Post / Replies / Boosts / Views / Activity
View only the network traffic that exits the Mac
Hi, I'm using tcpdump and Wireshark to inspect the network packets that are received and sent from my Mac. I'm inspecting the traffic from the WiFi interface, but the problem is that the tools also display the traffic that doesn't exit the system, e.g. the packets that are blocked by the firewall. Is it possible to somehow see the traffic that for sure left the Mac? e.g.
- make a UDP or TCP connection to a remote address, ADDR_1
- start sending/receiving packets
- block all the traffic, received & sent, to ADDR_1 using e.g. pf rules
- Wireshark & tcpdump will still show for some time (probably until the TCP timeout) the outgoing traffic to ADDR_1, even if the packets are not leaving the Mac because they are blocked by the firewall.
In this case, is it possible to filter out these packets so they are not displayed by the tools? Thanks
2 replies, 0 boosts, 920 views, Aug ’23
kSecUseDataProtectionKeychain sometimes creates keys in the iCloud keychain
Hi, On my macOS 13.4.1, if we use kSecUseDataProtectionKeychain to save passwords into the keychain, then the keys are sometimes created in the login keychain, but sometimes in iCloud (or Local Items when iCloud is disabled). If kSecUseDataProtectionKeychain is removed, then they are always in login. I've even tried to set kSecAttrSynchronizable to kCFBooleanFalse, but the behaviour is the same. Where should the keys be created when kSecUseDataProtectionKeychain is used? And does it mean that if the key is in the iCloud keychain it will be synced to other devices, even if it doesn't have kSecAttrSynchronizable? Thanks
3 replies, 0 boosts, 671 views, Jul ’23
Change includeAllNetworks from NetworkExtension while tunnel is running
Hi, I saw that almost each OS version, on iOS and macOS, handles changing includeAllNetworks while the tunnel is running differently. On some the entire OS reports no-net, while others, especially the latest versions, handle this fine. Can includeAllNetworks be changed while the tunnel is running, or must the tunnel be stopped and restarted with the new value? e.g. the tunnel is started with it set to false, but later it is changed to true in the VPN profile. And on the same note, regarding setTunnelNetworkSettings, can this be called multiple times while the tunnel is running? For example if the VPN server IP changes. Because from what I've seen, each call to setTunnelNetworkSettings after the VPN is connected results in at least DNS leaks, because the routing table is recreated. Let me know if it is easier to track these as separate questions. Thanks
3 replies, 0 boosts, 782 views, Jun ’23
Running daemon with custom group id
Hi, I need to run a daemon helper (launchd) with a custom group ID. For this I specify the group ID in the plist and everything works fine. The problems appear if I delete the group ID. Then the executable will not start anymore, and if I want to send an XPC message with remoteObjectProxyWithErrorHandler it will not return any error and the completion blocks are never executed. What would be the correct way to check/handle the above situations?
- recreate the group if it was deleted
- detect that the XPC connection cannot be established because the helper doesn't start
Thanks
0 replies, 0 boosts, 367 views, Apr ’23
CFNetwork no internet after VPN connection
Hi, I've got into a very strange no-internet situation on macOS 13.3 (others reproduced it on other versions too, e.g. 10.15). After I've disconnected from the VPN, connected with includeAllNetworks=true, CFNetwork returned no internet connection (error code: -1009). Some apps, e.g. Chrome, Firefox, ping, are running, but other apps, e.g. Safari, App Store, return no internet. In the logs I can see that cloudd is also not working:

    default 2023-04-12 06:57:50.383656 +0200 cloudd _CFNetworkIsConnectedToInternet returning 0, flagsValid: 1, flags: 0x0
    error 2023-04-12 06:57:50.383688 +0200 cloudd Task <925C1A17-8E2C-44C3-A730-38C9BB556990>.<23> HTTP load failed, 0/0 bytes (error code: -1009 [1:50])
    default 2023-04-12 06:57:50.383820 +0200 cloudd Task <925C1A17-8E2C-44C3-A730-38C9BB556990>.<23> summary for task failure {transaction_duration_ms=4, response_status=-1, connection=483, reused=1, request_start_ms=0, request_duration_ms=0, response_start_ms=0, response_duration_ms=0, request_bytes=0, response_bytes=0, cache_hit=false}
    error 2023-04-12 06:57:50.384151 +0200 cloudd Task <925C1A17-8E2C-44C3-A730-38C9BB556990>.<23> finished with error [-1009] Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1256a2bd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), scoped, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}
    default 2023-04-12 06:57:50.384856 +0200 cloudd NetworkingError, NSURLErrorDomain/-1009/NSUnderlyingError kCFErrorDomainCFNetwork/-1009
    info 2023-04-12 06:57:50.384892 +0200 cloudd NetworkingError, NSURLErrorDomain/-1009/NSUnderlyingError, kCFErrorDomainCFNetwork/-1009/_NSURLErrorNWPathKey unsatisfied (No network route), scoped
    info 2023-04-12 06:57:50.384895 +0200 cloudd NetworkingError, NSURLErrorDomain/-1009/NSUnderlyingError, kCFErrorDomainCFNetwork/-1009/_kCFStreamErrorCodeKey 50
    info 2023-04-12 06:57:50.384896 +0200 cloudd NetworkingError, NSURLErrorDomain/-1009/NSUnderlyingError, kCFErrorDomainCFNetwork/-1009/_kCFStreamErrorDomainKey 1
    default 2023-04-12 06:57:50.385169 +0200 cloudd req: 31FF22D0-CBCF-42DB-A56A-DA5DDAA56477, "URLSession:task:didCompleteWithError: Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1256a2bd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), scoped, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}"
    default 2023-04-12 06:57:50.385276 +0200 cloudd req: 31FF22D0-CBCF-42DB-A56A-DA5DDAA56477, "_finishOnLifecycleQueueWithError:, asked to finish with error Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1256a2bd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), scoped, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}"
    info 2023-04-12 06:57:50.385375 +0200 cloudd req: 31FF22D0-CBCF-42DB-A56A-DA5DDAA56477, "_finishOnLifecycleQueueWithError:, did finish request <private> with error Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1256a2bd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), scoped, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}"
    default 2023-04-12 06:57:50.385704 +0200 cloudd Finished operation <CKDFetchRecordZoneChangesOperation: 0x126d11e80; qos=Utility, operationID=0A1CCE2A049C7D04, finishedChildOpIDs=[4C26CE3A2036F0C4], requestIDs=[31FF22D0-CBCF-42DB-A56A-DA5DDAA56477], operationGroupID=67FB07CBADD854C9, operationGroupName=CKSyncEngine-FetchChangesForZonesIfNecessary-Manual, stateFlags=executing, flags=allows-cellular|allows-expensive, runningFor=0.01, <private>> metrics=<private> with error: Error Domain=NSURLErrorDomain Code=-1009 UserInfo={_kCFStreamErrorCodeKey=50, NSUnderlyingError=0x1256a2bd0 {Error Domain=kCFErrorDomainCFNetwork Code=-1009 UserInfo={_NSURLErrorNWPathKey=unsatisfied (No network route), scoped, _kCFStreamErrorCodeKey=50, _kCFStreamErrorDomainKey=1}}, _NSURLErrorFailingURLSessionTaskErrorKey=<private>, _NSURLErrorRelatedURLSessionTaskErrorKey=<private>, NSLocalizedDescription=<private>, NSErrorFailingURLStringKey=<private>, NSErrorFailingURLKey=<private>, _kCFStreamErrorDomainKey=1}

For some addresses scutil returns that it is not reachable:

    #
    # scutil -d -v -r www.apple.com
    # create w/name
    <SCNetworkReachability 0x12ee04290 [0x1f80aa820]> {name = www.apple.com}
    __SCNetworkReachabilityGetFlagsFromPath(GetFlags), flags = 0x00000000, nw_path_status_unsatisfied
    flags = 0x00000000 (Not Reachable)
    release
    #
    # scutil -d -v -r 0.0.0.0
    # create w/address
    <SCNetworkReachability 0x12e604290 [0x1f80aa820]> {default path}
    __SCNetworkReachabilityGetFlagsFromPath(GetFlags), flags = 0x00000000, nw_path_status_unsatisfied
    flags = 0x00000000 (Not Reachable)
    release
    #
    # scutil -d -v -r 169.254.0.0
    # create w/address
    <SCNetworkReachability 0x131e04290 [0x1f80aa820]> {address = 169.254.0.0}
    __SCNetworkReachabilityGetFlagsFromPath(GetFlags), flags = 0x00020002, nw_path_status_satisfied, by address, direct
    flags = 0x00020002 (Reachable,Directly Reachable Address)
    release

To fix this I've reconnected to the VPN, and it worked. After disconnecting from it everything worked fine. Probably because the VPN caused the DynamicStore changes and then the system reconfigured itself. Any suggestions on how to fix this? Thanks
1 reply, 0 boosts, 720 views, Apr ’23
Create hidden users group from terminal
Hi, I need to create a new users group on macOS (version 10.15 and up) from the terminal or from Swift. The group must be "hidden", not displayed in System Preferences, similar to the www group for example. I've found 2 ways to create a group from the terminal: dscl and dseditgroup, but in both cases the created group is visible in the Users and Groups list in System Settings. Any suggestions how I can hide the group? Thanks
1 reply, 0 boosts, 840 views, Mar ’23
Received a stop command from VPN with reason 1
I'm running a VPN app using NetworkExtension on macOS 13.2.1. I'm able to connect to the VPN server and run the tunnel. But if I change the VPN profile, which triggers a VPN reconnection (reasserting=true), while the System Settings app is open, the tunnel is stopped by the VPN.appex/Contents/MacOS/VPN app. The only "fix" for this is to close System Settings and then everything works fine. The logs contain lots of messages generated by VPN.appex, e.g.:

    VPN current generation (7734) does not equal posted generation (7735), fetching a new index
    ....
    VPN Skipping configuration App1 because it is of the wrong type
    VPN Skipping configuration App2 because it is of the wrong type
    VPN Skipping configuration App2 because it is of the wrong type
    VPN loadAll complete

but they are printed also when the tunnel is not stopped. Sometimes the tunnel is stopped and the logs contain:

    Received a stop command from VPN[26144] with reason 1
    ...
    Calling stopTunnelWithReason because: Stop command received

The only fix found so far is to close System Settings so VPN.appex is closed. Do you have any suggestions how to fix this? Thanks
0 replies, 0 boosts, 614 views, Mar ’23
Sockets created in the NE app are bound to the utun interface on Ventura 13
First, sorry for the long message, but I wanted to give as much info as possible. I have a VPN app that uses Network Extension and OpenVPN on Ventura (13.1). Before Ventura everything worked fine. I have a problem with sockets created from the network extension. The sockets created in the extension are assigned to the tunnel interface (utun3 in my case).

Scenario:
- Start the VPN (includeAllNetworks=true) => the OS creates utun3 and enters startTunnel in the NE app
- In the extension the app connects to the VPN server.
- Call setTunnelNetworkSettings with the new configuration and, when finished, call the completion block from startTunnel and set reasserting = false
- After 2 seconds create a new socket (C API) in the NE and connect => the socket is bound to the tunnel interface.

    # lsof output
    wifi ip=192.168.0.163
    utun3 IP=10.7.1.4
    8u IPv4 0xb394555904672715 0t0 TCP 192.168.0.163:60266->VPN_SERVER_IP (ESTABLISHED)
    9u IPv4 0xb394555904673d35 0t0 TCP 10.7.1.4:60284->SOME_WEBSITE_IP:http (ESTABLISHED)

From this point on, all the sockets created from the NE app are bound to the tunnel instead of the wifi interface. The tunnel must be restarted to work again.

What "helps" to fix this is to call, with a delay of at least 0.5 (less is not working), the completion block from startTunnel and reasserting=false after the VPN is connected, in the completion block from setTunnelNetworkSettings:

    // connection to VPN server is made
    setTunnelNetworkSettings(networkSettings) { error in
        DispatchQueue.main.asyncAfter(deadline: .now() + 0.5) {
            start_tunnel_completion_block()
            reasserting = false
            DispatchQueue.main.async {
                self.connectToSomeSocket()
            }
        }
    }

I've activated the extra logging for necp, and I've seen that necp creates a new rule (if no delay is used) for the VPN app that has to bind to utun3.

My system configuration is:
- wifi/en0 interface has index 15
- utun3, created when the tunnel starts, is index 22.
- in this case the Network Extension app, tunnel app, has PID 37567.
- Policy ID is 14569, which is created after the app calls the completion block from startTunnel and reasserting=false

Necp log (not the same run as the lsof from above):

    # While connecting to VPN server, the socket matched other rules that have interface index 22 (en0)
    error 10:44:55.101389+0100 kernel necp_socket_find_policy_match_with_info_locked: DATA-TRACE <SOCKET>: EXAMINING - policy id=14557 session_order=2002 policy_order=10806 result=IP_TUNNEL (cond_policy_id 0)
    error 10:44:55.101392+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_BOUND_INTERFACE> <value (15 / 0xF) (0 / 0x0) (0 / 0x0) input (15 / 0xF) (0 / 0x0) (0 / 0x0)>
    error 10:44:55.101397+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_APP_ID> <value (66309 / 0x10305) (0 / 0x0) (0 / 0x0) input (66309 / 0x10305) (0 / 0x0) (0 / 0x0)>
    error 10:44:55.101401+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_PID> <value (37567 / 0x92BF) (0 / 0x0) (0 / 0x0) input (37567 / 0x92BF) (0 / 0x0) (0 / 0x0)>
    error 10:44:55.101404+0100 kernel necp_socket_find_policy_match_with_info_locked: DATA-TRACE <SOCKET <private>>: MATCHED POLICY - proto 6 port <local 53511/53511 remote 1231/1231> <drop-all order 11001> <pid=37567 Application 66309 Real Application 66309 BoundInterface 15> (policy id=14557 session_order=2002 policy_order=10806 result=IP_TUNNEL)

    # after connected to VPN server and called the completion block from `startTunnel` and `reasserting=false`
    ....
    default 10:44:55.511326+0100 kernel necp_kernel_socket_policy_add: Added kernel policy: socket, id=14569, mask=4202
    ...
    default 10:44:55.512624+0100 kernel necp_kernel_socket_policies_dump_all: 5. Policy ID: 14569 Process: nesessionm Order: 2002.10806 Mask: 4202 Result: IPTunnel (utun3)
    ....
    error 10:45:12.225306+0100 kernel necp_socket_find_policy_match_with_info_locked: DATA-TRACE <SOCKET>: EXAMINING - policy id=14569 session_order=2002 policy_order=10806 result=IP_TUNNEL (cond_policy_id 0)
    error 10:45:12.225308+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_BOUND_INTERFACE> <value (22 / 0x16) (0 / 0x0) (0 / 0x0) input (22 / 0x16) (0 / 0x0) (0 / 0x0)>
    error 10:45:12.225312+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_APP_ID> <value (66309 / 0x10305) (0 / 0x0) (0 / 0x0) input (66309 / 0x10305) (0 / 0x0) (0 / 0x0)>
    error 10:45:12.225316+0100 kernel necp_socket_check_policy: DATA-TRACE <SOCKET>: ------ matching <NECP_KERNEL_CONDITION_PID> <value (37567 / 0x92BF) (0 / 0x0) (0 / 0x0) input (37567 / 0x92BF) (0 / 0x0) (0 / 0x0)>
    error 10:45:12.225320+0100 kernel necp_socket_find_policy_match_with_info_locked: DATA-TRACE <SOCKET <private>>: MATCHED POLICY - proto 6 port <local 53537/53537 remote 1231/1231> <drop-all order 11001> <pid=37567 Application 66309 Real Application 66309 BoundInterface 22> (policy id=14569 session_order=2002 policy_order=10806 result=IP_TUNNEL)
    default 10:45:12.225327+0100 kernel necp_socket_find_policy_match: Socket Policy: <private> (BoundInterface 22 Proto 6) Policy 14569 Result 6 Parameter 22

Do you have any suggestions why the kernel would bind sockets from the NE app to the utun interface, or how to further investigate this? And maybe any suggestions how to properly fix this, instead of adding a delay to setTunnelNetworkSettings? Thanks
9 replies, 0 boosts, 1.6k views, Jan ’23
VPN not working after macOS 13 update with includeAllNetworks=true
Hi, I have a problem with the VPN profile on macOS 13 with some custom VPN protocol. I've run the VPN application when I had macOS 12.x. The application worked fine and created the system configuration. Then I've updated the OS to 13. After the update I'm not able to connect to the VPN when includeAllNetworks=true. The defaultPath is always unsatisfied, so the tunnel is not able to connect to the VPN server. The system routes seem to be ok using netstat and route. If the VPN is started with includeAllNetworks=false it works. In the logs I've seen that when includeAllNetworks=true, nesessionmanager prints the following errors:

    error 08:01:59.652919+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for Control priority
    error 08:01:59.653105+0100 nesessionmanager VPN-includeAllNetworks evaluateConfiguration failed
    error 08:01:59.653479+0100 nesessionmanager -[NESMVPNSession setDefaultDropAll]: VPN addLocalNetworksExceptionWithOrder failed for HighRestricted priority
    error 08:01:59.653799+0100 nesessionmanager VPN-includeAllNetworks evaluateConfiguration (High) failed
    error 08:01:59.653894+0100 nesessionmanager VPN Could not apply control policies
    error 08:01:59.653908+0100 nesessionmanager VPN Could not apply High control policies
    ....
    info 08:01:59.774079+0100 nesessionmanager nw_path_necp_update_evaluator_block_invoke [46BD53DF-BA48-4059-9DE6-9A2F61E97B1E <NULL> generic, attribution: developer] path: unsatisfied (Path was denied by NECP policy), interface: en0[802.11], ipv4, ipv6
    .....
    default 08:01:59.774149+0100 nesessionmanager Changing primary wifi interface: en0 => (null)
    default 08:01:59.774182+0100 nesessionmanager Changing primary physical interface: en0 => (null)

If I delete the VPN profiles from the system and the app recreates them, everything works also for includeAllNetworks=true. Since no error is received, do you have any suggestions how to fix or detect this? Thanks
1 reply, 0 boosts, 1.2k views, Dec ’22
Data Protection Entitlement and open files
Hi, I have a question related to the Data Protection Entitlement. I have an app with com.apple.developer.default-data-protection = NSFileProtectionComplete. There is a timer which writes data into a file using the C API (open & write). But there are 2 different behaviours:
1. If the app doesn't run in the background: When the device is locked, the timer is paused and no more data is written. When the device is unlocked, the timer is resumed and continues to write successfully into the file (the file descriptor is still valid).
2. If the app runs in the background: After locking the device, the timer still writes for 10 seconds and then fails to write. When the device is unlocked, it is still not able to write into the file (the file descriptor is still invalid).
For the file, NSFileManager.attributesOfItemAtPath returns: NSFileProtectionKey = NSFileProtectionComplete. I suspect that in case 2 the encryption removes the access to the file, and that's why the FD is invalid. But for case 1, why is the file descriptor still valid after encrypt/decrypt; does the OS reopen the files after decrypt? Should I always reopen all the files after applicationProtectedDataDidBecomeAvailable(), or can I assume the FD will be valid and doesn't need to be reopened? Thanks, Marius
2 replies, 0 boosts, 917 views, Oct ’22
Get audit token for an NSXPCConnection
Hi, I have a question regarding securing XPC communication. I'm trying to get, on the server side, the process audit token for the connecting client. I've seen NSXPCConnection has a member called auditSessionIdentifier, which I saw is always returning the same number for different connections. What does this represent; can it be used to identify the connecting client process? NSXPCConnection has auditToken, which is what I need, but it is a private property. I would use this, but I'm not sure whether this will result in the app being rejected by Apple. Is anyone using it and had the app rejected/accepted? NSXPCConnection has processIdentifier, but this alone is kind of useless. But I was thinking to combine this with task_extmod_info (detect process changes) and the audit token with task_name_for_pid. Any other suggestions to get the client process audit token based on NSXPCConnection? Thanks
5 replies, 0 boosts, 2.3k views, Oct ’22
XPC execute response block when one side died
Hi, I have a problem with XPC communication; maybe someone has a suggestion how to fix it. So I have 2 applications that communicate over XPC (NSXPCConnection). One app (sender) calls a method that ends up on the other side (receiver). The method has a completion block to get the response back. The problem is that the receiver crashes while executing the method, before sending back a response. The invalidationHandler is called, because the connection died. My question is: is there a way to make XPC execute the response block, with an error or something? If not, any suggestions how to handle this case, to "fake" call the response block for the sender? Thanks
3 replies, 0 boosts, 1.3k views, Sep ’22
Why use serial queue over NSLock or os_unfair_lock?
I have the following 2 thread-safe wrapper implementations for a boolean:

1 - Using NSLock

    import Foundation

    class ThreadSafeBool {
        private let lock = NSLock()
        private var wrappedValue: Bool

        var value: Bool {
            get {
                lock.lock()
                defer { lock.unlock() }
                return wrappedValue
            }
            set {
                lock.lock()
                defer { lock.unlock() }
                wrappedValue = newValue
            }
        }

        init(_ initialValue: Bool) {
            wrappedValue = initialValue
        }
    }

2 - Using DispatchQueue and sync

    import Foundation

    class ThreadSafeBoolQueue {
        private let queue = DispatchQueue(label: "my.queue")
        private var wrappedValue: Bool

        var value: Bool {
            get {
                self.queue.sync { return wrappedValue }
            }
            set {
                self.queue.sync { wrappedValue = newValue }
            }
        }

        init(_ initialValue: Bool) {
            wrappedValue = initialValue
        }
    }

Even though NSLock is much faster than the sync queues, os_unfair_lock is even faster. Could someone please let me know why in lots of examples the second locking mode is preferred, including in Apple presentations? PS: Please keep in mind that the classes are just examples, so the main question is why a queue over NSLock/os_unfair_lock? Thank you very much
2 replies, 2 boosts, 3.6k views, Aug ’22