SimpleFirewall example in content filter is not working as expected without UI

Hi,
I modified the content filter SimpleFirewall example as below to run build/Release//com.digitalguardian.dgsysext.systemextension/Contents/MacOS/com.digitalguardian.dgsysext from my terminal without using the UI, and tried to filter the data. But it is not working as expected, and none of the functions in FilterDataProvider are invoked.
  • I have removed SimpleFirewall target & kept SimpleFirewall Extension target only.

  • I have removed 'IPCConnection.shared.startListener()' in main.swift

I have even tried adding the enableFilterConfiguration() functionality, which is available in ViewController.swift, to main.swift, but it was no use.

Anyone, please help me with this.

I have tried adding the following functionality from the ViewController.swift file under a Controller.swift file, as below, and I have called Controller.start() from main.swift. But I am facing the error "Fatal error: Failed to get the contents of file://build/Release/com.test.sysext.systemextension//Contents/Library/SystemExtensions: The file “SystemExtensions” couldn’t be opened because there is no such file"
  • Declared extensionBundle: Bundle

  • Included func startFilter(_ sender: Any) as func start()

  • Included func stopFilter(_ sender: Any) as func stop()

  • Included loadFilterConfiguration() and enableFilterConfiguration()

  • Included func request(_ request: OSSystemExtensionRequest, didFinishWithResult result: OSSystemExtensionRequest.Result) under extension Controller: OSSystemExtensionRequestDelegate

Any help, please.

I want to remove the UI and prompts from the SimpleFirewall example. If I run the SimpleFirewall application from the command prompt, it should automatically get the bundle identifier, use it to create the system extension activation request, and go ahead to create the filter configuration automatically and register it with the system.

For this I have changed ViewController.swift. I have tried changing the 'NSViewController' extension to 'NSObject', removed the override functions, changed startFilter() from a UI handler to a normal function, and invoked startFilter() from main of the SimpleFirewall target.

As per my expectation, it should submitRequest() and I should get the activation prompt to allow. But I am unable to get the activation prompt, and it has not gone on to call the "request()" method to enable the configuration.

Note: Here I am running from terminal.

One of the main purposes of having a UI based container app with your Network System Extension is to ensure that the user knows that they have consented to installing your system extension AND to make sure the user knows that they are allowing for a new Network Configuration to be installed that filters network traffic. These are the two major components that need to be handled in your UI based container app. From there, whatever else you choose to show in your container app is up to you.

I want to remove UI and prompts from SimpleFirewall example.

You will need to include enough UI at least to display these two prompts I have described above to the user, to ensure that they are aware of what is happening. There are MDM payloads to handle auto-approving your Network System Extension installation, but if you are not using MDM, these prompts are required to get your System Extension off the ground.

From here I would go back and make sure you have at least handled the cases to install the Network System Extension and allow the new Network Configuration setup in your user interface. See these specific places in SimpleFirewall as a reference:
  • viewWillAppear() for initial loadFromPreferences().

  • startFilter() for OSSystemExtensionRequest.activationRequest().

  • enableFilterConfiguration() for loadFromPreferences() again, setting up NEFilterManager, and saveToPreferences().

Make sure this flow is at least covered in how you have structured your new application, and you should be good to set up your new application logic on top of this.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
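
The three-step flow listed in the reply above (load preferences, submit the activation request, then save an enabled filter configuration), condensed into one controller as an added example. This is not code from the thread or from Apple's SimpleFirewall project; the extension identifier and description string are placeholders, and the container app is assumed to be signed with the entitlements that system extensions and content filters require.

```swift
import Foundation
import NetworkExtension
import SystemExtensions

final class FilterActivator: NSObject, OSSystemExtensionRequestDelegate {
    // Placeholder (assumption): replace with your system extension's bundle identifier.
    let extensionID = "com.example.MyApp.Extension"

    // Step 1: load the saved configuration; if the filter is already enabled, stop here.
    func start() {
        NEFilterManager.shared().loadFromPreferences { error in
            if error == nil, NEFilterManager.shared().isEnabled { return }
            // Step 2: submit the activation request; the user is asked to approve the extension.
            let request = OSSystemExtensionRequest.activationRequest(
                forExtensionWithIdentifier: self.extensionID, queue: .main)
            request.delegate = self
            OSSystemExtensionManager.shared.submitRequest(request)
        }
    }

    // Step 3: once activation completes, save an enabled filter configuration;
    // the user is asked to allow the new network configuration.
    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        guard result == .completed else { return }
        let manager = NEFilterManager.shared()
        manager.loadFromPreferences { error in
            guard error == nil else { return }
            if manager.providerConfiguration == nil {
                let config = NEFilterProviderConfiguration()
                config.filterSockets = true
                config.filterPackets = false
                manager.providerConfiguration = config
                manager.localizedDescription = "Example content filter" // constructed name
            }
            manager.isEnabled = true
            manager.saveToPreferences { error in
                if let error = error { print("saveToPreferences failed: \(error)") }
            }
        }
    }

    // Remaining required delegate callbacks: log the state so a missing prompt is visible.
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) { print("Awaiting user approval") }
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) { print("Activation failed: \(error)") }
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
                 -> OSSystemExtensionRequest.ReplacementAction { .replace }
}
```

Keep a strong reference to the `FilterActivator` instance for the lifetime of the app, since the request holds its delegate weakly and the callbacks arrive asynchronously.
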
Thanks for the response. I have UI to allow/deny web traffic internally in my custom code. So I cannot use the existing UI.

I have modified it as per your suggestions and it is working as expected if I run SimpleFirewall from Applications. But it is not working as expected if I run it from other places.

If I run SimpleFirewall from Applications, I get the message to allow the system extension from Security Preferences, and it is monitoring web data.

If I run SimpleFirewall from another place, I get a message like (null) Would you like to Filter Network Content to allow, but it is not monitoring web data.

Do I need to make any other changes as part of the activation request submission? Please help me.

For testing or debugging outside the /Applications folder you will need to turn on developer mode. The container app is meant to be run from your /Applications folder. For more on this, see the Debugging and Testing System Extensions documentation here.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
@nagendrar Did you manage to get it running? I'm having the same problem.

@mhunt@mercadolibre.com

Take a look at my previous posts below on this topic. A few of the main purposes here are to make sure that the user is aware and is consenting to the Network System Extension being installed. That is why the user interface is used during this process, to make sure the user prompts and allows the install.

Using MDM you can auto-allow the Network System Extension prompt, but not the prompt to allow the Network Configuration to be installed.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com