Reply to How can I tell which restricted items does my application attempts to access
Hi Quinn, thanks for your help. Here are the agent plist contents. Notice that if I run it directly and not as a LaunchAgent, there's no attempt to access /Users/user/Library/Autosave Information/. Could the plist contents explain it?

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>Label</key>
    <string>com.comp.prod.myAgent</string>
    <key>LimitLoadToSessionType</key>
    <string>Aqua</string>
    <key>Program</key>
    <string>/Applications/myApp.app/Contents/MacOS/myApp</string>
    <key>RunAtLoad</key>
    <true/>
    <key>KeepAlive</key>
    <true/>
</dict>
</plist>
```
Mar ’24
Reply to How can I tell which restricted items does my application attempts to access
It appears that I was wrong and the restricted file lies in /Users/user/Library/Autosave Information/. According to fs_usage, /Users/user/Library/Autosave Information/com.myComp.myApp.plist is probably a copy of our app preferences file, which has the same name: /Users/user/Library/Preferences/com.myComp.myApp.plist. But it looks like nothing is being written to that file; it just attempts to read this non-existent replica in the Autosave folder, and that's what triggers the permission popup. I've tried to disable access to Autosave using the following command, but it didn't work...

```sh
defaults write com.myComp.myApp ApplePersistence -bool no
```

I removed all known contents from my application and it still attempts to access this file in the folder. Any idea how I can avoid reading this file?
Mar ’24
Reply to Detect and thwart file copy operation using securityExtension.
Thanks for your quick reply Quinn. I see that in your post you specifically refer to one of the use cases I'm trying to implement, which is to catch file copying (either from Finder or from Terminal using cp) to a remote file storage device. Perhaps you can give me some guidelines for how to approach this issue? Does ES have a high-level interface for file copying? Perhaps I should use DriverKit to catch the data being copied and block it until scanned...
Feb ’24
Reply to Using SimplePing example to send ICMP with DF flag set
Hey Quinn, the trick with using a raw socket worked indeed. Thanks! I just had to create the socket in the following manner:

```c
fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
```

and then I could use setsockopt with the don't-fragment flag. One thing still puzzles me... I've asked in the past whether there's a way to use the PMTU that is calculated at the OS level. I got a reply that it's already being calculated when using high-level frameworks like NSURLSession. However, from looking at Wireshark it seems that the PMTU is calculated all over again for every new TCP connection... Attached is the Wireshark traffic I saw for each HTTPS message I sent with an NSURLSession-based connection (you can see that it always starts with a packet size equal to the MTU of the current node, and after it gets rejections, it moves to the expected MTU, which is 1000 - I deliberately set the MTU of one of the hops on the way to this value). So I wonder if in macOS there's a PMTU cache at all per route? I used to think it's in the routing table, which can be acquired using the following API:

```cpp
mib[0] = CTL_NET;
mib[1] = PF_ROUTE;
mib[2] = 0;
mib[3] = 0;
mib[4] = NET_RT_DUMP;
mib[5] = 0;
sysctl(mib.data(), kSysctlMibLength, nullptr, &size_needed, nullptr, 0);
```
Aug ’23
Reply to Using SimplePing example to send ICMP with DF flag set
Hi Quinn, SimplePing is written in Objective-C so I couldn't use Int/CInt; instead I replaced int val with uint32_t val just to make sure I work with 32 bits, and also made sure that the function setsockopt returns 0, which symbolizes success. However, when I trace the ping ICMP packets in Wireshark, I can clearly see that the DF bit is unset in the IP header. In the SimplePing example, they first create the underlying BSD socket, and then use it to create the Core Foundation socket. Here is the relevant code:

```objc
fd = -1;
err = 0;
switch (self.hostAddressFamily) {
    case AF_INET: {
        fd = socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP);
        uint32_t val = 1;
        if (fd < 0) {
            err = errno;
            break;
        }
        int x = setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, sizeof(val));
        if (x < 0) {
            err = errno;
        }
    } break;
    // remaining cases of the switch elided
}

// after creating the BSD socket it creates the CFSocket
self.socket = (CFSocketRef) CFAutorelease( CFSocketCreateWithNative(NULL, fd, kCFSocketReadCallBack, SocketReadCallback, &context) );
assert(self.socket != NULL);

// The socket will now take care of cleaning up our file descriptor.
assert( CFSocketGetSocketFlags(self.socket) & kCFSocketCloseOnInvalidate );
fd = -1;

rls = CFSocketCreateRunLoopSource(NULL, self.socket, 0);
assert(rls != NULL);
CFRunLoopAddSource(CFRunLoopGetCurrent(), rls, kCFRunLoopDefaultMode);
CFRelease(rls);
```

I wonder if the DF option is being deleted somewhere when I create the CFSocket from the BSD socket.
Aug ’23
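One check that separates "the option was lost when the descriptor was wrapped" from "the option is set but not honoured for this socket type" is to read the option back with getsockopt after the CFSocket has been created. The following is an added example, not SimplePing's or Apple's code; it serves both this reply and the later one above that reports a SOCK_RAW socket working (open_df_socket(SOCK_RAW, IPPROTO_ICMP) applies the same option to that variant, root permitting). It assumes only the BSD socket API; on Linux, where IP_DONTFRAG does not exist, it uses IP_MTU_DISCOVER instead so the same check runs there.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Request IPv4 "don't fragment" on a socket. macOS exposes this as IP_DONTFRAG
 * (the option used in the post above); Linux uses IP_MTU_DISCOVER. 0 = ok, -1 = error. */
int set_dont_fragment(int fd, int on) {
#if defined(__APPLE__)
    int val = on ? 1 : 0;
    return setsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, sizeof(val));
#elif defined(__linux__)
    int val = on ? IP_PMTUDISC_DO : IP_PMTUDISC_DONT;
    return setsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, sizeof(val));
#endif
}

/* Read the setting back from the kernel: 1 = DF requested, 0 = not, -1 = error. The option
 * lives on the descriptor, so calling this after CFSocketCreateWithNative shows whether it survived. */
int get_dont_fragment(int fd) {
    int val = 0;
    socklen_t len = sizeof(val);
#if defined(__APPLE__)
    if (getsockopt(fd, IPPROTO_IP, IP_DONTFRAG, &val, &len) < 0) return -1;
    return val ? 1 : 0;
#elif defined(__linux__)
    if (getsockopt(fd, IPPROTO_IP, IP_MTU_DISCOVER, &val, &len) < 0) return -1;
    return val == IP_PMTUDISC_DO ? 1 : 0;
#endif
}

/* Open an AF_INET socket with DF requested: SOCK_DGRAM/IPPROTO_UDP runs unprivileged, SOCK_RAW/IPPROTO_ICMP needs root. */
int open_df_socket(int type, int proto) {
    int fd = socket(AF_INET, type, proto);
    if (fd < 0) return -1;
    if (set_dont_fragment(fd, 1) < 0) { int e = errno; close(fd); errno = e; return -1; }
    return fd;
}

int main(void) {
    int fd = open_df_socket(SOCK_DGRAM, IPPROTO_UDP);
    if (fd < 0) { perror("open_df_socket"); return 1; }
    printf("DF requested: %d\n", get_dont_fragment(fd)); /* expect 1 */
    return close(fd);
}
```

If get_dont_fragment still returns 1 on the wrapped descriptor while Wireshark shows DF clear, the wrapping did not drop the option and the difference lies in how the kernel treats that socket type.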
Reply to MTU cache doesn't gets updated when PMTU is set.
Hi meaton, basically my virtual interface is implemented by a socket (old fashioned) and not a Network Extension (I plan to implement it using an extension in the future). Anyhow, I've got a way to set the MTU. However, before that I need to find the PMTU from agent to server. So my basic desire is to trigger the PMTU discovery properly and then read it and set it on my virtual interface... Currently I've tried to stimulate this flow using /usr/bin/nscurl but the PMTU remained the same (1500). Maybe I used small HTTPS messages... Perhaps you can advise me on a proper way to trigger the PMTU? Maybe you can give me sample code for that or a terminal command? Thanks!
Aug ’23
Reply to Restrict access to keychain using non-standard access control policy
Just a follow-up question since you mentioned the concept of DRM. So I've read the technical document about Apple's version of DRM called "Apple FairPlay" and it looks like it's not good for application verification. I wonder if there's any built-in signing certificate in the keychain that is non-exportable (and is kept in the Secure Enclave) that I can use with my app to prove that the device I'm running my program on is an expected device. This way, I can at least verify that the app is not installed on an unauthorized machine...
May ’23
Reply to Restrict access to keychain using non-standard access control policy
Hi Quinn and thanks for the answer. It indeed seems like the right solution for me, except for the fact that any privileged user can directly access the keychain item (see attached). Perhaps there's a way to prevent this? Do I need the file-based keychain in this case, and to create a dedicated keychain for this item with a unique password that only the process will possess? Or perhaps I can achieve my goal by simply using a different item (not a password) that limits content viewing from outside the keychain API? Thanks
May ’23
Reply to Restrict access to keychain using non-standard access control policy
My process can be either a bundled application (under /Applications), or a sub-bundle application that can run as a LaunchAgent (in the user context). I've programmed those applications, so I can tell they have a main.m source file. Also, is all of this code running in the same GUI login context? Yes, all my applications are running in the same user context (LaunchAgent or standalone application). I wonder if I can use the application's keychain group to be able to exclusively access specific private items in the keychain. I've noticed that when I create a keychain item (using the SecItemAdd command), it can be accessed/deleted from the Keychain app UI, and I want to prevent that and allow only the app with a specific group ID exclusive access to this item.
May ’23
Reply to Mixing NEDNSProxyProvider and NEAppProxyProvider create problems sending DNS requests
Hi Meaton, perhaps you can guide me on how to distinguish DNS packets/responses from other traffic (TCP/UDP) in NETransparentProxyProvider. I know how to use handleNewFlow and handleNewUDPFlow to catch all TCP/UDP traffic; I guess that in order to extract the DNS packets I need to add to the completion of handleNewUDPFlow a check whether the destination port is 53, right? Also, how can I get the process name initiating the connection in NETransparentProxyProvider? I want to get callbacks for certain apps only. Do I need to check all connections or can I configure the transparent provider to forward the connections at app resolution? If so, how can I configure it in saveToPreferences from the manager side? Thanks
Apr ’23