NEExtension - From App Extension to System Extension

I'm planning to convert my Network Extension to a System Extension (custom VPN, Packet Tunnel Provider, macOS).
I have some questions regarding this process:
  1. I'm using keychain groups, so I would be able to get the user's password from the keychain both from app and from the Extension, is it possible to do also with a system extension?

  2. A similar question, but this time for a certificate - I have the entitlement for managed.vpn.shared - is it possible to use also from the system extension, and get the certificate for the VPN?

  3. I'm passing data between the containing app and the extension via 'App Groups' ("shared" user defaults). Can I do the same for the system extension?


Replies

I'm using keychain groups, so I would be able to get the user's password from the keychain both from app and from the Extension, is it possible to do also with a system extension?
I'm passing data between the containing app and the extension via 'App Groups' ("shared" user defaults). Can I do the same for the system extension?

System Extensions do not run with the same permission as a container app or an app extension. Therefore when you access an App Group or Keychain Group in this context you are accessing a different container than the container app or app extension is.

A similar question, but this time for a certificate - I have the entitlement for managed.vpn.shared - is it possible to use also from the system extension, and get the certificate for the VPN?

Unsure; It depends on where the profile ingestion process puts the keychain item on whether this will work or not. To know for sure, I would attempt to spin up a test.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Thanks Matt!

Regarding "Therefore when you access an App Group or Keychain Group in this context you are accessing a different container than the container app or app extension is."
So that means I can't save something at the userDefaults and read it at the App Extension.
Is there any way that some info can be saved at the containing app, and the system extension will have access to this information?
(not a message between the app and the sys extension, but a write at the app, and read at a later stage at the extension)

Is there any way that some info can be saved at the containing app, and the system extension will have access to this information?
(not a message between the app and the sys extension, but a write at the app, and read at a later stage at the extension)

You could conceivably try using a system daemon to handle writes and reads, but this is a lot of overhead, and possibly headaches, if you are only talking about small amounts of data. Probably a more suitable workflow would be to save data in the container app as usual and then send over the data to the provider with sendProviderMessage and receive with handleAppMessage.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
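As an added example of the workflow Matt describes above (not Apple's code and not from this thread): the container app encodes its settings and hands them to the running provider with sendProviderMessage, and the provider receives them in handleAppMessage. The names TunnelSettings, TunnelError and pushSettings are assumptions; the provider must already be running for the message to be delivered.

```swift
import NetworkExtension

// Assumed shared model, compiled into both the app and the system extension.
struct TunnelSettings: Codable {
    let version: Int
    let serverHost: String
    let username: String
}

enum TunnelError: Error { case noManager }

// --- Container app side -------------------------------------------------
// Encodes the settings and sends them to the provider; the reply is whatever
// handleAppMessage passes to its completion handler.
func pushSettings(_ settings: TunnelSettings,
                  completion: @escaping (Result<String, Error>) -> Void) {
    NETunnelProviderManager.loadAllFromPreferences { managers, error in
        if let error = error { completion(.failure(error)); return }
        guard let session = managers?.first?.connection as? NETunnelProviderSession else {
            completion(.failure(TunnelError.noManager)); return
        }
        do {
            let payload = try JSONEncoder().encode(settings)
            try session.sendProviderMessage(payload) { reply in
                let text = reply.flatMap { String(data: $0, encoding: .utf8) } ?? "<no reply>"
                completion(.success(text))
            }
        } catch {
            completion(.failure(error))
        }
    }
}

// --- System extension side ----------------------------------------------
class PacketTunnelProvider: NEPacketTunnelProvider {
    private var settings: TunnelSettings?

    override func handleAppMessage(_ messageData: Data, completionHandler: ((Data?) -> Void)?) {
        // This runs in the system extension's own context, so treat the payload as
        // untrusted input: bound its size and decode strictly before keeping it.
        guard messageData.count < 4096,
              let incoming = try? JSONDecoder().decode(TunnelSettings.self, from: messageData),
              incoming.version == 1 else {
            completionHandler?("rejected".data(using: .utf8))
            return
        }
        settings = incoming
        completionHandler?("ok".data(using: .utf8))
    }
}
```

Keep secrets such as the VPN password in the Keychain on the app side and send the extension only what it needs for the session.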

Got it, thanks!
So the only remaining question is about managed.vpn.shared