Network Extensions are not coming up on Big Sur

Hi

The same behaviour exists on the latest Big Sur beta.

I am developing a Transparent and DNS Network System Extension on macOS Big Sur.
I request help solving a Network System Extension initialization problem. These extensions are in a single app.

My Network extensions do not come up the first time the UI is launched. The UI needs to be restarted, i.e. OSSystemExtensionRequestDelegate:activationRequestForExtension should be reinitiated again.

Console log shows during initialization:
  1. Failed to save configuration myext Client DNS Proxy: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}

Application logs show:

App Proxy Logs:
AppProxyManager Failed to save configurations, error: NEVPNErrorDomain / 5

DNS Proxy Application Logs:
dnsproxymgr Failed to save configurations, error: NEConfigurationErrorDomain 10

App Proxy fails to start:
Application logs:
AppProxyManager Failed to start App Prxoy Description The operation couldn’t be completed. (NEVPNErrorDomain error 1.) Reason (null) Recovery suggestion (null)

sudo systemextensionsctl list output shows extensions are enabled.
  • -- com.apple.systemextension.networkextension

enabled active teamID bundleID (version) name [state]
  • * <<team id>> com.myext.client.myext-Client.myextClientMacAppProxy (1.0/1) myextMacAppProxy [activated enabled]

  • * <<team id>> com.myext.client.myext-Client.myextClientMacDNSProxy (1.0/1) myextMacDNSProxy [activated enabled]

Activity Monitor shows the App Proxy and DNS Proxy System extensions are running.

System Preferences Security and Privacy shows two entries after clicking on the "Allow" button.

Could you please recommend how to debug it?

Thanks

Replies

I was able to test out installing / removing / installing a Transparent Proxy on macOS Big Sur Beta 5 and did not run into any permission or configuration issues. If possible, try testing this on a VM; possibly there were some looming permission issues that were causing problems from a previous install/removal.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
Same reply was posted twice inadvertently, therefore removed it.
Thanks Matt!

Please let me add a few more details; below is my code.

Code Block
#import <NetworkExtension/NetworkExtension.h>
#import <SystemExtensions/SystemExtensions.h>

// Load the shared DNS proxy configuration, fill it in and save it.
- (void)configureDNSProxy {
    ns_info(module, "DNS proxy configurations will be loaded");
    [[NEDNSProxyManager sharedManager]
     loadFromPreferencesWithCompletionHandler:^(NSError * __nullable loadError) {
      if (loadError) {
        return;  // the load error is not logged here
      }
      NEDNSProxyProviderProtocol *tunnelProtocol = [[NEDNSProxyProviderProtocol alloc] init];
      [tunnelProtocol setServerAddress:@"DNS Gateway"];
      tunnelProtocol.providerBundleIdentifier = dnsProxyBundleID_;
      [NEDNSProxyManager sharedManager].enabled = true;
      [NEDNSProxyManager sharedManager].localizedDescription = @"DNS Proxy";
      [NEDNSProxyManager sharedManager].providerProtocol = tunnelProtocol;
      [[NEDNSProxyManager sharedManager] saveToPreferencesWithCompletionHandler:^(NSError * _Nullable savePrefError) {
        if (savePrefError) {
          return;  // the save error is not logged here
        }
      }];
    }];
}

// OSSystemExtensionRequestDelegate: always replace an existing copy of the extension.
- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                  actionForReplacingExtension:(OSSystemExtensionProperties *)existing
                                withExtension:(OSSystemExtensionProperties *)ext {
    return OSSystemExtensionReplacementActionReplace;
}

// OSSystemExtensionRequestDelegate: user approval is pending (no handling).
- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
}

// OSSystemExtensionRequestDelegate: the request failed (the error is ignored).
- (void)request:(OSSystemExtensionRequest *)request
    didFailWithError:(NSError *)error {
}

// OSSystemExtensionRequestDelegate: the request finished; the result value is
// not inspected before the DNS proxy configuration is saved.
- (void)request:(OSSystemExtensionRequest *)request
    didFinishWithResult:(OSSystemExtensionRequestResult)result {
    [self configureDNSProxy];
}

// Submit the activation request; delegate callbacks arrive on a global queue.
- (void)initializeDNSProxy {
    NSString *extensionIdentifier = dnsProxyBundleID_;
    dispatch_queue_t queue = dispatch_get_global_queue(DISPATCH_QUEUE_PRIORITY_HIGH, 0);
    OSSystemExtensionRequest *req =
        [OSSystemExtensionRequest activationRequestForExtension:extensionIdentifier
                                                          queue:queue];
    req.delegate = self;
    [[OSSystemExtensionManager sharedManager] submitRequest:req];
}

It is called as [myobj initializeDNSProxy];

Is this code correct?

Thanks
I did not test your code, but looking through it I would suggest trying to send your OSSystemExtensionRequest updates to the main queue. That way the global queue is not trying to configure and install your NEDNSProxyManager.

@param queue The dispatch queue to use when calling delegate methods.

Something like:
Code Block objective-c
OSSystemExtensionRequest * request = [OSSystemExtensionRequest activationRequestForExtension:extensionIdentifier queue:dispatch_get_main_queue()];
request.delegate = self;
[OSSystemExtensionManager.sharedManager submitRequest:request];


Should get you started. Test that on a clean VM and let me know how that goes.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
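
An added example, not code from either poster: the activation request delivered on the main queue as suggested in the reply above, with every delegate and completion callback logging its error domain and code so a failure such as NEConfigurationErrorDomain 10 can be traced to the step that produced it. The class name DNSProxyActivator and the extensionID property are assumptions for illustration.

```objective-c
#import <NetworkExtension/NetworkExtension.h>
#import <SystemExtensions/SystemExtensions.h>

// Hypothetical class; extensionID holds the DNS proxy extension's bundle ID.
@interface DNSProxyActivator : NSObject <OSSystemExtensionRequestDelegate>
@property (nonatomic, copy) NSString *extensionID;
@end

@implementation DNSProxyActivator
- (void)activate {
    // Delegate callbacks are delivered on the main queue.
    OSSystemExtensionRequest *req =
        [OSSystemExtensionRequest activationRequestForExtension:self.extensionID
                                                          queue:dispatch_get_main_queue()];
    req.delegate = self;
    [OSSystemExtensionManager.sharedManager submitRequest:req];
}

- (OSSystemExtensionReplacementAction)request:(OSSystemExtensionRequest *)request
                  actionForReplacingExtension:(OSSystemExtensionProperties *)existing
                                withExtension:(OSSystemExtensionProperties *)ext {
    return OSSystemExtensionReplacementActionReplace;
}
- (void)requestNeedsUserApproval:(OSSystemExtensionRequest *)request {
    NSLog(@"%@: waiting for user approval in System Preferences", request.identifier);
}
- (void)request:(OSSystemExtensionRequest *)request didFailWithError:(NSError *)error {
    NSLog(@"activation failed: %@ / %ld", error.domain, (long)error.code);
}
- (void)request:(OSSystemExtensionRequest *)request
    didFinishWithResult:(OSSystemExtensionRequestResult)result {
    if (result != OSSystemExtensionRequestCompleted) {  // e.g. completes after reboot
        NSLog(@"activation not complete yet (result %ld)", (long)result);
        return;
    }
    NEDNSProxyManager *mgr = [NEDNSProxyManager sharedManager];
    [mgr loadFromPreferencesWithCompletionHandler:^(NSError *loadError) {
        if (loadError) { NSLog(@"load failed: %@", loadError); return; }
        NEDNSProxyProviderProtocol *proto = [[NEDNSProxyProviderProtocol alloc] init];
        proto.providerBundleIdentifier = self.extensionID;
        mgr.providerProtocol = proto;
        mgr.localizedDescription = @"DNS Proxy";
        mgr.enabled = YES;
        [mgr saveToPreferencesWithCompletionHandler:^(NSError *saveError) {
            if (saveError) NSLog(@"save failed: %@ / %ld", saveError.domain, (long)saveError.code);
        }];
    }];
}
@end
```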