I am deliberately using a host-based virtual network to analyze a potentially malicious binary, thus internet access is switched off. The cause is likely related to a previous post: https://developer.apple.com/forums/thread/111225. The suggested workaround of returning 127.0.0.1 from my local resolver did not help.
In my setup, I am using a local DNS resolver to answer all domain queries. The domains that the binary connects to are dummy-resolving fine. Browsing to these using curl/Chrome works fine. They resolve to my webserver instance, which returns the desired response.
However, when I execute the binary itself, it fails with kCFErrorDomainCFNetwork
The CFNETWORK_DIAGNOSTICS output is below:
Filtering the log data using "process == "Installer" AND composedMessage CONTAINS "CFNetwork""
Timestamp Thread Type Activity PID TTL
2021-08-12 01:33:01.138319-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:1] 01:33:01.138 {
Begin Connect to cookied: (null)
Requested version: 131075
Storage Identifier: com.apple.CFNetwork.defaultStorageSession
Persistent Storage: 1
} [3:1]
2021-08-12 01:33:01.138393-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:2] 01:33:01.138 {
End Connect to cookied: (null)
} [3:2]
2021-08-12 01:33:01.139762-0700 0x15b2 Debug 0x0 622 0 Installer: (CoreFoundation) [com.apple.defaults:User Defaults] found no value for key com.apple.CFNetwork.HSTS.DisableHSTS in CFPrefsPlistSource<0x7ff88bc0b180> (Domain: kCFPreferencesAnyApplication, User: kCFPreferencesCurrentUser, ByHost: No, Container: (null), Contents Need Refresh: No)
2021-08-12 01:33:01.148614-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:3] 01:33:01.148 {
LoaderWhatToDo: (null)
Request: <CFURL 0x7ff88bdd0c30 [0x7fff9017bcf0]>{string = http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5, encoding = 134217984, base = (null)}
CachePolicy: 0
WhatToDo: originload
CreateToNow: 0.02488s
} [3:3]
2021-08-12 01:33:01.149346-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:4] 01:33:01.149 {
AddCookies Continue: request PUT http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 HTTP/1.1
HTTPProtocol: Task: 8bd51a70
} [3:4]
2021-08-12 01:33:01.149831-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:5] 01:33:01.149 {
Begin Connect to cookied: (null)
Requested version: 131075
Storage Identifier: com.some.Installer
Persistent Storage: 1
} [3:5]
2021-08-12 01:33:01.149949-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:6] 01:33:01.149 {
End Connect to cookied: (null)
} [3:6]
2021-08-12 01:33:01.151203-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:7] 01:33:01.151 {
HTTPCookieStorage::copyCookiesForURL: <CFHTTPCookieStorage 0x7ff88bd8e5a0 [0x7ff88bd8e5b0]>
Request URL: http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5
MainDocument URL: NONE
} [3:7]
2021-08-12 01:33:01.151384-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:8] 01:33:01.151 {
Protocol Enqueue: request PUT http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 HTTP/1.1
Request: <NSMutableURLRequest: 0x7ff88bd7ca60> { URL: http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 }
Message: PUT http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 HTTP/1.1
User-Agent: Installer (Macintosh; Mac OS X 10.15.7
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
} [3:8]
Is there an option to get around this? I would not want to enable internet for obvious reasons.
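For triaging a CFNETWORK_DIAGNOSTICS capture like the one in the post, the following added example (not part of the original post) groups the log into its `[3:N]` blocks and lists the HTTP requests the process queued, so an isolated lab's stub web server can be checked against them. The function names are hypothetical and the sample input is trimmed from the log above.

```python
import re

# Sample trimmed from the log in the post above (two diagnostic blocks).
SAMPLE = """\
2021-08-12 01:33:01.148614-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:3] 01:33:01.148 {
WhatToDo: originload
} [3:3]
2021-08-12 01:33:01.151384-0700 0x15b2 Default 0x0 622 0 Installer: (CFNetwork) [com.apple.CFNetwork:Diagnostics] CFNetwork Diagnostics [3:8] 01:33:01.151 {
Protocol Enqueue: request PUT http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 HTTP/1.1
Message: PUT http://domain.com/visit/meta?mid=8F492677C538BD911DC679D49156AEA5 HTTP/1.1
Accept: */*
} [3:8]
"""

BLOCK_OPEN = re.compile(r"CFNetwork Diagnostics \[(\d+:\d+)\] \S+ \{\s*$")
BLOCK_CLOSE = re.compile(r"^\}\s*\[(\d+:\d+)\]\s*$")
REQUEST = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_blocks(text):
    """Return {block_id: {field: value}} for each complete diagnostics block."""
    blocks, current, fields = {}, None, {}
    for line in text.splitlines():
        opened = BLOCK_OPEN.search(line)
        closed = BLOCK_CLOSE.match(line.strip())
        if opened:
            current, fields = opened.group(1), {}
        elif closed and closed.group(1) == current:
            blocks[current], current = fields, None
        elif current and ": " in line:
            key, value = line.strip().split(": ", 1)
            fields.setdefault(key, value)  # keep the first value per key
    return blocks  # a block with no closing "} [id]" line is dropped


def outbound_requests(text):
    """List (block_id, method, url, headers) for blocks carrying an HTTP message."""
    found = []
    for block_id, fields in parse_blocks(text).items():
        match = REQUEST.match(fields.get("Message", ""))
        if match:
            headers = {k: v for k, v in fields.items()
                       if k not in ("Message", "Protocol Enqueue", "Request")}
            found.append((block_id, match.group(1), match.group(2), headers))
    return found


if __name__ == "__main__":
    print(outbound_requests(SAMPLE))
```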