According to the documentation, pfctl is supposed to remove all anchors if there are no rules beneath them. This behavior aligns with the specifications up to Big Sur.
However, starting from Ventura and onward, pfctl retains anchors even after flushing out all rules, states, tables, etc.
I think this is a huge leaking issue. The only way to remove all the zombie anchors is to reboot the system.
Repro steps.
Setup.
/etc/pf.conf
scrub-anchor "com.apple/*"
nat-anchor "com.apple/*"
rdr-anchor "com.apple/*"
dummynet-anchor "com.apple/*"
anchor "com.apple/*"
load anchor "com.apple" from "/etc/pf.anchors/com.apple"
anchor "com.foo/*"
load anchor "com.foo" from "/etc/pf.anchors/com.foo"
/etc/pf.anchors/com.foo
anchor "sub_foo" in inet all {
block drop out all
pass out log (user) quick inet from any to any flags any keep state
pass out log (user) quick inet from any to any no state
}
Now here are the repro steps.
1. Load rules pfctl -f /etc/pf.conf
2. Check anchors pfctl -sA
com.apple
com.foo
3. Check subanchors of com.foo
pfctl -a "com.foo" -sA
com.foo/sub_foo
4. Check rules of subanchor sub_foo
pfctl -a "com.foo" -sr
anchor "com.foo/sub_foo" in inet all
5. Remove all rules, states, whatever
pfctl -a "com.foo" -Fa
rules cleared
nat cleared
dummynet cleared
0 tables deleted.
6. Check if the anchor is gone
pfctl -a "com.foo" -sA
com.foo/sub_foo
7. Since the anchor in #6 didn't go away, check and see if there are any rules underneath it.
pfctl -a "com.foo" -sr
No rules.
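The seven steps above, turned into a script so the check can be repeated after each macOS update. This is an added example, not code from the original post: it assumes macOS, root, and the /etc/pf.conf and /etc/pf.anchors/com.foo files shown above, and it assumes that pfctl's "No rules." line is its way of reporting an empty rule list. The text helpers are separated from the pfctl calls so the leak test can be exercised on captured output.

```shell
#!/bin/sh
# Added example, not from the original post: drive the seven repro steps above
# and report whether sub-anchors survive `pfctl -Fa`. Assumes macOS, root, and
# the /etc/pf.conf and /etc/pf.anchors/com.foo files shown in the post.
set -eu

ANCHOR="${1:-com.foo}"   # anchor under test; com.foo is the post's example

# count_entries: number of non-blank lines in the text passed as $1.
# Pure text helper so the leak check can be exercised on captured output.
count_entries() {
    printf '%s\n' "$1" | awk 'NF { n++ } END { print n + 0 }'
}

# anchor_leaked: succeeds (exit 0) when the sub-anchor listing taken after the
# flush is non-empty while the rule listing is empty, i.e. the Ventura behaviour
# the post describes; fails (exit 1) for the documented Big Sur behaviour.
#   $1 = output of `pfctl -a "$ANCHOR" -sA` after flushing
#   $2 = output of `pfctl -a "$ANCHOR" -sr` after flushing
# "No rules." is assumed to be pfctl's way of saying the list is empty.
anchor_leaked() {
    subs=$(count_entries "$1")
    rules=$(printf '%s\n' "$2" | grep -v '^No rules' | awk 'NF { n++ } END { print n + 0 }')
    [ "$subs" -gt 0 ] && [ "$rules" -eq 0 ]
}

# run_repro: steps 1-7 from the post against the live firewall.
run_repro() {
    pfctl -f /etc/pf.conf                   # 1. load rules
    pfctl -sA                               # 2. top-level anchors
    pfctl -a "$ANCHOR" -sA                  # 3. sub-anchors before the flush
    pfctl -a "$ANCHOR" -sr                  # 4. rules before the flush
    pfctl -a "$ANCHOR" -Fa                  # 5. flush rules, states, tables...
    after_anchors=$(pfctl -a "$ANCHOR" -sA 2>/dev/null || true)   # 6.
    after_rules=$(pfctl -a "$ANCHOR" -sr 2>&1 || true)            # 7.
    if anchor_leaked "$after_anchors" "$after_rules"; then
        echo "LEAK: sub-anchors of $ANCHOR survived the flush:"
        printf '%s\n' "$after_anchors"
        return 1
    fi
    echo "OK: no sub-anchors left under $ANCHOR"
}

# Only touch the live firewall when run as root on a machine that has pfctl;
# otherwise the script just defines the helpers above.
if [ "$(id -u)" -eq 0 ] && command -v pfctl >/dev/null 2>&1; then
    run_repro
fi
```

Run it as `sudo sh check_anchor_leak.sh com.foo`; a non-zero exit means the anchor outlived its rules, which is the state the post reports on Ventura.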
Could not set environment: 150: Operation not permitted while System Integrity Protection is engaged
Hi.
After the recent update of Ventura to 13.4 and Big Sur to 11.7.7,
all of a sudden "launchctl setenv" returns the following error.
Could not set environment: 150: Operation not permitted while System Integrity Protection is engaged
Is there any workaround to fix this?
Hi
I am wondering if there is any way I can configure the proxy on nw_connection without using the system's global proxy.
It looks like NSUrl can, but nw_connection can't, no?
Hi.
In the Objective-C API, is there any way to get the proxy setting for a specific interface or network service?
Hi.
I want to know if there is any way to set a network proxy in global scope, or at least set a network proxy on an interface not listed as a network service, like
Display Ethernet
Belkin USB-C LAN
Wi-Fi
Thunderbolt Bridge
I searched online, but I only see how to configure the proxy per network service.
Hi.
I want to automate test installation and uninstallation of network extension software.
However, it looks like whenever I install it, Gatekeeper and another pop-up always block automation.
My app is fully notarized and stapled, but it seems like it is almost impossible to bypass those two pop-ups.
I want something with functionality similar to Windows Test Mode.
Hi.
My system extensions hang when I list the system extensions,
and I believe it has something to do with a hang when I tried to open System Preferences > Security & Privacy.
Big Sur 11.6.5
I disabled SIP hoping that might help, so the state of SIP is not relevant here.
How do I recover from it?
I already tried recovery mode and a PRAM reset etc., and even reinstalled Big Sur, which doesn't help.
Process: sysextd [8020]
Path: /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
Identifier: sysextd
Version: ???
Code Type: X86-64 (Native)
Parent Process: launchd [1]
User ID: 0
Date/Time: 2022-04-24 08:19:55.3971 -0700
OS Version: macOS 11.6.5 (20G527)
Report Version: 12
Bridge OS Version: 6.4 (19P4242)
Anonymous UUID: C4E6D890-8EC9-1CEF-396D-A7FF30DCCC6D
Time Awake Since Boot: 6000 seconds
System Integrity Protection: disabled
Crashed Thread: 1 Dispatch queue: sysextd.extension_manager
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Exception Note: EXC_CORPSE_NOTIFY
Termination Reason: Namespace LIBSYSTEM, Code 2 Application Triggered Fault
Application Specific Information:
Thread 0:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x7fff2054a9de __ulock_wait + 10
1 libdispatch.dylib 0x7fff203d4fd7 _dlock_wait + 44
2 libdispatch.dylib 0x7fff203d526b _dispatch_group_wait_slow + 49
3 libdispatch.dylib 0x7fff203d7b2f dispatch_block_wait + 212
4 sysextd 0x108845f02 0x10883e000 + 32514
5 sysextd 0x108848e30 0x10883e000 + 44592
6 sysextd 0x1088485a9 0x10883e000 + 42409
7 libdyld.dylib 0x7fff20599f3d start + 1
Thread 1 Crashed:: Dispatch queue: sysextd.extension_manager
0 libsystem_kernel.dylib 0x7fff2056b55e __abort_with_payload + 10
1 libsystem_kernel.dylib 0x7fff2056cfc5 abort_with_payload_wrapper_internal + 80
2 libsystem_kernel.dylib 0x7fff2056cff7 abort_with_payload + 9
3 libsystem_c.dylib 0x7fff204d265f _os_crash_fmt.cold.1 + 55
4 libsystem_c.dylib 0x7fff20465165 _os_crash_fmt + 154
5 sysextd 0x108843520 0x10883e000 + 21792
6 sysextd 0x1088a7b34 0x10883e000 + 432948
7 sysextd 0x108865c6d 0x10883e000 + 162925
8 sysextd 0x108868538 0x10883e000 + 173368
9 sysextd 0x108845f49 0x10883e000 + 32585
10 libdispatch.dylib 0x7fff203e119e _dispatch_block_async_invoke2 + 83
11 libdispatch.dylib 0x7fff203d4806 _dispatch_client_callout + 8
12 libdispatch.dylib 0x7fff203da5ea _dispatch_lane_serial_drain + 606
13 libdispatch.dylib 0x7fff203db0ad _dispatch_lane_invoke + 366
14 libdispatch.dylib 0x7fff203e4c0d _dispatch_workloop_worker_thread + 811
15 libsystem_pthread.dylib 0x7fff2057b45d _pthread_wqthread + 314
16 libsystem_pthread.dylib 0x7fff2057a42f start_wqthread + 15
Thread 1 crashed with X86 Thread State (64-bit):
rax: 0x0000000002000209 rbx: 0x0000000000000000 rcx: 0x0000700000f21818 rdx: 0x0000700000f218d0
rdi: 0x0000000000000012 rsi: 0x0000000000000002 rbp: 0x0000700000f21860 rsp: 0x0000700000f21818
r8: 0x00007fc0b5704590 r9: 0x0000000000000000 r10: 0x000000000000005a r11: 0x0000000000000246
r12: 0x000000000000005a r13: 0x0000700000f218d0 r14: 0x0000000000000002 r15: 0x0000000000000012
rip: 0x00007fff2056b55e rfl: 0x0000000000000246 cr2: 0x000000010a9a4000
Logical CPU: 0
Error Code: 0x02000209
Trap Number: 133
Binary Images:
0x7fff20548000 - 0x7fff20577fff libsystem_kernel.dylib (*) <f0ea5d27-bbc5-3934-ab09-4a5301731981> /usr/lib/system/libsystem_kernel.dylib
0x7fff203d1000 - 0x7fff20415fff libdispatch.dylib (*) <ba7ad614-f2c2-3e89-9043-43dd548ae5b1> /usr/lib/system/libdispatch.dylib
0x10883e000 - 0x1088d1fff sysextd (*) <5c524909-d7cc-3531-8d1b-41017d247ac6> /System/Library/Frameworks/SystemExtensions.framework/Versions/A/Helpers/sysextd
0x7fff20584000 - 0x7fff205bffff libdyld.dylib (*) <5fbd0e1a-acce-36db-b11c-622f26c85132> /usr/lib/system/libdyld.dylib
0x7fff20453000 - 0x7fff204dbfff libsystem_c.dylib (*) <8447a4b8-0751-3ef1-aa9b-042e40efa07d> /usr/lib/system/libsystem_c.dylib
0x7fff20578000 - 0x7fff20583fff libsystem_pthread.dylib (*) <49670aec-4d5d-3383-906c-23f568351fcb> /usr/lib/system/libsystem_pthread.dylib
External Modification Summary:
Calls made by other processes targeting this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by this process:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
Calls made by all processes on this machine:
task_for_pid: 0
thread_create: 0
thread_set_state: 0
VM Region Summary:
ReadOnly portion of Libraries: Total=637.0M resident=0K(0%) swapped_out_or_unallocated=637.0M(100%)
Writable regions: Total=279.1M written=0K(0%) resident=0K(0%) swapped_out=0K(0%) unallocated=279.1M(100%)
VIRTUAL REGION
REGION TYPE SIZE COUNT (non-coalesced)
=========== ======= =======
Activity Tracing 256K 1
Dispatch continuations 96.0M 1
Kernel Alloc Once 8K 1
MALLOC 54.1M 18
MALLOC guard page 24K 5
MALLOC_MEDIUM (reserved) 120.0M 1 reserved VM address space (unallocated)
STACK GUARD 56.0M 2
Stack 8712K 2
VM_ALLOCATE 12K 3
__DATA 7022K 218
__DATA_CONST 8248K 140
__DATA_DIRTY 455K 87
__FONT_DATA 4K 1
__LINKEDIT 500.3M 5
__OBJC_RO 70.3M 1
__OBJC_RW 2496K 2
__TEXT 136.7M 218
__UNICODE 588K 1
mapped file 31.7M 2
shared memory 572K 5
=========== ======= =======
TOTAL 1.1G 714
TOTAL, minus reserved VM space 972.8M 714
Hi. I have a question about SimpleFirewall for inbound flow control.
let inboundNetworkRule = NENetworkRule(remoteNetwork: nil,
remotePrefix: 0,
localNetwork: localNetwork,
localPrefix: 0,
protocol: .TCP,
direction: .inbound)
In this example, I noticed that if I add a specific remoteNetwork instead of nil, the flow doesn't hit the handleNewFlow function at all.
In the case of remoteNetwork: "0.0.0.0" and remotePrefix: 0, all the inbound flows hit handleNewFlow, but in the case of
remoteNetwork: "192.168.41.161" and remotePrefix: 32
it won't work.
Am I missing something or is it a limitation of the content filter provider?
Besides, is there any way we can catch flow by port ranges?
Hi.
I have a fresh Catalina with version 10.15.7
When I run
/Application/Safari.app/Contents/MacOS/Safari
From my user account terminal, no issue.
However, if I do
sudo /Application/Safari.app/Contents/MacOS/Safari
zsh: illegal hardware instruction /Application/Safari.app/Contents/MacOS/Safari error
What is wrong?
I don't see this issue with my BigSur though.
I read somewhere that any apps installed under
/Library/LaunchDaemons will be run systemwide
and any apps under /Library/LaunchAgents will be run per-user based.
I noticed that the network extension app (which contains one hosting app and one network extension) is installed under LaunchAgents, not under LaunchDaemon.
Does that mean any network extension requires a user to be logged in?
Or will it continue to work even after the user logs out?
Hi.
I have an archive package that contains multiple packages.
One of the pkg has a network extension app.
I normally notarize the top archive package and staple it.
However, when I try to install the pkg, I keep encountering Gatekeeper.
I notarized and stapled each of the pkgs inside the archive, then
created the archive package again and notarized/stapled it.
But again, I still see the same issue: I keep seeing Gatekeeper.
Am I missing something?
Through Xcode, I was able to add content-filter-provider but I cannot find a way to add entitlement of content-filter-provider-systemextension.
Based on the documentation I need the content-filter-provider-systemextension entitlement with developer ID.
Hi.
I have a problem with launching a notarized app on Catalina.
Here is the dump of each command.
security cms -D -i ./foo.app/Contents/embedded.provisionprofile
<key>Entitlements</key>
<dict>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>app-proxy-provider</string>
<string>content-filter-provider</string>
<string>packet-tunnel-provider</string>
<string>dns-proxy</string>
<string>dns-settings</string>
</array>
<key>com.apple.application-identifier</key>
<string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>keychain-access-groups</key>
<array>
<string>69Q4FM6AL9.*</string>
</array>
<key>com.apple.developer.team-identifier</key>
<string>69Q4FM6AL9</string>
</dict>
<key>ExpirationDate</key>
<date>2023-03-17T17:17:19Z</date>
<key>Name</key>
<string>Mac Team Provisioning Profile: com.foo.foo-ven.filter</string>
<key>ProvisionedDevices</key>
<array>
<string>2B599D97-8FEF-5882-A14B-F1DF26B8D5D7</string>
<string>564D6794-6B4B-1320-D0BB-3E45014AF41C</string>
<string>564D82E8-7BE0-078D-5B15-BCA5E143D1C9</string>
<string>09782725-2944-5F56-BC1B-EE723365C425</string>
<string>564DCBDB-1406-AE9A-4ADE-F33897B06F77</string>
<string>87E06DD6-94FC-5268-91E6-35488508A0F7</string>
<string>271B625C-75A3-5435-8C15-2163E942A995</string>
</array>
<key>TeamIdentifier</key>
<array>
<string>69Q4FM6AL9</string>
</array>
<key>TeamName</key>
<string>foo, Inc.</string>
<key>TimeToLive</key>
<integer>365</integer>
<key>UUID</key>
<string>bd08aec0-c92e-420e-8414-a2191d228fdc</string>
<key>Version</key>
<integer>1</integer>
</dict>
codesign -d --entitlements :- ./foo.app
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>com.apple.application-identifier</key>
<string>69Q4FM6AL9.com.foo.foo-ven.filter</string>
<key>com.apple.developer.networking.networkextension</key>
<array>
<string>content-filter-provider</string>
</array>
<key>com.apple.developer.system-extension.install</key>
<true/>
<key>com.apple.developer.team-identifier</key>
<string>69Q4FM6AL9</string>
<key>com.apple.security.app-sandbox</key>
<true/>
<key>com.apple.security.application-groups</key>
<array>
<string>69Q4FM6AL9.group.com.foo.foo_ven.filter_data</string>
</array>
<key>com.apple.security.files.user-selected.read-only</key>
<true/>
</dict>
Can you help me figure out why my app is failing to run due to
removing service since it exited with consistent failure - OS_REASON_CODESIGNING | When validating /Applications/fooVenFilter.app/Contents/MacOS/fooVenFilter:
Code has restricted entitlements, but the validation of its code signature failed.
Unsatisfied Entitlements:
I have a flattened pkg file to notarize.
It is signed at the build time by the Developer ID installer.
Here is the output of a series of commands.
check notarization status
submit notarization and status
check status of notarization after notarization completes.
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs>spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
./foo.mac11.x86_64.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> xcrun notarytool submit ./foo.mac11.x86_64.pkg --keychain-profile "AC_PASSWORD" --wait
Conducting pre-submission checks for foo.mac11.x86_64.pkg and initiating connection to the Apple notary service...
Submission ID received
id: cc2d06be-fb07-4794-a92a-996ac07985fd
Successfully uploaded file
id: cc2d06be-fb07-4794-a92a-996ac07985fd
path: /Users/mtnview/Documents/shared_vm/dev/hawkeye/cmake-macos/pkgs/foo.mac11.x86_64.pkg
Waiting for processing to complete.
Current status: Accepted..........
Processing complete
id: cc2d06be-fb07-4794-a92a-996ac07985fd
status: Accepted
mtnview@C02YC2G0JGH5 ~/D/s/d/h/c/pkgs> spctl -a -vvv -t install ./foo.mac11.x86_64.pkg
./foo.mac11.x86_64.pkg: rejected
source=Unnotarized Developer ID
origin=Developer ID Installer: foo, Inc. (69Q4FM6AL9)
Apple says it is accepted, but the status still says Unnotarized Developer ID and rejected?
Here is the log
"logFormatVersion": 1,
"jobId": "cc2d06be-fb07-4794-a92a-996ac07985fd",
"status": "Accepted",
"statusSummary": "Ready for distribution",
"statusCode": 0,
"archiveFilename": "foo.mac11.x86_64.pkg",
"uploadDate": "2022-03-17T13:35:11.753Z",
"sha256": "d5fa4e165df10b548f111a193fbbddceadcdc6a68307884dd5ae5f57a6bbe73a",
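The command sequence in this post (spctl assess, notarytool submit, spctl assess again) as one script, added here as an example and not taken from the post. It assumes macOS with the Xcode command line tools, a stored notarytool keychain profile named AC_PASSWORD (the profile name the post uses), and a pkg path passed as the first argument. It goes one step beyond the post's sequence by stapling the ticket (xcrun stapler staple) before the second assessment, since the post's commands never attach the ticket to the package; whether that is what was missing in this particular case the post does not say. The two text helpers parse notarytool and spctl output and can be checked offline.

```shell
#!/bin/sh
# Added example, not from the original post: notarize, staple and re-assess a
# Developer ID-signed pkg in one pass, so that notarytool's "Accepted" and
# spctl's verdict are checked together. Assumes macOS with the Xcode command
# line tools and a stored notarytool keychain profile named AC_PASSWORD (the
# profile name used in the post); the pkg path is passed as $1.
set -eu

PROFILE="AC_PASSWORD"

# notary_accepted: succeeds when the captured `notarytool submit --wait` output
# ends with a final "status: Accepted" line. The "Current status: ..." progress
# line is deliberately ignored. Pure text function, testable offline.
notary_accepted() {
    printf '%s\n' "$1" | awk '
        /^[ \t]*status:/ { last = $2 }
        END { if (last == "Accepted") exit 0; exit 1 }'
}

# spctl_verdict: prints "accepted" or "rejected" from `spctl -a -t install` output.
spctl_verdict() {
    printf '%s\n' "$1" | awk '/: (accepted|rejected)$/ { sub(/.*: /, ""); print; exit }'
}

# notarize_pkg: submit, wait, staple the ticket into the package, then ask
# Gatekeeper's policy engine what it thinks of the result.
notarize_pkg() {
    pkg=$1
    out=$(xcrun notarytool submit "$pkg" --keychain-profile "$PROFILE" --wait 2>&1) || true
    printf '%s\n' "$out"
    if ! notary_accepted "$out"; then
        echo "notarization was not accepted; fetch the log with:" >&2
        echo "  xcrun notarytool log <submission-id> --keychain-profile $PROFILE" >&2
        return 1
    fi
    # The ticket only exists on Apple's servers until it is stapled; stapling
    # attaches it to the pkg so the assessment no longer depends on a lookup.
    xcrun stapler staple "$pkg"
    xcrun stapler validate "$pkg"
    verdict=$(spctl_verdict "$(spctl -a -vvv -t install "$pkg" 2>&1 || true)")
    echo "spctl verdict: ${verdict:-unknown}"
    [ "$verdict" = accepted ]
}

# Run only when a pkg path was given and the Apple tools are present.
if [ -n "${1-}" ] && command -v xcrun >/dev/null 2>&1; then
    notarize_pkg "$1"
fi
```

Usage: `sh notarize_and_check.sh ./foo.mac11.x86_64.pkg`. The script exits non-zero either when the notary service does not accept the submission or when spctl still rejects the stapled package, so the two results are never confused with each other.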
Hi.
I am trying to understand how NEFilterDataProvider works.
I see that handleNewFlow handles newly created flows matching the NEFilterRule that I set.
However, it doesn't look like it handles preexisting connections.
The existing traffic doesn't go to any of the handlers, so there is no way to give a verdict.
How do I keep preexisting connections from being interrupted?