Hi all,
It's nice that macOS 15 allows users to control System Extensions in "Login Items & Extensions", but I am encountering some issues in determining if a user has disabled or removed a System Extension.
I will share my findings (as of macOS 15.1 24B5009l) for two scenarios and would appreciate any suggestions for better approaches.
Scenario 1: During first-time activation, there is no clear API to determine if the user uninstalls the extension before activation.
The code creates activationRequestForExtension:queue: and receives notifications via a delegate implementing OSSystemExtensionRequestDelegate. However, if the user does not authorize the activation of the System Extension and uninstalls it, the code receives request:didFailWithError: with error code OSSystemExtensionErrorRequestSuperseded. This error code is ambiguous, so I plan to submit a propertiesRequestForExtension:queue: and check the properties for each instance to determine if the user uninstalled the extension.
Scenario 2: After activation, it is unclear when the user enables or disables the extension.
It is somewhat easier in the enabled -> disabled scenario. The XPC connection will be invalidated, allowing me to submit another propertiesRequestForExtension:queue: in the XPC invalidation handler and check the result.
However, I am having trouble with the disabled -> enabled scenario. There is no event or trigger indicating that the user has enabled the extension, so I have to submit propertiesRequestForExtension:queue: repeatedly at short intervals, which is not ideal.
I wonder if there are better approaches. Any suggestions would be greatly appreciated.
Thanks & regards,
Shay
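The properties check described in the post above, as an added Swift example that is not part of the original post or of Apple's sample code. `ExtensionStateProbe`, `ExtensionState` and the mapping from property flags to states are assumptions made for illustration; what macOS 15 actually reports after a user removes or disables an extension should be confirmed on a test machine.

```swift
import Foundation
import SystemExtensions

// Hypothetical state names; the mapping from property flags is an assumption.
enum ExtensionState { case absent, awaitingApproval, uninstalling, disabled, enabled }

final class ExtensionStateProbe: NSObject, OSSystemExtensionRequestDelegate {
    private let identifier: String
    private let onState: (ExtensionState) -> Void

    init(identifier: String, onState: @escaping (ExtensionState) -> Void) {
        self.identifier = identifier
        self.onState = onState
    }

    // Submit a properties request (macOS 12+). The caller must keep this
    // probe alive until onState fires.
    func query() {
        let req = OSSystemExtensionRequest.propertiesRequest(
            forExtensionWithIdentifier: identifier, queue: .main)
        req.delegate = self
        OSSystemExtensionManager.shared.submitRequest(req)
    }

    // Receives one entry per instance of the extension known to the system.
    func request(_ request: OSSystemExtensionRequest,
                 foundProperties properties: [OSSystemExtensionProperties]) {
        let live = properties.filter { !$0.isUninstalling }
        if live.contains(where: { $0.isEnabled }) { onState(.enabled) }
        else if live.contains(where: { $0.isAwaitingUserApproval }) { onState(.awaitingApproval) }
        else if !live.isEmpty { onState(.disabled) }
        else { onState(properties.isEmpty ? .absent : .uninstalling) }
    }

    // An activation delegate would call query() on this probe when it sees
    // OSSystemExtensionError.requestSuperseded; a failure of the properties
    // request itself is only logged here.
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        NSLog("properties request failed: %@", error.localizedDescription)
    }

    // Remaining required delegate methods; nothing to do for this request type.
    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {}
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {}
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction { .replace }
}
```

The same probe can be called from the XPC invalidation handler for the enabled -> disabled case; it does not remove the need for polling in the disabled -> enabled case.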
macOS 11.1 fixed RAW socket locking in Network Extension.
However one user reports another kernel deadlock with Network Extension, on macOS 11.1 20C69.
The deadlock seems to be caused by three processes:
Logs - https://developer.apple.com/forums/content/attachment/76470732-057b-4a5a-8898-f9c8a37c52d2
I failed to reproduce this issue, while the user can reproduce it consistently.
I wonder if anyone has also encountered this panic.
FB8968013 for full kernel panics.
Hi all,
I ran into a memory issue in NetworkExtension. I hope my NetworkExtension will filter all traffic (any hosts/ports, any protocol, any direction).
After running for 5 days, the NetworkExtension.framework keeps 20,000+ instances of NEFilterSocketFlow.
I don't believe a laptop will run 20,000 network connections at the same time; it seems like an issue from system frameworks.
I ran the test on macOS 11.0.1 (20B29); it can also be reproduced on macOS 11.1 (20C5048k).
I use the following snippet to reproduce the issue. To use this code, get a copy of "Filtering Network Traffic" sample code and replace the file.
FilterDataProvider.swift - https://developer.apple.com/forums/content/attachment/cee644fc-799f-4b76-8f2c-c8e792152e0e
FB8924681
Shay
Hi,
I wonder if it is possible to show a system extension's BundleDisplayName in Finder (like an application bundle)?
For example, I wish the Finder could show the CFBundleDisplayName "SymantecEndpointSecurity" (value from Info.plist or localized resources) instead of "com.symantec.mes.systemextension.systemextension".
Because the endpoint security client requires "Full Disk Access" (FDA), if the user accidentally removes it, the system extension cannot work until the user adds it back to the list.
While it is possible to open the Finder window for the user to drag the system extension back to the FDA list, it would be much better if the user could see the system extension's localized BundleDisplayName instead of BundleIdentifier.
Is it possible with the current macOS?
Thanks in advance.
Shay
Hi guys,
When playing with the Network Extension sample code, I find that, if the data-filter requests to filter TCP outbound traffic on port 443, apps using StoreKit for in-app purchase cannot get items for purchase.
A process named "appstoreagent" reports "failed to retrieve client crypto key" and then NSURLErrorDomain Code=-1005 "The network connection was lost."
If the network extension is disabled or explicitly allows https traffic in NEFilterSettings, this issue won't appear.
I have tested from macOS 10.15.0 to 10.15.6 along with 11.0 beta 3; the issue can be reproduced on all the Macs that I have tested.
Ref FB7740498
Best regards,
Shay
Hi guys,
Does anyone fail to connect to an IKEv1 (Cisco IPSec) VPN when using the "filtering network traffic" sample code?
I find that, if the SimpleFirewall is enabled, the IKEv1 VPN will fail to connect. If SimpleFirewall is enabled after connecting the VPN, no application will establish a network connection (all TCP/UDP/ICMP will be dropped).
Is this expected behavior (that IKEv1 VPN is not compatible with data-filter)?
ref FB7742493
Best regards,
Shay