Post not yet marked as solved
Platform: MacOS 12.0
I have an app bundle which contains a packet tunnel extension. I am not running my packet tunnel extension in a sandbox, as I don't plan to publish my app in Apple's App Store.
I have a requirement to run privileged operations, which I can run from any place in the app. As we know, a user app cannot run these privileged operations, so we can use the 'Service Management' API SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier, I can run these privileged tasks from any place in the bundle, and we have a packet tunnel extension which is running with root privileges.
So, looking at my environment above, what would be recommended? Do I really need to start a privileged helper tool, or can I directly run these privileged operations from the packet tunnel extension?
One advantage I see of running these privileged tasks in the packet tunnel extension is that it will not require the additional user authentication which is needed in the case of SMJobBless(); this will also avoid upgrade management of the helper tool.
Post not yet marked as solved
Hi Team,
We are using NETransparentProxyProvider and have observed that AirDrop is not functioning.
I attempted to utilize protocolConfiguration in NETransparentProxyManager as mentioned below.
manager.protocolConfiguration?.excludeLocalNetworks = true;
but it did not work.
Could you please provide guidance on how to exclude local network traffic in NETransparentProxyProvider?
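The following is an added example, not code from the post above. It shows how a NETransparentProxyProvider expresses which destinations it wants and which it leaves alone: the proxy claims all TCP/UDP destinations with includedNetworkRules and then carves the local, link-local, loopback and multicast ranges out again with excludedNetworkRules, so flows to those ranges never reach handleNewFlow(_:). The class name is an assumption; the NetworkExtension calls are the real ones.

```swift
import NetworkExtension

// Added example (not from the original post): a transparent proxy provider that
// claims all TCP/UDP traffic and then excludes local ranges from that claim.
final class ExampleTransparentProxyProvider: NETransparentProxyProvider {

    // Destination prefixes treated as "local" and left to the system:
    // RFC 1918, link-local (AirDrop's AWDL interface uses IPv6 link-local),
    // loopback, unique-local and multicast.
    private static let localIPv4: [(String, Int)] = [
        ("10.0.0.0", 8), ("172.16.0.0", 12), ("192.168.0.0", 16),
        ("169.254.0.0", 16), ("127.0.0.0", 8), ("224.0.0.0", 4),
    ]
    private static let localIPv6: [(String, Int)] = [
        ("fe80::", 10), ("fc00::", 7), ("::1", 128), ("ff00::", 8),
    ]

    private static func rule(_ network: String, _ prefix: Int,
                             _ proto: NENetworkRule.Protocol = .any) -> NENetworkRule {
        NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: network, port: "0"),
                      prefix: prefix,
                      protocol: proto)
    }

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        // tunnelRemoteAddress is informational for a transparent proxy.
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")

        // Claim every TCP and UDP destination, v4 and v6 ...
        settings.includedNetworkRules = [
            Self.rule("0.0.0.0", 0, .TCP), Self.rule("0.0.0.0", 0, .UDP),
            Self.rule("::", 0, .TCP),      Self.rule("::", 0, .UDP),
        ]
        // ... except the local ranges, which the system then routes normally
        // and never hands to handleNewFlow(_:).
        settings.excludedNetworkRules =
            Self.localIPv4.map { Self.rule($0.0, $0.1) } +
            Self.localIPv6.map { Self.rule($0.0, $0.1) }

        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        // Returning false declines the flow and the system carries it itself.
        // Real proxying logic goes here.
        return false
    }
}
```

The included/excluded rules are the only knob a transparent proxy has over which flows it sees; whether excluding fe80::/10 and the private ranges is enough for a given peer-to-peer feature has to be checked on the machine, since the flow is matched on the destination address the app actually connects to.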
Post not yet marked as solved
I have a simple CLI app bundle that activates my system extension. When I sign it for development it works fine. However, once I sign it with my Developer ID certificate for distribution, the network extension will not activate, getting stuck in the activation request and completely killing any internet connectivity until I restart.
The only thing I see that is different is that when I call systemextensionsctl list I get something like:
1 extension(s)
--- com.apple.system_extension.network_extension
enabled active teamID bundleID (version) name [state]
<TEAM_ID> com.company.networkExt (1.0/240116145656) - [validating by category]
* * <TEAM_ID> com.company.networkExt (1.0/240115061310) ProxyExtension [activated enabled]
Where the one marked [validating by category] is the one that I'm trying to activate, signed with the Developer ID cert. The one that is [activated enabled] got there from a dev build.
The app was built and notarized and shows as valid by every codesign -dv --verify --strict and spctl command that I've found. The system extension is also valid according to codesign.
The entitlements are adjusted to use the -systemextension suffix to work with Developer ID certificates.
Is there another step required to make it work with a Developer ID certificate?
Post not yet marked as solved
If I do these tasks in random order, my CMIO CameraExtension goes into an unstable condition.
Copy MyApp.app under /Applications or /Applications/MyAppGroup/
Install by having MyApp send OSSystemExtensionRequest.activationRequest
Check the install condition with the command "systemextensionsctl list"
Uninstall by having MyApp send OSSystemExtensionRequest.deactivationRequest
Remove /Applications/MyAppGroup/ via the command line and Finder
Remove /Applications/MyApp.app via the command line and Finder
Kill MyApp.app during the activationRequest.
Once my CMIO CameraExtension goes into the unstable condition, it is impossible to remove it the normal way.
"systemextensionsctl list" shows my extension as activated.
Removal via the API fails with code=4.
Removing the files of MyApp.app does not remove the CameraExtension.
The only way to remove the CameraExtension is to boot macOS into recovery mode, disable SIP, and run "systemextensionsctl uninstall".
The Audio HAL extension is file based and atomic. I can check for file existence with the "ls" command and remove it with "rm -rf". I have never met an unstable condition with it.
Post not yet marked as solved
When my macOS app tries to deactivate the CameraExtension, my app's didFailWithError is called with this error.
Error Domain=OSSystemExtensionErrorDomain Code=4 "(null)"
I cannot find anything by searching for error code=4 with that domain.
MyApp calls OSSystemExtensionManager.shared.submitRequest with OSSystemExtensionRequest.deactivationRequest.
I have implemented these tasks:
BundleID, MyApp: com.myapp
BundleID, CameraExtension: com.myapp.camera
Added entitlements and App Groups for the app and extension
MyApp has the System Extension capability in Xcode and the provisioning profile
MyApp is installed at /Applications/MyAppGroup/MyApp.app
MyApp is launched from Finder
macOS is Sonoma 14.2.1 (23C71) on an M1 MacBook
Post not yet marked as solved
Hi!
There are two fields in an ES message, global_seq_num and seq_num, which are described as a continuous number sequence unless the kernel is "dropping events" because the "kernel generated more events than the client could handle."
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3684979-global_seq_num
https://developer.apple.com/documentation/endpointsecurity/es_message_t/3538607-seq_num
However, as we all know, the system will kill the ES client if a message is not answered within the deadline.
I have a lot of questions about this:
What is a "drop" actually? Is the event not provided to the ES client by the kernel?
What does "client could handle" mean exactly? (I mean, the ES client will already have been killed if it can't respond to an event within the deadline.)
Are dropped events responded to by the system immediately, or do they wait for something?
Can only auth events be dropped, or notify events too?
What is the system's resolution for dropped auth events? (Allow, I guess.)
What am I expected to do as a developer with these two fields: should I just log them and hope to find something out later, or can I react somehow at runtime if I see a break in the *seq_num sequence?
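An added example, not from the post above, of the one thing a client can do with these two fields at runtime: keep the last value seen and flag a gap. seq_num is continuous per event type and global_seq_num across all events on the client, so both are tracked. The tracker class, its name and the two subscribed events are assumptions; the EndpointSecurity calls and message fields are the real ones (the client needs the com.apple.developer.endpoint-security.client entitlement to get past es_new_client).

```swift
import EndpointSecurity
import Foundation

// Added example (not from the original post): detects gaps in global_seq_num and
// in the per-event-type seq_num, which is how a client notices dropped events.
final class ESSequenceTracker {
    private var lastGlobal: UInt64?
    private var lastPerType: [UInt32: UInt64] = [:]   // keyed by es_event_type_t.rawValue
    private let lock = NSLock()

    /// Returns a description of any gap, or nil when both sequences are continuous.
    func observe(eventType: UInt32, seqNum: UInt64, globalSeqNum: UInt64) -> String? {
        lock.lock(); defer { lock.unlock() }
        var problems: [String] = []

        if let last = lastGlobal, globalSeqNum != last + 1 {
            problems.append("global gap: expected \(last + 1), got \(globalSeqNum)")
        }
        lastGlobal = globalSeqNum

        if let last = lastPerType[eventType], seqNum != last + 1 {
            problems.append("type \(eventType) gap: expected \(last + 1), got \(seqNum)")
        }
        lastPerType[eventType] = seqNum

        return problems.isEmpty ? nil : problems.joined(separator: "; ")
    }
}

let tracker = ESSequenceTracker()
var client: OpaquePointer?

// The handler runs on ES-owned threads: read the fields, record, return quickly.
// The message pointer is only valid for the duration of the handler.
let result = es_new_client(&client) { _, message in
    let msg = message.pointee
    if let gap = tracker.observe(eventType: msg.event_type.rawValue,
                                 seqNum: msg.seq_num,
                                 globalSeqNum: msg.global_seq_num) {
        // A gap means messages between the previous one and this one were never
        // delivered. There is no API to fetch them afterwards, so log the event
        // type and the numbers: that tells later analysis where the blind spot is.
        NSLog("ES events dropped: \(gap)")
    }
    // ... normal handling (es_respond_* for AUTH events) goes here ...
}
guard result == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    fatalError("es_new_client failed: \(result.rawValue)")
}

let events = [ES_EVENT_TYPE_NOTIFY_EXEC, ES_EVENT_TYPE_NOTIFY_OPEN]
precondition(es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS)
dispatchMain()
```

The per-type counter matters because a client that only watches global_seq_num cannot tell which event stream lost messages; the per-type gap says, for example, that NOTIFY_OPEN events were dropped while NOTIFY_EXEC stayed continuous.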
I have a recurring problem with software updates by Apple killing all networking when I have a network system extension distributed by TestFlight installed on my Mac.
Any pointers on how to resolve this would be greatly appreciated!
I don't know if it is my network system extension, the fact that it is distributed via TestFlight, or something else.
The latest example is updating to macOS 14.2 today.
I think the relevant Console message is:
Code has restricted entitlements, but the validation of its code signature failed.
The full console message is:
mac_vnode_check_signature: /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent: code signature validation failed fatally: When validating /Library/SystemExtensions/ACB1E368-5355-4959-9800-737ED2BE9EDC/com.xxxxxxxxxxxxxxxx.networkagent.systemextension/Contents/MacOS/com.xxxxxxxxxxxxxxxx.networkagent:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
Deleting the app (with its network system extension) immediately restores networking.
I can reinstall the exact same program via TestFlight, and everything runs fine.
The feedback ID (which includes additional details, a screenshot, and a video) is: FB13458972
Post not yet marked as solved
Hi Team,
We are registering the Network Extension on application launch. The application shows this dialog [Dialog attached].
The failing case:
1. User presses OK, thus dismissing the user approval dialog.
2. User clicks on the app's UI -> Register.
3. Register calls the same API again, i.e.
let activationRequest = OSSystemExtensionRequest.activationRequest(forExtensionWithIdentifier: identifier, queue: .main)
4. This time, the dialog is not shown to the user. However, we have observed that it does show the dialog again on some machines.
5. User reboots the machine.
6. Click App -> Register. Still the same: the dialog is not shown to the user.
When I check the status using systemextensionsctl list:
* [TeamId] com.company.extensionname (1.0.100/1.0.100) ExtensioName [activated waiting for user]
How can I force the launch of this dialog via the API, so that the user can be guided to act upon it?
I have a system extension which contains 3 capabilities: App Proxy, Content Filter, Packet Tunnel.
The system extension process doesn't auto-stop on disabling all of its capabilities (App Proxy, Content Filter, Packet Tunnel).
How can I make the system extension process auto-stop if all of its capabilities are disabled?
Disabling can happen via the system extension's hosting app or via the network settings in System Preferences.
I have the following in mind:
Whenever we disable any capability via the hosting app, it can check whether all the others are disabled, and then
use the bash kill command to terminate the system extension process, or
the hosting app can send a message via XPC to the extension to terminate itself via NSApp.terminate.
On disabling from System Preferences, the system extension can check in its delegate method whether all the others are disabled and terminate itself.
I want to know what the better way is to handle stopping the system extension process.
I am writing an app to detect whether a specific system extension exists.
At the init() stage of the SwiftUI view, it submits the request to find out whether the specific system extension exists:
OSSystemExtensionManager.shared.submitRequest(request)
and receives the result using
func request(_ request: OSSystemExtensionRequest, foundProperties properties: [OSSystemExtensionProperties])
then displays the result.
However, submitting the request is an asynchronous process, so I get the result Not Found before the request callback is received.
Is there any way to wait for OSSystemExtensionManager.shared.submitRequest(request) until it finishes its request?
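An added example, not code from any of the posts above, that serves this post, the "activated waiting for user" post and the deactivation code=4 post together: a wrapper that turns the OSSystemExtensionRequestDelegate callbacks into awaitable calls, so a SwiftUI view can await the properties request instead of reading a result that is not there yet, and that names the OSSystemExtensionErrorDomain code it receives. The class names and the bundle identifier in the usage comment are assumptions; the SystemExtensions API is the real one (the properties request and foundProperties callback need macOS 12 or later).

```swift
import SystemExtensions

// Added example (not from the original posts): async wrapper around
// OSSystemExtensionManager. Use one instance per in-flight request.
enum SystemExtensionOutcome {
    case completed(OSSystemExtensionRequest.Result)
    case properties([OSSystemExtensionProperties])
}

final class SystemExtensionRequester: NSObject, OSSystemExtensionRequestDelegate {
    private var continuation: CheckedContinuation<SystemExtensionOutcome, Error>?
    private let onNeedsApproval: () -> Void

    init(onNeedsApproval: @escaping () -> Void = {}) {
        self.onNeedsApproval = onNeedsApproval
    }

    // request.delegate is weak: the caller must keep this object alive until the
    // awaited call returns, otherwise the callbacks go nowhere.
    private func submit(_ request: OSSystemExtensionRequest) async throws -> SystemExtensionOutcome {
        try await withCheckedThrowingContinuation { cont in
            continuation = cont
            request.delegate = self
            OSSystemExtensionManager.shared.submitRequest(request)
        }
    }

    func activate(_ id: String) async throws -> OSSystemExtensionRequest.Result {
        let r = try await submit(.activationRequest(forExtensionWithIdentifier: id, queue: .main))
        guard case .completed(let result) = r else { throw CocoaError(.featureUnsupported) }
        return result
    }

    func deactivate(_ id: String) async throws -> OSSystemExtensionRequest.Result {
        let r = try await submit(.deactivationRequest(forExtensionWithIdentifier: id, queue: .main))
        guard case .completed(let result) = r else { throw CocoaError(.featureUnsupported) }
        return result
    }

    func properties(_ id: String) async throws -> [OSSystemExtensionProperties] {
        let r = try await submit(.propertiesRequest(forExtensionWithIdentifier: id, queue: .main))
        guard case .properties(let props) = r else { throw CocoaError(.featureUnsupported) }
        return props
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        // Replace an older build of the same extension; .cancel keeps the old one.
        return .replace
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        // The extension now sits in "activated waiting for user" until the user
        // allows it (System Settings > Privacy & Security on macOS 13/14). There is
        // no call that re-shows the dialog, so tell the UI to guide the user there.
        onNeedsApproval()
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        continuation?.resume(returning: .completed(result))
        continuation = nil
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        // Map the numeric OSSystemExtensionErrorDomain code to its enum case name
        // so "Code=4" is logged as a readable OSSystemExtensionError.Code.
        if let code = OSSystemExtensionError.Code(rawValue: (error as NSError).code) {
            NSLog("system extension request failed: \(code) (\(error))")
        }
        continuation?.resume(throwing: error)
        continuation = nil
    }

    func request(_ request: OSSystemExtensionRequest,
                 foundProperties properties: [OSSystemExtensionProperties]) {
        continuation?.resume(returning: .properties(properties))
        continuation = nil
    }
}

// Usage from SwiftUI: run in .task {} rather than in init(), so the view awaits it.
// Task {
//     let requester = SystemExtensionRequester()
//     let props = try await requester.properties("com.example.app.extension")
//     let installed = props.contains { $0.isEnabled && !$0.isAwaitingUserApproval }
// }
```

The properties result can be empty (no such extension), contain an entry that is enabled, or contain one that is awaiting approval; checking isAwaitingUserApproval distinguishes "not installed" from "installed but blocked on the user", which the Not Found branch in the post collapses.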
In another question on this forum (https://developer.apple.com/forums/thread/124775), eskimo stated that launching a system extension from a daemon is not the right approach and that the OSSystemExtensionRequest.activationRequest API should be called from an app.
My question is, does this same restriction apply to an app started by a LaunchAgent?
If so, to ensure activation as soon as possible, is the only option to use an SMLoginItemSetEnabled helper to start the app at login?
Post not yet marked as solved
We've recently noticed frequent crashes on macOS after an OS update when using the system extension with NETransparentProxyProvider. Below are the crash logs that appear in a pop-up after the machine starts.
I'm having difficulty understanding the exact point at which it crashes; it shows my process below.
Panicked task 0xfffffe2d0a36abf8: 8190 pages, 143 threads: pid 9134: com.xxxx.na Panicked thread: 0xfffffe236ea13010, backtrace: 0xfffffe67858d2b80, tid: 337348
Detailed logs attached.
system_cash_log.txt
Post not yet marked as solved
Hi Team,
I have a Network Extension application and a UI frontend for it.
The UI frontend talks to the Network Extension using XPC, via the name provided in NEMachServiceName.
On M2 machines:
The application and XPC connection work fine on a clean installation.
But when the application is upgraded, the XPC connection keeps failing.
Upgrade steps:
The PreInstall script kills the running processes, both UI and Network Extension.
Installation continues.
The PostInstall script launches the application after installation completes.
The following code succeeds up to the point of resume in the UI application:
// newConnection is the NSXPCConnection created for the extension's NEMachServiceName
NSXPCInterface *exportedInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCUIObject)];
newConnection.exportedInterface = exportedInterface;
newConnection.exportedObject = delegate;   // object the extension may call back into
NSXPCInterface *remoteObjectInterface = [NSXPCInterface interfaceWithProtocol:@protocol(IPCExtObject)];
newConnection.remoteObjectInterface = remoteObjectInterface;
self.currentConnection = newConnection;
[newConnection resume];
But it fails to get the remote object:
id<IPCExtObject> providerProxy = [self.currentConnection remoteObjectProxyWithErrorHandler:^(NSError *registerError) {
}];
Please note, this only fails on M2. On M1, this exact code runs fine.
Additionally, if I uninstall the application by dropping it in the Trash and then install the newer version, the application works fine.
Post not yet marked as solved
Hi Team,
I'm currently using a system extension with NETransparentProxyProvider (with root privileges). I want to support custom DNS (specific to domains) with a search domain, to accommodate single-label domain support.
For this, I'm creating a new entry inside /etc/resolver/ using the command below.
sudo sh -c 'echo "domain corp.test.com\nsearch corp.test.com\nnameserver 9.9.9.9\nnameserver 9.9.2.2" > /etc/resolver/corp.test.com'
The above command works fine for me when I execute it via the Terminal, creating a new file inside the resolver directory as described below. So when I access a single-label domain like https://test, it appends 'corp.test.com', resulting in a request to https://test.corp.test.com. Furthermore, it selects either DNS server 9.9.9.9 or 9.9.2.2.
File: /private/etc/resolver/corp.test.com
domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2
File permission
total 8
-rw-r--r-- 1 root wheel 80 Dec 5 18:20 corp.test.com
scutil --dns
resolver #8
domain : corp.test.com
search domain[0] : corp.test.com
nameserver[0] : 9.9.9.9
nameserver[1] : 9.9.2.2
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
However, when I execute the same command within the extension using NSTask, it generates the new file but it does not work as described above.
It creates the file below:
File: /private/etc/resolver/corp.test.com
domain corp.test.com
search corp.test.com
nameserver 9.9.9.9
nameserver 9.9.2.2
File permission
total 8
-rw-r--r-- 1 root wheel 80 Dec 5 18:25 corp.test.com
scutil --dns
resolver #8
domain : corp.test.com
search domain[0] : corp.test.com
nameserver[0] : 9.9.9.9
nameserver[1] : 9.9.2.2
flags : Request A records, Request AAAA records
reach : 0x00000002 (Reachable)
I don't notice any difference in the file permissions or in the scutil --dns entry.
We even tried running sudo killall -HUP mDNSResponder to refresh its records.
Could you please suggest what might be the reason?
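An added example, not from the post above: a root process such as a system extension does not need to spawn sh and echo to create a resolver(5) file; it can render the file itself and write it atomically with the permissions shown in the post (root:wheel, 0644). Doing it in-process also removes the shell quoting question and lets the code reject a domain value that would escape the /etc/resolver directory. The struct and function names are assumptions; the file format and the Foundation calls are real.

```swift
import Foundation

// Added example (not from the original post): write /etc/resolver/<domain>
// directly from Swift instead of via `sh -c 'echo ... > file'`.
struct ResolverEntry {
    let domain: String
    let searchDomains: [String]
    let nameservers: [String]

    /// Renders the body in resolver(5) format, one directive per line.
    func render() -> String {
        var lines = ["domain \(domain)"]
        if !searchDomains.isEmpty {
            lines.append("search " + searchDomains.joined(separator: " "))
        }
        lines += nameservers.map { "nameserver \($0)" }
        return lines.joined(separator: "\n") + "\n"
    }
}

enum ResolverFileError: Error { case badDomain(String) }

/// Writes the entry to <directory>/<domain> atomically with mode 0644 and
/// returns the path. Only hostname characters are accepted in the domain, so a
/// value such as "../foo" cannot turn the write into a file elsewhere.
@discardableResult
func installResolver(_ entry: ResolverEntry,
                     directory: String = "/etc/resolver") throws -> String {
    let allowed = CharacterSet.alphanumerics.union(CharacterSet(charactersIn: ".-"))
    guard !entry.domain.isEmpty, !entry.domain.hasPrefix("."), !entry.domain.hasPrefix("-"),
          entry.domain.unicodeScalars.allSatisfy(allowed.contains) else {
        throw ResolverFileError.badDomain(entry.domain)
    }

    let fm = FileManager.default
    try fm.createDirectory(atPath: directory, withIntermediateDirectories: true,
                           attributes: [.posixPermissions: 0o755])
    let path = (directory as NSString).appendingPathComponent(entry.domain)

    // atomically: true writes a temporary file and renames it into place, so
    // a reader never sees a half-written resolver file.
    try entry.render().write(toFile: path, atomically: true, encoding: .utf8)
    try fm.setAttributes([.posixPermissions: 0o644], ofItemAtPath: path)
    return path
}

// Same content as the shell command in the post above:
// try installResolver(ResolverEntry(domain: "corp.test.com",
//                                   searchDomains: ["corp.test.com"],
//                                   nameservers: ["9.9.9.9", "9.9.2.2"]))
```

Because the process already runs as root, the resulting file is owned by root:wheel as in the post; the rename step means that if the extension is killed mid-write, either the old file or the complete new one is on disk, never a truncated one.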
Post not yet marked as solved
Hey team,
We have a use case where we need to block all macOS network traffic except our app's network traffic.
But I don't find any APIs from Apple with that capability.
I see that using NEFilterSettings we can allow the required endpoints and block all the other endpoints we get from handleNewFlow(_ flow:). But this API has control at the endpoint level, not the app level.
Could you suggest any other APIs for this use case? Thanks
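An added example, not from the post above, of a content filter whose verdict is made per process rather than per endpoint: NEFilterSettings routes every flow to handleNewFlow(_:), and the verdict there is based on the code-signing identifier of the process that created the socket, which the system fills in on each NEFilterFlow. The class name and the two allowed identifiers are assumptions; the NetworkExtension calls are real.

```swift
import NetworkExtension

// Added example (not from the original post): allow only flows from a chosen set
// of signed processes and drop everything else.
final class AllowListFilterProvider: NEFilterDataProvider {

    // Code-signing identifiers (what `codesign -dv` prints as Identifier) of the
    // processes whose traffic may pass. Assumed values.
    private let allowedSigningIdentifiers: Set<String> = [
        "com.example.ourapp",
        "com.example.ourapp.networkagent",
    ]

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // Match every flow, any protocol, any direction, and send it to
        // handleNewFlow(_:) instead of deciding in the kernel.
        let everything = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                       localNetwork: nil, localPrefix: 0,
                                       protocol: .any, direction: .any)
        let settings = NEFilterSettings(rules: [NEFilterRule(networkRule: everything, action: .filterData)],
                                        defaultAction: .filterData)
        apply(settings) { error in completionHandler(error) }
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // The decision is per process: the system reports the signing identifier
        // of the process that opened the socket, regardless of the destination.
        if let ident = flow.sourceAppSigningIdentifier,
           allowedSigningIdentifiers.contains(ident) {
            return .allow()
        }
        return .drop()
    }
}
```

Two points a practitioner will hit immediately. First, the allowed app still depends on other processes: DNS lookups are made by mDNSResponder, not by the app, so a strict allow list that drops everything else also breaks name resolution for the allowed app unless that daemon is allowed too. Second, the signing identifier alone does not prove who signed the code; where that matters, take flow.sourceAppAuditToken and check the team identifier through the Security framework (SecCodeCopyGuestWithAttributes with the audit token) before trusting the identifier.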
Post not yet marked as solved
Hi,
I am writing a transparent proxy (using NETransparentProxyProvider) which could potentially multiplex thousands of flows.
When I've done this in the past on other platforms I've used libev or epoll, but NEAppProxyFlow (such as NEAppProxyTCPFlow) doesn't work with any of those approaches AFAICT; it doesn't even appear to work with swift-nio. What is the recommended way to multiplex thousands of flows?
I still intend to use swift-nio when I manage the real sockets (which proxy the flows), but how do I multiplex the NEAppProxyFlows themselves? Can someone suggest a highly scalable design? I'm new to this and haven't found a good solution yet.
Thanks
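An added example, not from the post above, of the design that fits NEAppProxyTCPFlow's API: there is no file descriptor to hand to epoll or libev, but the flow is already event driven through its readData/write completion handlers, so each flow is pumped by its own completion-handler chain (bridged here to async/await) and relayed to a Network.framework NWConnection. Nothing blocks and no thread is parked per flow, so thousands of flows share a few dispatch queues. The class names are assumptions; the NetworkExtension and Network calls are the real ones, and the real-socket side could equally be swift-nio.

```swift
import NetworkExtension
import Network

// Added example (not from the original post): callback-driven relay of many
// NEAppProxyTCPFlows, one FlowPump per flow, no thread per flow.
final class FlowPumpProvider: NETransparentProxyProvider {

    override func startProxy(options: [String: Any]?,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        settings.includedNetworkRules = [
            NENetworkRule(destinationNetwork: NWHostEndpoint(hostname: "0.0.0.0", port: "0"),
                          prefix: 0, protocol: .TCP),
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        guard let tcp = flow as? NEAppProxyTCPFlow,
              let endpoint = tcp.remoteEndpoint as? NWHostEndpoint,
              let port = Network.NWEndpoint.Port(endpoint.port) else {
            return false   // decline; the system carries the flow itself
        }
        let upstream = NWConnection(host: Network.NWEndpoint.Host(endpoint.hostname),
                                    port: port, using: .tcp)
        Task.detached { await FlowPump(flow: tcp, upstream: upstream).run() }
        return true        // we own this flow from here on
    }
}

/// Relays bytes in both directions between one app flow and one real socket.
final class FlowPump {
    private let flow: NEAppProxyTCPFlow
    private let upstream: NWConnection
    private let queue = DispatchQueue(label: "flow-pump")  // callbacks never block

    init(flow: NEAppProxyTCPFlow, upstream: NWConnection) {
        self.flow = flow
        self.upstream = upstream
    }

    func run() async {
        upstream.start(queue: queue)
        do {
            try await openFlow()
            // Both directions run concurrently; the first error or EOF ends both.
            try await withThrowingTaskGroup(of: Void.self) { group in
                group.addTask { try await self.flowToUpstream() }
                group.addTask { try await self.upstreamToFlow() }
                _ = try await group.next()
                group.cancelAll()
            }
        } catch {
            // fall through to teardown
        }
        flow.closeReadWithError(nil)
        flow.closeWriteWithError(nil)
        upstream.cancel()
    }

    // Bridges an (Error?) completion handler to async throws.
    private func finish(_ c: CheckedContinuation<Void, Error>, _ error: Error?) {
        if let error { c.resume(throwing: error) } else { c.resume() }
    }

    private func openFlow() async throws {
        try await withCheckedThrowingContinuation { (c: CheckedContinuation<Void, Error>) in
            flow.open(withLocalEndpoint: nil) { self.finish(c, $0) }
        }
    }

    private func flowToUpstream() async throws {
        while true {
            let data: Data = try await withCheckedThrowingContinuation { c in
                flow.readData { data, error in
                    if let error { c.resume(throwing: error) } else { c.resume(returning: data ?? Data()) }
                }
            }
            if data.isEmpty { return }   // app closed its write side
            try await withCheckedThrowingContinuation { (c: CheckedContinuation<Void, Error>) in
                upstream.send(content: data, completion: .contentProcessed { self.finish(c, $0) })
            }
        }
    }

    private func upstreamToFlow() async throws {
        while true {
            let (data, done): (Data, Bool) = try await withCheckedThrowingContinuation { c in
                upstream.receive(minimumIncompleteLength: 1, maximumLength: 64 * 1024) { data, _, isComplete, error in
                    if let error { c.resume(throwing: error) } else { c.resume(returning: (data ?? Data(), isComplete)) }
                }
            }
            if !data.isEmpty {
                try await withCheckedThrowingContinuation { (c: CheckedContinuation<Void, Error>) in
                    flow.write(data) { self.finish(c, $0) }
                }
            }
            if done { return }           // remote closed
        }
    }
}
```

The scalability comes from never waiting: each readData call hands the next chunk to a completion handler, so a flow that is idle costs nothing but its pump object, and back-pressure falls out naturally because the next read is only issued after the upstream write has completed (and vice versa).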
Someone else may want to test this with their network system extension, but I found a nasty interaction with Apple's latest software update for Safari and my network system extension.
Summary: When I had my network system extension installed and updated to Safari 17.1.2, all networking was lost.
I first ran into this problem yesterday and documented in this thread. Today, I tried to pin it down on Ventura.
This test
Hardware: M1 Mac mini
OS: macOS Ventura 13.6.1 (downloaded from Mac App Store)
Safari version 16.6
Network system extension (mine)
When I updated to Safari Version 17.1.2, I lost all networking!
Furthermore, I could not uninstall my network extension. Deleting the app with the network system extension didn't help.
Fix 1:
Disabled SIP
Removed my network system extension (at which point networking worked fine again)
Reenabled SIP
Reinstalled my network system extension
Everything works fine.
Fix 2
I re-ran the experiment (same initial set up)
Hardware: M1 Mac mini
OS: macOS Ventura 13.6.1 (downloaded from Mac App Store)
Safari version 16.6
Network system extension (mine)
This time:
I removed my network system extension first
I updated to Safari 17.1.2 (this time no problems)
I reinstalled my network system extension
Everything works fine
Having the network system extension in place and then updating Safari to 17.1.2 broke things pretty badly for me.
Was there something I did wrong with my network system extension design?
Post not yet marked as solved
I got the code for a CMIO CameraExtension from the Xcode target, and it is running with FaceTime. I guess this kind of extension has a lot of security limitations.
I'd like to run a command like "netstat" in the extension. Is it possible to call Process.run()? I keep getting an error like "The file zsh doesn't exist". The same code with Process.run() worked in a macOS app.
I'd like to use DistributedNotificationCenter to send text from the app to the CameraExtension. Is that possible? I do not receive any message in the CameraExtension.
If there is any other IPC method between a macOS app and a CameraExtension, please let me know.
Post marked as Apple Recommended
I built an app which hosts a CMIOExtension. The app works, and it can activate the extension. The extension loads in e.g. Photo Booth and shows the expected video (a white horizontal line which moves down the picture).
I have a couple of questions about this though.
The sample Camera Extension is built with a CMIOExtension dictionary with just one entry, CMIOExtensionMachServiceName which is $(TeamIdentifierPrefix)$(PRODUCT_BUNDLE_IDENTIFIER)
This Mach service name won't work, though. When attempting to activate the extension, sysextd says that the extension has an invalid mach service name or is not signed; the value must be prefixed with one of the App Groups in the entitlement.
So in order to get the sample extension to activate from my app, I have to change its CMIOExtensionMachServiceName to
<my team ID>.com.mycompany.my-app-group.<myextensionname>
Is this to be expected?
The template CMIOExtension generates its own video using a timer. My app is intended to capture video from a source, filter that video, then feed it to the CMIOExtension, somehow. The template creates an app group called "$(TeamIdentifierPrefix)com.example.app-group", which suggests that it might be possible to use XPC to send frames from the app to the extension.
However, I've been unable to do so. I've used
NSXPCConnection * connection = [[NSXPCConnection alloc] initWithMachServiceName:, using the CMIOExtensionMachServiceName with no options and with the NSXPCConnectionPrivileged option. I've tried NSXPCConnection * connection = [[NSXPCConnection alloc] initWithServiceName: using the extension's bundle identifier. In all cases when I send the first message I get an error in the remote object proxy's handler:
Error Domain=NSCocoaErrorDomain Code=4099 "The connection to service named <whatever name I try> was invalidated: failed at lookup with error 3 - No such process."
According to the "Daemons and Services Programming Guide", an XPC service should have a CFBundlePackageType of XPC!, but a CMIOExtension is of type SYSX. It can't be both.
Does the CMIOExtension loading apparatus cook up a synthetic name for the XPC service, and if so, what is it? If none, how is one expected to get pixel buffers into the camera extension?
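An added example, not code from this post or from the NEMachServiceName upgrade post earlier on this page, showing the XPC pattern both posts are circling: a system extension (network or camera) is not an XPC service bundle, so initWithServiceName: has nothing to look up; instead the extension itself publishes an NSXPCListener on a mach service name prefixed by one of its app groups, and the app connects to that name with NSXPCConnection(machServiceName:options:). The app group, the service name, the protocol and the code-signing requirement string are assumptions; the Foundation calls are real.

```swift
import Foundation

// Added example (not from the original posts): app-group-prefixed mach service
// XPC between a host app and a system extension. The same listener name goes in
// the extension's Info.plist as NEMachServiceName (network extension) or
// CMIOExtensionMachServiceName (camera extension).
let appGroup = "ABCDE12345.com.example.app-group"   // <TeamID>.<group>, assumed
let machServiceName = appGroup + ".extension-xpc"   // must start with the app group

@objc protocol ExtensionControl {
    func ping(_ payload: String, reply: @escaping (String) -> Void)
}

// --- Extension side: runs inside the .systemextension process ---
final class ExtensionListener: NSObject, NSXPCListenerDelegate, ExtensionControl {
    private let listener: NSXPCListener

    override init() {
        listener = NSXPCListener(machServiceName: machServiceName)
        super.init()
        listener.delegate = self
    }

    func start() { listener.resume() }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // Only our own signed app may talk to the extension. Requirement string
        // is an assumption; substitute the real identifier and team ID.
        if #available(macOS 13.0, *) {
            conn.setCodeSigningRequirement(
                "anchor apple generic and identifier \"com.example.app\" and certificate leaf[subject.OU] = \"ABCDE12345\"")
        }
        conn.exportedInterface = NSXPCInterface(with: ExtensionControl.self)
        conn.exportedObject = self
        conn.resume()
        return true
    }

    func ping(_ payload: String, reply: @escaping (String) -> Void) {
        reply("extension got: \(payload)")
    }
}

// --- App side ---
final class ExtensionClient {
    private var connection: NSXPCConnection?

    private func connect() -> NSXPCConnection {
        if let c = connection { return c }
        let c = NSXPCConnection(machServiceName: machServiceName, options: [])
        c.remoteObjectInterface = NSXPCInterface(with: ExtensionControl.self)
        // After the extension is replaced (e.g. an upgrade) the old connection is
        // invalidated; dropping it here makes the next call build a fresh one.
        c.invalidationHandler = { [weak self] in self?.connection = nil }
        c.interruptionHandler = { NSLog("extension XPC interrupted; next call reconnects") }
        c.resume()
        connection = c
        return c
    }

    func ping(_ payload: String) async throws -> String {
        try await withCheckedThrowingContinuation { cont in
            guard let proxy = connect().remoteObjectProxyWithErrorHandler({ error in
                cont.resume(throwing: error)
            }) as? ExtensionControl else {
                cont.resume(throwing: CocoaError(.featureUnsupported))
                return
            }
            proxy.ping(payload) { cont.resume(returning: $0) }
        }
    }
}
```

Both targets need the com.apple.security.application-groups entitlement containing the same group, and the listener only exists while the extension process is running, so an app that connects before the extension has been activated and started sees the same "failed at lookup" invalidation as in the post. For a camera extension the payload would be pixel data rather than a string; XPC can carry an IOSurface via IOSurfaceCreateXPCObject, which avoids copying frames through the message.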
Post not yet marked as solved
Today, I applied the latest security patch to my Mac Studio, and on reboot, I had no networking. It appears to have been a system extension issue.
At one point, I needed to "Allow" Apple system software in System Settings. I found that strange.
I thought I'd document the issue and my resolution in case someone else runs into this.
(1) I did the usual - reboot, shutdown & restart, reboot my Eero mesh; changed from Wi-Fi to wired Ethernet. Nothing worked.
(2) I do have my own application that uses a network system extension, so I went through the system extension uninstall process (using the API). Still no joy.
I then tried to reinstall the network extensions, but that didn't seem to work. I was never prompted to open the System Settings app. I think the network system extension had not actually been removed.
I deleted the app (which should remove the network system extension). Still no joy.
Interestingly, launchctl still showed a crashed network system extension (no PID, status -9)
(3) I then disabled SIP, rebooted, and used systemextensionsctl to remove the network system extension.
While doing this, I discovered an old network system extension from several years ago tied to one of my old organizations, which may have been built for Intel CPUs. I deleted that too.
(If I had to guess, it might have been that old network system extension that caused the problem.)
Reenabled SIP
Rebooted.
(4) At some point I got an interesting alert from Apple about System Extension errors.
And when I opened System Settings, I had to allow an extension from Apple?!
(5) Networking is now working.
I reinstalled my application from TestFlight, installed the network system extension, and everything is still working.
(6) Summary
I lost networking after applying the security update.
Worried that it might be my program, I tried uninstalling the network system extension, but I could not cleanly uninstall and reinstall my network system extension as I've done many times before.
I found an old network system extension; deleted both network system extensions with SIP disabled.
I had to Allow Apple software.
Everything works (including my app with its network system extension installed).
I am not sure what the root cause was. My old network system extension? The fact I needed to Allow Apple software? My current app and its network system extension?