Hi, I am using xcode build that receive it's configuration using xcconfig files, those add some new definitions to the project, like the location of openssl library. If xcode environment variable include prefix that matches one of the fields in the project settings, it is automatically referred to as if you added it to that field. for example : the var HEADER_SEARCH_PATHS_openssl_libopenssl has value (openssl headers' path) that should be automatically added to the field Headers Search Paths under project settings. For some reason it stopped working for me and i'm not sure why (i've tried to release the xcconfig files). any idea why ? Thanks !

Hi, i'm working on an endpoint security extension loader and implement several callbacks from delegate object OSSystemExtensionRequestDelegate the callback i'm interested in is : public func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result); public func requestNeedsUserApproval(_ request: OSSystemExtensionRequest); I've noticed that if I manually approve the extension long time after it was activated, the extension process goes up, but the callback isn't being called. The requestNeedUserApproval callback always gets called. I see in the unified logs that when the extension goes from activated_waiting_for_user -> activated_enabling -> activated_enabled Than the request callback doesn't get called. But whenever the extension goes activated_waiting_for_user -> activated_disabled The request callback gets called. (this is counter intuitive since we expected the state activated_disabled may hint that the extension failed to be activated somehow) Any Idea why my callback doesn't gets called if the extension gets approved long after it was activated ?

Hi, I'd like to be able to run my daemon process only in pre-logon mode that can be reach by either reboot the machine prior to provide user credentials, or by log out from current user. So far I couldn't find any useful configuration in the plist file under /Library/LaunchDaemon. Perhaps there's a way to get notification programmatically for when the system enter/exit pre-login mode ? Thanks

Hi, I've developed an application which reside under /Applications. Inside the main application bundle (/Applications/mainApp.app) there are sub-app that contain security extension. Here's the relevant path /Applications/mainApp.app/Contents/Helpers/subApp.app/Contents/Library/SystemExtensions/com.myComp.type.systemextension/ So far I could load the extension by running the subApp and make sure it calls the extension activation API. but seems like starting from Sonoma (i'm using version 14.6.1 )it stopped working, and I get crash dump on signature failure which trying to open the subApp.app. in the crash log I get reason of invalid code sign. I also get the following hints Binary Images: 0x1050a0000 - 0x10512bfff dyld_path_missing (*) <f635824e-318b-3f0c-842c-c369737f2b68> /dyld_path_missing 0x104d9c000 - 0x104d9ffff main_executable_path_missing (*) <1df5f408-cb16-304f-8b38-226e29361161> /main_executable_path_missing Is it possible that new OS version have new validation rule that enforce something about the location of the app that can start extensions ?

Hi, I've got swiftUI based application. It seems that on some occasions, when the app starts, I get the following popup window but I don't know which restricted items it attempts to access (passwords,network, etc..) . How can I tell what trigger this elevation message ? Thanks !

For a security product, I wonder if security extension has a capability to catch a file during copy operation (I guess it's composed out of multiple basic ops like file read and file write). I'd like to store the file in some quarantined temporal (let's say when someone copy file from external file system like usb/network location and copy it back once the file has properly scanned. So far, i've used the authorization capabilities of the security extension. I wonder if there's also an option to change the target location of a file being copied ? Thanks.

Hi, I've tried to modify the simplePing example from here https://developer.apple.com/library/archive/samplecode/SimplePing/ and set the DF flag on. In my attempt, I've used setsockopt right after socket was created : fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP); int val = 1; setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, sizeof(val)); However, from wireshark I could clearly see that the icmp packet had the DF bit unset ... Please help me figure out what's wrong in my code. Thanks !

HI, I've created a virtual interface that used to get all outgoing packets, encapsulate with some VPN header, before resend them to their final destination through the physical adapter. In order to choose the optimal MTU size that won't trigger fragmentation, I'd like to calculate the PMTU between the physical interface and the destination, subtracted by the encapsulation header size. Then I'll set the virtual adapter's MTU with this result. In order to do so, I poll the overall MTU cache using sysctl on macOS. First, I verified that path mtu discovery is set sysctl net.inet.tcp.path_mtu_discovery net.inet.tcp.path_mtu_discovery: 1 Then, I tried to extract the cached pmtu for the gateway from the other size of the tunnel using the routing table . static constexpr auto kSysctlMibLength = 6; void get_pmtu_cache() { std::map<std::string, std::uint32_t> res; size_t size_needed = 0; std::vector<char> route_table; std::array<int, kSysctlMibLength> mib; char *next = nullptr; char *lim = nullptr; struct rt_msghdr *rtm = nullptr; struct sockaddr *saddr = nullptr; struct sockaddr_in *sockin = nullptr; char dest_ip_address[INET6_ADDRSTRLEN]; mib[0] = CTL_NET; mib[1] = PF_ROUTE; mib[2] = 0; mib[3] = 0; mib[4] = NET_RT_DUMP; mib[5] = 0; // stage 1 : get the routing table // get routing table size if (sysctl(mib.data(), kSysctlMibLength, nullptr, &size_needed, nullptr, 0) < 0) { return; } // allocate local var according to size route_table.reserve(size_needed); // get routing table contents if (sysctl(mib.data(), kSysctlMibLength, route_table.data(), &size_needed, nullptr, 0) < 0) { return; } In the next step, I simple iterate the routing table elements and extract the following field for each destination : rt_msghdr.rt_metrics.rmx_mtu which is the path MTU from current endpoint to dest address. lim = route_table.data() + size_needed; for (next = route_table.data(); next < lim; next += rtm->rtm_msglen) { rtm = reinterpret_cast<struct rt_msghdr *>(next); saddr = reinterpret_cast<struct sockaddr *>(rtm + 1); if ((rtm->rtm_addrs & RTA_DST) != 0) { sockin = reinterpret_cast<struct sockaddr_in *>(saddr); if (nullptr == inet_ntop(saddr->sa_family, &sockin->sin_addr.s_addr, dest_ip_address,INET6_ADDRSTRLEN)) { continue; } const std::string dest_ip_address_str(dest_ip_address, strlen(dest_ip_address)); auto iter = res.find(dest_ip_address_str); if (iter == res.end() || iter->second > rtm->rtm_rmx.rmx_mtu) { res.insert_or_assign(dest_ip_address_str, rtm->rtm_rmx.rmx_mtu); } } } when I finally print all the values in res I see that my pmtu to my VPN server is 1500, even-though I've set the server's mtu size to 1000, and I check that ping -D -s 1500 <server> doesn't work since packets from size 1500 that cannot be fragmanted won't work. auto item = res.find(vpn_server_address); if (item == res.cend()) { printf("no pmtu found to %s\n", vpn_server_address ); return; } ret = item->second; I've tried to trigger the pmtu discovery to the VPN server using nscurl by sending https requests there, but the pmtu still remained on 1500. Perhaps I'm missing something ? do I extract the pmtu correctly ? do I trigger the pmtu discovery by sending https messages using nscurl which is based on NSURLSession ? Thanks !

Hi, I'm working on macOS launchAgent based project, and using 3rd party code to upload big files to remote server. from time to time, I see that the upload rate is very slow and when i try it to use command line tool, the paste is much faster. Therefore, I believe that launchAgent based processes, may get low priority in using network bandwidth compared to foreground tools. I wonder if there's anything I can do on the process' info.plist file to get better prioritization on network resources. Perhaps I need to call the file uploader/downloader from dedicated XPC helper tool, but I prefer doing it from the same process. Thanks !

Hi, I'd like to allow only a specific process to read sensitive items from keychain (based on process signature using method SecItemCopyMatching), and fail any other read attempt. Is it possible, what are the access control rules I can define for keychain access if this is not possible ? I'm now using the default user keychain, perhaps I should create a different keychain with non-trivial access control, so that not all processes that are running with user context or even with root privileges, would be able to get the data. Thanks Here's my read example : func read(service: String, account: String) -> Data? { let query = [ kSecAttrService: service, kSecAttrAccount: account, kSecClass: kSecClassGenericPassword, kSecReturnData: true ] as CFDictionary var result: AnyObject? SecItemCopyMatching(query, &result) return (result as? Data) }

I'm signing using "Developer ID Application" and it suddenly started failing due to the following reason A timestamp was expected but was not found.. from the logs it looks like a failure to connect Apple's dedicated server. Perhaps there's a way to verify this theory, or get another timestamp server to be set in --timestamp option? thanks 2023-04-24 15:53:38.977560+0300 0x2e29ef5 Error 0x0 696 0 XPCTimeStampingService: (CFNetwork) NSURLConnection finished with error - code -1001 2023-04-24 15:53:38.977753+0300 0x2e29ef5 Default 0x0 696 0 XPCTimeStampingService: (CFNetwork) [com.apple.CFNetwork:Summary] Task <42F5893A-941A-4293-BB14-F75C42363836>.<0> summary for task failure {transaction_duration_ms=15792, response_status=-1, connection=817, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, response_bytes=0, cache_hit=false}

Hi, I'm using 2 separated providers, each derived from dns and application providers respectively. in the application provider I use the object NETunnelNetworkSettings as input in method to setTunnelNetworkSettings to catch all network data originated from some specific applications (including dns packets). in the dns provider I'd like to catch all dns traffic in general disregarding any specific application where the request was originated from. in my experiment, If I avoid setting the DNS server addresses in DNSSettings inside NETunnelNetworkSettings, than all DNS originated from the specific application I set using the app proxy tunnel, will be destined to address 10.0.0.10 by default (and not the default DNS address). However, If I do set this DNSSettings value, I get the following block (in my example I set the app proxy to catch the traffic of zoom.us application) 2023-04-19 11:34:45.493033+0300 0x1206 Default 0x0 501 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q36288] ShouldSuppressUnicastQuery: Query suppressed for zoom.us. Addr (blocked by policy) 2023-04-19 11:34:45.493582+0300 0x1206 Default 0x0 501 0 mDNSResponder: [com.apple.mDNSResponder:Default] [Q14787] ShouldSuppressUnicastQuery: Query suppressed for zoom.us. AAAA (blocked by policy) my desire is to catch the application connections using the app proxy provider, and leave the dns requests/responses for the dns proxy provider. I know this might not be the best approach, but perhaps there's a way to "tell" my application proxy provider to "ignore" DNS packets on udp connection, and let the DNS proxy handle it (without getting blocked by policy error, which happen before the packet reaches any of the proxy providers.) thanks !

I'm looking for API to add a new kerberos credentials to macOS internal ticket store. Basically, I'd like to replace the whole authentication process with a proprietary component and not rely on the OS kerberos implementation, and get the following items: Client-to-server ticket encrypted using the resource's secret key. A new Authenticator encrypted using Client/Server Session Key I'd like to set these 2 items where the OS keeps these items to be used when communicating with the resource itself. Also, I'd like to keep another kerberos item retrieved after the first communication with the resource and it's used for SSO to allow additional request to the resource for a certain period of time. this item is the timestamp found in client's Authenticator encrypted using the Client/Server Session Key Is there an API I can use to inject those items to where the OS keeps the kerberos Items so it can use them when it access the resource itself.

Hi, I've built an installation package (file with .pkg suffix). when I double click the pkg file whereas newer version of the package is already installed, then the installer skip the downgrade process due to the following reason. 2023-02-22 20:19:11+02 my-Mac installd[744]: PackageKit: Skipping component “com.myapp.mycompany” (22.9.0-2209.0.0-*) because the version 23.2.3559-2302.3559.11638-* is already installed at /Applications/myapp.app. However, I still see that the preinstall and postinstall script being executed. Perhaps there's a way to either enable the downgrade, or disable it completely, so I won't get this partial install scenario. Is there a way I can get indication that the installer has skipped the file copying of the target pkg, from within the post/pre install scripts (so I can handle it properly) ?

Hi, I'm using NSURSessionDataTask in order to send REST command to remote server. the server doesn't request client-side verification in TLS, but the client does request server authentication as implemented in the following code if (challenge.protectionSpace.authenticationMethod == NSURLAuthenticationMethodServerTrust) { NSURLCredential* credential = [NSURLCredential credentialForTrust:challenge.protectionSpace.serverTrust]; completionHandler(NSURLSessionAuthChallengePerformDefaultHandling, nil); However, even though I set the server certificate as "Trusted" I get the following failure : 2023-01-13 00:45:51.139349+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) System Trust Evaluation yielded stat us(-9802) 2023-01-13 00:45:51.139390+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) ATS failed system trust 2023-01-13 00:45:51.139413+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: system TLS Trust eva luation failed(-9802) 2023-01-13 00:45:51.139432+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust result -98 02 2023-01-13 00:45:51.139450+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: TLS Trust encountere d error 3:-9802 2023-01-13 00:45:51.139467+0700 0x348f4 Error   0x0        7633 0 pas: (CFNetwork) Connection 132: encountered error(3: -9802) 2023-01-13 00:45:51.139488+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) Connection 132: cleaning up 2023-01-13 00:45:51.139508+0700 0x348f4 Default  0x0        7633 0 pas: (CFNetwork) [com.apple.CFNetwork:Summary] Connec tion 132: summary for unused connection {protocol=“(null)“, domain_lookup_duration_ms=0, connect_duration_ms=0, secure_connection_duration_ms=0 , private_relay=false, idle_duration_ms=0} I also tried to connect the same URL from various browsers, and it passed those security checks... How can I figure out what is the problem here? I made sure that the server certificate is set to trusted on system keychain, and my process is running in elevated user mode. I know how to disable this check, but I prefer to understand exactly what It means and fix the certificate chain if needed. thanks