46-84EB-D16E29760748
Time Awake Since Boot: 32000 seconds
Time Since Wake: 5 seconds
System Integrity Protection: disabled
Crashed Thread: 3 Dispatch queue: NEFilterExtensionProviderContext queue
Exception Type: EXC_BREAKPOINT (SIGTRAP)
Exception Codes: 0x0000000000000001, 0x0000000182e26104
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace SIGNAL, Code 5 Trace/BPT trap: 5
Terminating Process: exc handler [39224]
Application Specific Information:
BUG IN CLIENT OF LIBPLATFORM: os_unfair_lock is corrupt
Abort Cause 1949042982
Thread 0:
0 libsystem_kernel.dylib 0x182dd5d70 __sigsuspend_nocancel + 8
1 libdispatch.dylib 0x182c5b5e0 _dispatch_sigsuspend + 48
2 libdispatch.dylib 0x182c5b5b0 _dispatch_sig_thread + 60
Thread 1:
0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0
Thread 2:
0 libsystem_pthread.dylib 0x182e07078 start_wqthread + 0
Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
0 libsystem_platform.dylib 0x182e26104 _os_unfair_lock_corruption_abort + 88
1 libsystem_platform.dylib 0x182e21184 _os_unfair_lock_lock_slow + 328
2 libsystem_pthread.dylib 0x182e07640 pthread_mutex_destroy + 64
3 Foundation 0x183d7ac18 -[_NSXPCConnectionClassCache dealloc] + 48
4 libobjc.A.dylib 0x182cb7c58 objc_object::sidetable_release(bool, bool) + 260
5 NetworkExtension 0x19148b798 -[NEFilterSocketFlow .cxx_destruct] + 40
6 libobjc.A.dylib 0x182c9d8e4 object_cxxDestructFromClass(objc_object*, objc_class*) + 116
7 libobjc.A.dylib 0x182c94b0c objc_destructInstance + 80
8 libobjc.A.dylib 0x182c94ab8 _objc_rootDealloc + 80
9 NetworkExtension 0x19148246c -[NEFilterDataExtensionProviderContext handleSocketSourceEventWithSocket:] + 132
10 libdispatch.dylib 0x182c481b4 _dispatch_client_callout + 20
11 libdispatch.dylib 0x182c4b670 _dispatch_continuation_pop + 500
12 libdispatch.dylib 0x182c5e8e0 _dispatch_source_invoke + 1596
13 libdispatch.dylib 0x182c4f784 _dispatch_lane_serial_drain + 376
14 libdispatch.dylib 0x182c50404 _dispatch_lane_invoke + 392
15 libdispatch.dylib 0x182c5ac98 _dispatch_workloop_worker_thread + 648
16 libsystem_pthread.dylib 0x182e08360 _pthread_wqthread + 288
17 libsystem_pthread.dylib 0x182e07080 start_wqthread + 8
Post not yet marked as solved
My customer installed two different apps on his Mac. These two apps use ContentFilter extensions. One of the apps is mine and the other is from a different vendor.
If my customer enables both ContentFilter extensions, then it fails to connect immediately to its required destination to allow it to run. If one of the ContentFilter extensions is disabled, then there is no issue.
Is it not possible to run two different ContentFilter extensions on the same Mac? Is there any way to fix these types of issues?
Thank You
Nagendra R
Post not yet marked as solved
Perhaps this could be a repetitive or basic question, but I have implemented the following code for NEDNSProxyProvider. My basic requirement is that I want to process the flow, but instead of using the data from the datagrams I want to use data received from our custom DNS server. After tons of articles and documentation I'm able to write the following code. But it's failing continuously in writeDatagrams with "Invalid arguments data" and "The operation could not be completed because Flow not connected". I know something is wrong in processing the data, but what is wrong I'm not able to figure out. Also I want to know whether it is even possible to achieve this by using an API call inside the datagrams for loop and then sending the data to writeDatagrams.
After getting the JSON response I'm using a third-party library to convert the query from JSON data to binary before sending it to writeDatagrams.
https://github.com/Bouke/DNS
override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
    NSLog("DNSProxyProvider: handleFlow")
    var handled: Bool = false
    if #available(iOSApplicationExtension 14.2, *) {
        hostName = flow.remoteHostname!
    }
    if let udpFlow = flow as? NEAppProxyUDPFlow {
        udpFlow.open(withLocalEndpoint: udpFlow.localEndpoint as? NWHostEndpoint) { error in
            if error == nil {
                self.flowOut(flow as! NEAppProxyUDPFlow)
            } else {
                NSLog("Error in opening Flow")
            }
        }
        handled = true
    } else {
        handled = false
        NSLog("Unsupported Flow")
    }
    return handled
}

/*
 Read from flow, then write to remote endpoint.
 */
private func flowOut(_ flow: NEAppProxyUDPFlow) {
    flow.readDatagrams(completionHandler: { (datagrams, endpoints, error) in
        self.proxyUDPFlow = flow
        if error != nil {
            NSLog("ERROR: 'readDatagramsWithCompletionHandler' failed with: \(String(describing: error?.localizedDescription))")
            return
        }
        if datagrams?.count == 0 {
            flow.closeReadWithError(error)
            flow.closeWriteWithError(error)
            return
        }
        guard let dataArray = datagrams else { return }
        if #available(iOSApplicationExtension 14.2, *) {
            for (index, data) in dataArray.enumerated() {
                var hostEndPoint: NWHostEndpoint = endpoints?[index] as! NWHostEndpoint
                hostEndPoint = NWHostEndpoint(hostname: hostEndPoint.hostname, port: hostEndPoint.port)
                guard let hostname = flow.remoteHostname else { return }
                let dNSRequest = self.configureDNSRequest(hostname)
                let urlsession = URLSession.shared.dataTask(with: dNSRequest) { data, response, error in
                    if let data = data {
                        do {
                            let reply = try JSONDecoder().decode(JSONReply.self, from: data)
                            let requestQuery = Message(
                                type: .response,
                                questions: [
                                    Question(name: reply.questions[0].name, type: .pointer)
                                ])
                            let requestData = try requestQuery.serialize()
                            self.flowIn(responsdata: requestData, flow, endpoint: hostEndPoint)
                        } catch let error {
                            print("error \(error)")
                        }
                    }
                }
                urlsession.resume()
            }
        }
    })
}

private func flowIn(responsdata: Data, _ flow: NEAppProxyUDPFlow, endpoint: NWHostEndpoint) {
    let resultData = Data(responsdata)
    flow.writeDatagrams([resultData], sentBy: [endpoint], completionHandler: { error in
        // Flow not connected
        if let error = error {
            // os_log takes a static format string, not an interpolated string
            os_log("Error in resolving query: %{public}@", error.localizedDescription)
            self.logger.log("error => \(error)")
        } else {
            self.proxyUDPFlow?.closeReadWithError(nil)
            self.proxyUDPFlow?.closeWriteWithError(nil)
        }
    })
}

private func configureDNSRequest(_ hostName: String) -> URLRequest {
    var urlComponents = URLComponents()
    urlComponents.scheme = "https"
    urlComponents.host = "customserver.com"
    urlComponents.path = "/resolverquery"
    urlComponents.queryItems = [
        URLQueryItem(name: "name", value: hostName),
        URLQueryItem(name: "type", value: "A")
    ]
    guard let url = urlComponents.url else { fatalError("invalid URL components") }
    var request = URLRequest(url: url)
    request.httpMethod = "GET"
    request.setValue("xyzabcd", forHTTPHeaderField: "Client-ID")
    request.setValue("*/*", forHTTPHeaderField: "Accept")
    request.setValue("keep-alive", forHTTPHeaderField: "Connection")
    request.setValue("application/json", forHTTPHeaderField: "Content-Type")
    return request
}
}

extension Data {
    func object<T>(at index: Index = 0) -> T {
        subdata(in: index..<self.index(index, offsetBy: MemoryLayout<T>.size))
            .withUnsafeBytes { $0.load(as: T.self) }
    }
}
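Whatever the proxy hands to writeDatagrams must be a complete RFC 1035 response message: the client's transaction ID, the QR bit set, the question echoed, and answer records carrying the addresses that were resolved out of band. The following Python example is added here and is not part of the post or of the Bouke/DNS library; it builds and decodes such a response from a query datagram and an address list, standing in for the JSON reply from the custom resolver. The host name, transaction ID and the 192.0.2.x addresses are constructed sample values.

```python
"""Minimal DNS wire-format helpers (RFC 1035 section 4): parse a UDP query,
synthesise a response from externally resolved IPv4 addresses, decode it."""
import socket
import struct

QTYPE_A = 1
QCLASS_IN = 1
HEADER = struct.Struct("!HHHHHH")  # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT


def encode_name(name: str) -> bytes:
    """example.com -> b'\\x07example\\x03com\\x00' (length-prefixed labels)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError(f"bad label {label!r}")
        out.append(len(label))
        out += label.encode("ascii")
    out.append(0)
    return bytes(out)


def decode_name(datagram: bytes, offset: int):
    """Return (name, offset_after_name); follows a compression pointer."""
    labels = []
    while True:
        length = datagram[offset]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: pointer to an earlier name
            ptr = struct.unpack("!H", datagram[offset:offset + 2])[0] & 0x3FFF
            name, _ = decode_name(datagram, ptr)
            labels.append(name)
            return ".".join(labels), offset + 2
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        labels.append(datagram[offset:offset + length].decode("ascii"))
        offset += length


def build_query(name: str, qid: int, qtype: int = QTYPE_A) -> bytes:
    """Constructed client query, i.e. what readDatagrams would deliver."""
    header = HEADER.pack(qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def build_response(query: bytes, addresses, ttl: int = 60, rcode: int = 0) -> bytes:
    """Response for `query`: same ID, QR=1, RD copied, RA=1, question echoed,
    one A record per address. rcode != 0 (e.g. 3 = NXDOMAIN) or an empty
    address list produces a response with no answer section."""
    if len(query) < HEADER.size:
        raise ValueError("datagram shorter than a DNS header")
    qid, qflags, qdcount, *_ = HEADER.unpack_from(query)
    if qflags & 0x8000 or qdcount != 1:
        raise ValueError("expected a query with exactly one question")
    _qname, off = decode_name(query, HEADER.size)
    qtype, _qclass = struct.unpack("!HH", query[off:off + 4])
    question = query[HEADER.size:off + 4]
    answers = b""
    if rcode == 0 and addresses:
        if qtype != QTYPE_A:
            raise ValueError(f"can only synthesise A records, got qtype {qtype}")
        for addr in addresses:
            # 0xC00C points at the QNAME (offset 12) instead of repeating it
            answers += struct.pack("!HHHIH", 0xC00C, QTYPE_A, QCLASS_IN, ttl, 4)
            answers += socket.inet_aton(addr)
    flags = 0x8000 | (qflags & 0x0100) | 0x0080 | (rcode & 0xF)
    ancount = len(addresses) if answers else 0
    return HEADER.pack(qid, flags, 1, ancount, 0, 0) + question + answers


def parse_response(datagram: bytes) -> dict:
    """Decode a response so its fields can be checked or logged."""
    qid, flags, _qdcount, ancount, _, _ = HEADER.unpack_from(datagram)
    qname, off = decode_name(datagram, HEADER.size)
    off += 4  # skip QTYPE and QCLASS of the echoed question
    answers = []
    for _ in range(ancount):
        name, off = decode_name(datagram, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", datagram[off:off + 10])
        off += 10
        rdata = datagram[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid, "is_response": bool(flags & 0x8000),
            "rcode": flags & 0xF, "question": qname, "answers": answers}
```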
I am trying to pause an NEFilterFlow and then resume the NEFilterFlow from the function **handleInboundData**
let goingToApply = someFunctionWithClosure { applied in
    if applied {
        let verdict: NEFilterNewFlowVerdict = .allow()
        self.resumeFlow(flow, with: verdict)
    }
}
if goingToApply == true {
    return .pause()
}
The line self.resumeFlow(flow, with: verdict) crashes with the following exception:
terminating with uncaught exception of type NSException
*** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NEFilterNewFlowVerdict passBytes]: unrecognized selector sent to instance 0x10b8662a0'
The crash dump shows the following:
Thread 3 Crashed:: Dispatch queue: NEFilterExtensionProviderContext queue
0 libsystem_kernel.dylib 0x1b7aa6d78 __pthread_kill + 8
1 libsystem_pthread.dylib 0x1b7adbee0 pthread_kill + 288
2 libsystem_c.dylib 0x1b7a16340 abort + 168
3 libc++abi.dylib 0x1b7a96b18 abort_message + 132
4 libc++abi.dylib 0x1b7a86a54 demangling_terminate_handler() + 336
5 libobjc.A.dylib 0x1b797c320 _objc_terminate() + 144
6 libc++abi.dylib 0x1b7a95eb4 std::__terminate(void (*)()) + 20
7 libc++abi.dylib 0x1b7a95e50 std::terminate() + 64
8 libdispatch.dylib 0x1b79181c8 _dispatch_client_callout + 40
9 libdispatch.dylib 0x1b791f8a8 _dispatch_lane_serial_drain + 668
10 libdispatch.dylib 0x1b7920404 _dispatch_lane_invoke + 392
11 libdispatch.dylib 0x1b792ac98 _dispatch_workloop_worker_thread + 648
12 libsystem_pthread.dylib 0x1b7ad8360 _pthread_wqthread + 288
13 libsystem_pthread.dylib 0x1b7ad7080 start_wqthread + 8
Why is this exception occurring for the .allow() verdict only? For .drop() it is not crashing.
Nowhere am I calling the passBytes method on NEFilterNewFlowVerdict.
Post not yet marked as solved
Hi,
When trying to activate a PacketTunnelProvider Network Extension in Xcode on macOS 13.3.1 (a) I get the following system logs:
default 22:43:43.440691-0700 PacketTunnel Metal API Validation Enabled
error 22:43:43.571295-0700 kernel Sandbox: PacketTunnel(46998) deny(1) mach-lookup com.apple.sysextd
default 22:43:43.581295-0700 PacketTunnel ExtensionManager didFailWithError The operation couldn’t be completed. (OSSystemExtensionErrorDomain error 1.)
Here is the Delegate I'm using:
import Foundation
import SystemExtensions
import os.log

class ExtensionManager : NSObject, OSSystemExtensionRequestDelegate {
    let identifier = "xx.xxxxxxx.PacketTunnel.PacketTunnelProvider"
    static let shared = ExtensionManager()
    static let log = OSLog(subsystem: "xx.xxxxxxx.PacketTunnel", category: "ExtensionManager")
    private let log: OSLog

    public override init() {
        self.log = Self.log
        os_log(.debug, log: self.log, "init")
        super.init()
    }

    func activate() {
        let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)
        activationRequest.delegate = self
        OSSystemExtensionManager.shared.submitRequest(activationRequest)
    }

    func deactivate() {
        let activationRequest = OSSystemExtensionRequest.deactivationRequest(forExtensionWithIdentifier: identifier, queue: .main)
        activationRequest.delegate = self
        OSSystemExtensionManager.shared.submitRequest(activationRequest)
    }

    func request(_ request: OSSystemExtensionRequest, actionForReplacingExtension existing: OSSystemExtensionProperties, withExtension replacement: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        os_log("ExtensionManager actionForReplacingExtension %@ %@", existing, replacement)
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        os_log("ExtensionManager requestNeedsUserApproval")
    }

    func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) {
        // result.rawValue is an Int, so it needs an integer format specifier
        os_log("ExtensionManager didFinishWithResult %ld", result.rawValue)
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        os_log("ExtensionManager didFailWithError %@", error.localizedDescription)
    }
}
And I'm running it via a basic View:
import SwiftUI

let minWidth: CGFloat = 180
let minHeight: CGFloat = 400

struct ContentView: View {
    var body: some View {
        VStack {
            Button(action: ExtensionManager.shared.activate) {
                Text("Activate")
            }
            Button(action: ExtensionManager.shared.deactivate) {
                Text("Deactivate")
            }
            Button(action: TunnelConfigurationService.shared.configure) {
                Text("Configure")
            }
            Button(action: TunnelConfigurationService.shared.start) {
                Text("Start")
            }
        }
        .padding()
        .frame(minWidth: minWidth, maxWidth: .infinity, minHeight: minHeight, maxHeight: .infinity)
    }
}

struct ContentView_Previews: PreviewProvider {
    static var previews: some View {
        ContentView()
    }
}
Any Ideas how to debug this further? I'm not sure how to proceed.
Cheers
Before:
We had an app with an app extension. Both had user privileges. Both wrote file logs to FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: groupID) - /Users/myuser/Library/Group Containers/mygroupid/
Now:
We have to change the app extension to a system extension. Our previous logging approach broke, because the system extension has root context. The result of FileManager.default.containerURL(forSecurityApplicationGroupIdentifier: groupID) for the system extension is /private/var/root/Library/Group Containers/mygroupid/
They do not have privileges to write to each other's folders. We can open the logs folder for the user, but now the app does not have the privilege to open a Finder window for root's logs folder. Ideally we would write files in a single folder.
Question:
Please suggest where to write logs from the user and root processes. Maybe there is a different approach to storing a few days' worth of logs and being able to upload them to our backend, or display them to the user, upon request.
What is the difference between AppProxyProvider and TransparentProxyProvider?
I can see in the documentation that NETransparentProxyProvider is derived from NEAppProxyProvider, but what was the need to add a new proxy provider (NETransparentProxyProvider) when we already had NEAppProxyProvider?