Hi,

Playing with SimpleFirewall I wanted to access a file in the Downloads folder. I could not open the file in Downloads for read. I tried the Group Container with the same result. I was applying my sandbox experience but I couldn't get a "regular sandbox" access behavior.

I found the explanation in https://developer.apple.com/documentation/networkextension/nefilterprovider:

"Because the Filter Data Provider extension has access to all of the network content flowing through the device, it runs in a very restrictive sandbox. The sandbox prevents the Filter Data Provider extension from moving network content outside of its address space by blocking all network access, IPC, and disk write operations."

I understand the reasoning but I wanted to confirm whether I'm left with no options at all to access any files outside the bundle. Not even in the Group container to exchange data with another process with the same group ID? How about connecting a UNIX domain socket, it is a FD, same restrictions? XPC to another process (not the Host App) with the same group ID?

Does or will the ES Sysex have restrictive sandboxing as well?

Thanks.
Hi,

I want to be able to run a simple NE with SIP on. Based on SimpleFirewall Sysex, run from Xcode, it seems to work well: the extension does filter the content, all OK. What is not so good is what I see in the logs (SIP enabled).

The taskgated-helper says:

  com.jon.SimpleFirewall.SimpleFirewallExtension: Unsatisfied entitlements: com.apple.security.application-groups
  Disallowing: com.jon.SimpleFirewall.SimpleFirewallExtension

and the amfid:

  Soft-restriction provisioning profile validation failure: No matching provisioning profile
  Unsatisfied entitlements key is not type CFString, this should not happen.
  Provisioning Profile does not provision soft-restricted entitlements.

They are strange messages considering the NE is working. I'd say that the entitlements are OK:

  <dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.jon.SimpleFirewall</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.system-extension.install</key>
    <true/>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID.</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>TEAMID..com.jon.SimpleFirewall</string>
    </array>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.get-task-allow</key>
    <true/>
  </dict>

  <dict>
    <key>com.apple.application-identifier</key>
    <string>TEAMID.com.jon.SimpleFirewall.SimpleFirewallExtension</string>
    <key>com.apple.developer.networking.networkextension</key>
    <array>
      <string>content-filter-provider</string>
    </array>
    <key>com.apple.developer.team-identifier</key>
    <string>TEAMID</string>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
      <string>TEAMIDcom.jon.SimpleFirewall</string>
    </array>
    <key>com.apple.security.get-task-allow</key>
    <true/>
  </dict>

I'm interested as well in making it provisioned for all devices, so I want to archive it for Developer ID distribution, including notarization. The archiving stops because Xcode can't find provisions for Network Extensions. To solve it I have created 2 provisions for Distribution by Developer ID myself on my account. That helps to advance in the notarization. It gets approved. Export and run.

The exported notarized App crashes:

taskgated:

  rejecting read of { kCFPreferencesAnyApplication, kCFPreferencesAnyUser, kCFPreferencesCurrentHost, no container, managed: 0 } from process 1947 (taskgated-helper) because accessing preferences outside an application's container requires user-preference-read or file-read-data sandbox access
  com.jon.SimpleFirewall: Unsatisfied entitlements: com.apple.developer.networking.networkextension
  Disallowing: com.jon.SimpleFirewall

amfid:

  CPValidateProvisioningDictionariesExtViaBridge returned invalid result: { success = 0;}
  Failure validating against provisioning profiles: No matching provisioning profile
  Unsatisfied entitlements key is not type CFString, this should not happen.
  Requirements for restricted entitlements failed to validate, error -67671, requirements: '<private>', error: (null)
  Restricted entitlements not validated, bailing out. Error: (null)
  /Users/jon.gabilondo/Desktop/SimpleFirewall.app/Contents/MacOS/SimpleFirewall signature not valid: -67671

Pretty big, clear errors that I can't figure out how to fix. I'm missing something fundamental.

Thanks in advance.
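A small consistency check for the kind of entitlements shown in the post above, added here as an example (it is not the poster's code and not an Apple tool). It parses an entitlements plist and reports app-group IDs or application identifiers that are not prefixed by the team identifier, which is the macOS convention for sandboxed app groups and one thing to verify when taskgated reports unsatisfied application-groups entitlements; the team ID and bundle identifiers in the sample are constructed placeholders.

```python
import plistlib

TEAM = "ABCDE12345"  # constructed placeholder team ID, not the poster's

# Constructed sample entitlements (not the poster's real values). The
# application-groups entry deliberately lacks the "TEAM." prefix so the
# check below reports it.
BAD_ENTITLEMENTS = f"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>com.apple.application-identifier</key>
  <string>{TEAM}.com.example.SimpleFirewall.Extension</string>
  <key>com.apple.developer.team-identifier</key>
  <string>{TEAM}</string>
  <key>com.apple.developer.networking.networkextension</key>
  <array><string>content-filter-provider</string></array>
  <key>com.apple.security.app-sandbox</key>
  <true/>
  <key>com.apple.security.application-groups</key>
  <array><string>{TEAM}com.example.SimpleFirewall</string></array>
</dict></plist>
""".encode()

# The same plist with the app-group ID written with the team-ID prefix.
GOOD_ENTITLEMENTS = BAD_ENTITLEMENTS.replace(
    f"{TEAM}com.example".encode(), f"{TEAM}.com.example".encode())


def check_entitlements(data: bytes) -> list[str]:
    """Return human-readable problems found in a macOS entitlements plist.

    Verifies that the application identifier and every app-group ID carry
    the "<team-identifier>." prefix, that the sandbox is enabled, and that
    the NE entitlement lists content-filter-provider.
    """
    ent = plistlib.loads(data)
    problems = []
    team = ent.get("com.apple.developer.team-identifier")
    if not team:
        return ["missing com.apple.developer.team-identifier"]
    prefix = team + "."
    app_id = ent.get("com.apple.application-identifier", "")
    if not app_id.startswith(prefix):
        problems.append(f"application-identifier {app_id!r} lacks prefix {prefix!r}")
    for group in ent.get("com.apple.security.application-groups", []):
        if not group.startswith(prefix):
            problems.append(f"application-group {group!r} lacks prefix {prefix!r}")
    if ent.get("com.apple.security.app-sandbox") is not True:
        problems.append("com.apple.security.app-sandbox is not enabled")
    if "content-filter-provider" not in ent.get(
            "com.apple.developer.networking.networkextension", []):
        problems.append("networkextension entitlement lacks content-filter-provider")
    return problems
```

Run it against the output of `codesign -d --entitlements - --xml <bundle>` to check a built app or extension.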
Hi,

I found a way to create an App, that runs as a daemon as well, using libEndpointSecurity.dylib to create an "es_new_client" and "es_subscribe" to events. It has the entitlement "com.apple.developer.endpoint-security.client". If I disable SIP, it seems to be fully working; it gets the ES EVENTS, AUTH events too.

I have implemented as well the same App as per the guidelines, using the wrapper App that holds the system extension bundle within, using the system extension manager to activate it, XPC to communicate, all good.

My question is, do I really have these two options? I understand that once I get the approval for the entitlement I could make the second approach work with SIP. But can I make the first one work with SIP? Are there any limitations for the first approach? Could I deliver a solution based on the first approach?

Thanks.