Thanks Eskimo!
My app is a Developer-ID signed Network Extension App and so will require sandboxing, from what I understand.
Thanks for pointing me in the right direction. Will try out XPC.
Thanks for the pointers Matt. I am seeing 2 issues in the logs after I enabled SIP. I notarized the app already.
1. Signature errors
2. Crash because of Sandboxing
The second part of the logs is pasted in the next post.
Please NOTE: The NE is based on the open-source WireGuard protocol written in Golang.
Logs
349		0		secinitd: *.YYY.network-extension[3542]: root path for bundle "<private>" of main executable "<private>"
349		0		secinitd: (Security) SecTrustEvaluateIfNecessary
349		0		secinitd: (Security) SecTrustEvaluateIfNecessary
349		0		secinitd: *.YYY.network-extension[3542]: AppSandbox request successful
404		0		nesessionmanager: (Security) SecTrustEvaluateIfNecessary
404		0		nesessionmanager: (Security) SecTrustEvaluateIfNecessary
404		0		nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
3542	 0		*.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
3542	 0		*.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) SecItemCopyMatching
3542	 0		*.YYY.network-extension: (Security) SecItemCopyMatching_ios
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:xpc] Adding securityd connection to pool, total now 1
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:xpc] got event: Connection invalid
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:storagemgr] using system preferences
3542	 0		*.YYY.network-extension: (CoreFoundation) Loading Preferences From System CFPrefsD
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) SecItemCopyMatching
3542	 0		*.YYY.network-extension: (Security) SecItemCopyMatching_ios
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:SecCritical] Failed to talk to secd after 4 attempts.
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] CSSM Exception: -2147414013 CSSMERR_DL_MDS_ERROR
3542	 0		*.YYY.network-extension: (Security) CMSDecoderCopySignerStatus failed with kCMSSignerInvalidSignature error (3)
3542	 0		*.YYY.network-extension: (Security) [com.apple.securityd:security_exception] MacOS error: -67061
3542	 0		*.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: invalid signature (code or signature have been modified)
3542	 0		*.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [10272E98-45FB-4020-A6D6-CFB656C37389 <NULL> generic, indefinite]
0			0		kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
0			0		kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
0			0		kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
0			0		kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
114		0		configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
404		0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)]: Plugin NEVPNTunnelPlugin(*.YYY[3542]) initialized with Mach-O UUIDs (
210		0		nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 114 does not have any known entitlement
114		0		configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
404		0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId8:5E99863B-1189-4C78-BE90-F27D4D1D1461:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(*.YYY[3542]) started with PID 3542 error (null)
3542	 0		*.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: Calling startTunnelWithOptions with options 0x7fa48ee100d0
114		0		configd: [com.apple.SystemConfiguration:IPMonitor] network changed
3542	 0		*.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension *.YYY]: IPC detached
Logs 2nd part:
		 Error			 0x0									164		0		sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: ***.XXXAgent(3542) deny(1) file-write-data /private/var/db/mds/system/mds.lock
Violation:			 deny(1) file-write-data /private/var/db/mds/system/mds.lock
Process:				 ***.XXXAgent [3542]
Path:						/Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
Identifier:			***.YYY.network-extension
Version:				 1 (1.0)
Parent Process:	launchd [1]
Responsible:		 /Library/SystemExtensions/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF/***.YYY.network-extension.systemextension/Contents/MacOS/***.YYY.network-extension
OS Version:			Mac OS X 10.15.7 (19H15)
Report Version:	8
MetaData: {"action":"deny","responsible-process-user-uuid":"FFFFEEEE-DDDD-CCCC-BBBB-AAAA00000000","uid":0,"summary":"deny(1) file-write-data \/private\/var\/db\/mds\/system\/mds.lock","path":"\/private\/var\/db\/mds\/system\/mds.lock","normalized_target":["private","var","db","mds","system","mds.lock"],"pid":3542,"flags":5,"errno":1,"hardlinked":false,"platform-binary":false,"signing-id":"***.YYY.network-extension","team-id":"TEAM_ID","primary-filter-value":"\/private\/var\/db\/mds\/system\/mds.lock","process":"***.XXXAgent","build":"Mac OS X 10.15.7 (19H15)","target":"\/private\/var\/db\/mds\/system\/mds.lock","container":"\/private\/var\/root\/Library\/Containers\/***.YYY.network-extension\/Data","operation":"file-write-data","primary-filter":"path","matched-extension":false,"vnode-type":"REGULAR-FILE","platform_binary":"no","profile-in-collection":false,"process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","hardware":"Mac","responsible-process-uid":0,"responsible-process-path":"\/Library\/SystemExtensions\/34C6B073-2035-4CA4-B055-2C2FDD1C8BCF\/***.YYY.network-extension.systemextension\/Contents\/MacOS\/***.YYY.network-extension","matched-user-intent-extension":false,"file-flags":0,"rdev":0,"platform-policy":false,"mount-rdev":16777221,"profile-flags":0,"apple-internal":false}
............................
Thread 3 (id: 47400):
0	 libsystem_kernel.dylib				 0x00007fff717b66a2 __open + 10
1	 Security											 0x00007fff43eddeb7 Security::MDSSession::updateDataBases() + 1303
2	 Security											 0x00007fff43f3f705 Security::MDSSession::DbOpen(char const*, cssm_net_address const*, unsigned int, Security::AccessCredentials const*, void const*, long&) + 95
3	 Security											 0x00007fff43f3f59c mds_DbOpen(long, char const*, cssm_net_address const*, unsigned int, cssm_access_credentials const*, void const*, long*) + 261
4	 Security											 0x00007fff43edd5d5 Security::MDSClient::Directory::cdsa() const + 107
5	 Security											 0x00007fff44036031 Security::MDSClient::Directory::dlGetFirst(cssm_query const&, cssm_db_record_attribute_data&, cssm_data*, cssm_db_unique_record*&) + 57
6	 Security											 0x00007fff43edd113 Security::CssmClient::Table<Security::MDSClient::Common>::startQuery(Security::CssmQuery const&, bool) + 253
7	 Security											 0x00007fff43edcc9f Security::CssmClient::Table<Security::MDSClient::Common>::fetch(Security::CssmClient::Query const&, int) + 121
8	 Security											 0x00007fff43edbaf3 CSSM_ModuleLoad + 643
9	 Security											 0x00007fff43edb3ae Security::CssmClient::ModuleImpl::activate() + 194
10	Security											 0x00007fff43edb1a8 Security::CssmClient::AttachmentImpl::activate() + 130
11	Security											 0x00007fff43edb088 Security::KeychainCore::Certificate::clHandle() + 166
12	Security											 0x00007fff440e7ef2 SecCertificateGetCLHandle_legacy + 22
13	Security											 0x00007fff4404b116 CERT_GetCertIssuerAndSN + 131
14	Security											 0x00007fff4404af1d CERT_FindCertByIssuerAndSN + 112
15	Security											 0x00007fff4404c0e4 SecCmsSignerInfoGetSigningCertificate + 80
16	Security											 0x00007fff440537cf SecCmsSignedDataVerifySignerInfo + 271
17	Security											 0x00007fff44054226 CMSDecoderCopySignerStatus + 171
18	Security											 0x00007fff44068210 Security::CodeSigning::SecStaticCode::validateDirectory() + 958
19	Security											 0x00007fff4406b393 Security::CodeSigning::SecStaticCode::validateNonResourceComponents() + 15
20	Security											 0x00007fff44058945 Security::CodeSigning::SecCode::checkValidity(unsigned int) + 219
21	Security											 0x00007fff4405f0f4 SecCodeCheckValidityWithErrors + 87
22	NetworkExtension							 0x00007fff3e2133c2 NEVerifyDesignatedRequirement + 206
23	NetworkExtension							 0x00007fff3e0c75fa +[NEExtensionPacketTunnelProviderContext extensionHasACRequirement] + 94
24	NetworkExtension							 0x00007fff3e1c1ff1 -[NEPacketTunnelProvider initWithVirtualInterfaceType:] + 37
25	***.YYY.network-extension 0x0000000102c14638 PacketTunnelProvider.init() + 488 (PacketTunnelProvider.swift:9)
26	***.YYY.network-extension 0x0000000102c1465f @objc PacketTunnelProvider.init() + 15 (<compiler-generated>:0)
27	NetworkExtension							 0x00007fff3e0c8bd2 -[NEExtensionProviderContext createWithCompletionHandler:] + 398
28	Foundation										 0x00007fff39d1e413 NSXPCCONNECTION_IS_CALLING_OUT_TO_EXPORTED_OBJECT_S1 + 10
29	Foundation										 0x00007fff39ca88de -[NSXPCConnection _decodeAndInvokeMessageWithEvent:flags:] + 2363
30	Foundation										 0x00007fff39c5fa49 message_handler + 210
31	libxpc.dylib									 0x00007fff718b922c _xpc_connection_call_event_handler + 56
32	libxpc.dylib									 0x00007fff718b813b _xpc_connection_mach_event + 934
33	libdispatch.dylib						 0x00007fff7161b6f8 _dispatch_client_callout4 + 9
Logs:
16432	0		taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] Checking profile: YYYNENov6_10
16432	0		taskgated-helper: (ConfigurationProfiles) [com.apple.ManagedClient:ProvisioningProfiles] allowing entitlement(s) for ***.YYY.network-extension due to provisioning profile (isUPP: 1)
1057	 0		nesessionmanager: (Security) SecTrustEvaluateIfNecessary
1057	 0		nesessionmanager: (NetworkExtension) [com.apple.networkextension:] Signature is valid and has the correct designated requirement
16463	0		***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] cannot open file at line 43353 of [378230ae7f]
16463	0		***.YYY.network-extension: (libsqlite3.dylib) [com.apple.libsqlite3:logging-persist] os_unix.c:43353: (2) open(/var/db/DetachedSignatures) - No such file or directory
16463	0		***.YYY.network-extension: (Security) SecTrustEvaluateIfNecessary
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] Signature check failed: code failed to satisfy specified code requirement(s)
16463	0		***.YYY.network-extension: (libnetwork.dylib) [com.apple.network:] nw_path_evaluator_start [33B7A514-5833-43B2-A4AE-1329F4B52D43 <NULL> generic, indefinite]
0			0		kernel: utun_ctl_connect: creating interface utun2 (id utunid2)
0			0		kernel: ifnet_attach: Waiting for all kernel threads created for interface utun2 to get scheduled at least once.
0			0		kernel: ifnet_attach: All kernel threads created for interface utun2 have been scheduled at least once. Proceeding.
244		0		mDNSResponder: [com.apple.mDNSResponder:Default] <private>
113		0		configd: (libnetwork.dylib) [com.apple.network:] network_config_check_interface_settings Checking interface settings
0			0		kernel: utun2: is now delegating en0 (type 0x6, family 2, sub-family 3)
252		0		nehelper: (Network) [com.apple.network:] -[NWPrivilegedHelper startXPCListener]_block_invoke client pid 113 does not have any known entitlement
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Plugin NEVPNTunnelPlugin(***.YYY[16463]) initialized with Mach-O UUIDs (
113		0		configd: (libnetwork.dylib) [com.apple.network:] networkd_privileged_check_interface_settings_block_invoke received XPC_ERROR_CONNECTION_INVALID
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) started with PID 16463 error (null)
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Calling startTunnelWithOptions with options 0x7f85e9d0d3e0
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: IPC detached
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) did detach from IPC
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)] in state NESMVPNSessionStateStarting: plugin NEVPNTunnelPlugin(***.YYY[16463]) disconnected with reason Plugin initiated
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStarting
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateStopping, timeout 20 seconds
1057	 0		nesessionmanager: [com.apple.networkextension:] <NESMServer: 0x7f979e504160>: Request to uninstall session: NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: status changed to disconnecting
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Updated network agent (inactive, compulsory, not-user-activiated, not-kernel-activated)
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Leaving state NESMVPNSessionStateStopping
1057	 0		nesessionmanager: [com.apple.networkextension:] NESMVPNSession[Primary Tunnel:UsingGoBridgeToXXXDevId6:6DCBD0E0-D11D-46DD-B202-65FD1B986444:(null)]: Entering state NESMVPNSessionStateDisposing, timeout 5 seconds
0			0		kernel: ifnet_detach_final: Waiting for IO references on utun2 interface to be released
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] SIOCGIFMTU failed: Device not configured
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] NEVirtualInterfaceAdjustReadBufferSize: interface_get_mtu failed (6), defaulting to max mtu
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Session manager connection was invalidated
16463	0		***.YYY.network-extension: (NetworkExtension) [com.apple.networkextension:] [Extension ***.YYY]: Deallocating
Thanks Matt. I changed the bundle-id and it looks like that was causing it.
Can you please post the link to a doc that has the sequence of SDK calls to talk to an existing Packet-Tunnel Extension? Thanks