Raw Socket: Operation not permitted

Hello, I'm trying to send a copy of an intercepted packet through the network stack again using sockets. I'm currently trying to do this using a raw socket with Swift code calling a C function that does the following:
    socket(AF_INET, SOCK_RAW, IPPROTO_RAW)

This results in an error:

    Operation not permitted

I understand that raw sockets require root privileges. I'm calling this code from my network extension already. Is there anything else I have to do to get a raw socket working?

Is there a better way I should resend a packet that I've intercepted in my packet filter?
Answered by Systems Engineer in 632420022

I understand that raw sockets require root privileges. I'm calling this code from my network extension already. Is there anything else I have to do to get a raw socket working?

You are most likely running into a Sandbox issue when trying to use raw sockets from the Network System Extension and that is why you are seeing the "Operation not permitted" error. Also, keep in mind here that using a Sandbox is a requirement in a Network System Extension whether you are deploying to the App Store or deploying with Developer ID.

Is there a better way I should resend a packet that I've intercepted in my packet filter?

The packetHandler is provided as a mechanism to analyze packets to provide a NEFilterPacketProviderVerdict. This handler is not meant to tag or alter packets, but simply to be used as a packetFiltering mechanism to make decisions upon.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
We were also looking at the documentation for Packet Tunnel Provider but that seems to be specific to IPSec tunnel mode. Is there support for IPSec transport mode?

Our thoughts were that with the filter, we could delay a packet selectively if it matched certain criteria, set up an IPSec connection in transport mode, then allow the packet. We ran into an issue where our delayed packet would pick up right where it left off and traverse without an ESP frame. That's when we came up with the idea to send a copy of that one packet back through the stack.

We were also looking at the documentation for Packet Tunnel Provider but that seems to be specific to IPSec tunnel mode. Is there support for IPSec transport mode?

When using a Packet Tunnel Provider and using readPacket* and writePacket*, you can set up your own custom transport with a remote server.

We ran into an issue where our delayed packet would pick up right where it left off and traverse without an ESP frame. That's when we came up with the idea to send a copy of that one packet back through the stack.

As mentioned, the packetHandler is just meant to provide a flow verdict. It is not meant to be a handler that allows your Network Extension to alter and divert packets as they pass through the system.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hi Matt,

Also, keep in mind here that using a Sandbox is a requirement in a Network System Extension whether you are deploying to the App Store or deploying with Developer ID.

Can you please elaborate on the deploying with "Developer ID" problem you foresee when using Network System Extension without sandbox? I have tried to notarize such an application for MacOS and it worked fine.

Does Apple have any plans to enforce this limitation for MacOS in the future?

Thank you in advance, Alex

Hi,

Is there a way to open raw socket when implementing a network extension?

Can the NWParameters.init(customIPProtocolNumber: ) setup be used in some way to capture well known protocols, such as gre?

Thanks, Igal

@Zilberkant

Does Apple have any plans to enforce this limitation for MacOS in the future?

I cannot speak about plans for the future.

Regarding:

Can you please elaborate on the deploying with "Developer ID" problem you foresee when using Network System Extension without sandbox?

Since Network Extensions were designed to run in the Sandbox, there could be strange issues if they were built and run without one. Possible issues that you may run into include accessing resources outside your Sandbox without entitlements to do so. You may run into these issues because it is expected that these extensions be run within a Sandbox.

Also note that a Sandbox is not just about restricting your access to other resources on the system, it's also about protecting your resources as well.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

@Igal

Is there a way to open raw socket when implementing a network extension?

You can try to do so but I suspect you will run into a permission issue like what is being described above.

Can the NWParameters.init(customIPProtocolNumber: ) setup be used in some way to capture well known protocols, such as gre?

I have not tried this. While I have seen other protocols being defined here in customIPProtocolNumber, I've not seen GRE.

On the socket side of the equation, I actually have tried running the following in a Packet Tunnel Provider:

#include <stdio.h>
#include <sys/socket.h>
#include <netinet/in.h>

int main(void) {
    int sockd = socket(AF_INET, SOCK_RAW, IPPROTO_GRE);
    if (sockd == -1) {
        perror("Socket creation error");   // prints strerror(errno)
    }
    return 0;
}

// Socket creation error: Operation not permitted
// Program ended with exit code: 0

And this was due to the Sandbox.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
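A small diagnostic, added here as an example (it is not code from Matt, Quinn or Apple; the function names probe_raw_socket and raw_socket_failure_hint are my own), that captures errno straight from socket(2) and propagates a non-zero exit status, so a denial like the one Matt shows above is not hidden behind "exit code: 0". It probes IPPROTO_RAW, IPPROTO_GRE and IPPROTO_ICMP in one run, which tells you whether a denial is per-protocol or a blanket policy decision; on a sandboxed extension or an unprivileged process you should expect EPERM for all three, and the next step is the sandbox violation report, not a retry.

```c
/* Added example: classify why an AF_INET raw socket could not be opened.
 * probe_raw_socket() and raw_socket_failure_hint() are names chosen for
 * this example; they are not part of any Apple API. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Try to open an AF_INET raw socket for `proto`.
 * Returns 0 if the socket could be created (it is closed again at once),
 * otherwise the errno value that socket(2) left behind. */
int probe_raw_socket(int proto)
{
    int fd = socket(AF_INET, SOCK_RAW, proto);
    if (fd == -1) {
        return errno;   /* capture before any other libc call can clobber it */
    }
    close(fd);
    return 0;
}

/* Map a probe result to a short diagnosis. EPERM or EACCES is what a
 * sandbox denial or a missing root privilege looks like; the thread above
 * shows EPERM ("Operation not permitted") from a sandboxed extension. */
const char *raw_socket_failure_hint(int err)
{
    switch (err) {
    case 0:
        return "raw socket available";
    case EPERM:
    case EACCES:
        return "denied by privilege check or sandbox policy; read the sandbox violation report";
    case EPROTONOSUPPORT:
        return "protocol not supported for SOCK_RAW on this host";
    default:
        return "other failure; see strerror";
    }
}

int main(void)
{
    /* Constructed probe set: the protocol from the question, the one from
     * Matt's snippet, and ICMP as a commonly raw-socketed control protocol. */
    int protos[] = { IPPROTO_RAW, IPPROTO_GRE, IPPROTO_ICMP };
    const char *names[] = { "IPPROTO_RAW", "IPPROTO_GRE", "IPPROTO_ICMP" };
    int worst = 0;

    for (size_t i = 0; i < sizeof protos / sizeof protos[0]; i++) {
        int err = probe_raw_socket(protos[i]);
        printf("%-12s -> %s (%s)\n", names[i], raw_socket_failure_hint(err),
               err ? strerror(err) : "ok");
        if (err) {
            worst = err;
        }
    }
    /* Propagate the failure so a launcher, log, or CI job can see it. */
    return worst ? 1 : 0;
}
```

Run it as the same identity and under the same sandbox profile as the extension; a result of "raw socket available" from a root shell says nothing about what the sandboxed extension will get, which is the distinction Quinn's factoids below draw between running as root and being sandboxed.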

@Igal, @UnisysDavidMcLaren I am also trying to open a raw socket in a PacketTunnelProvider system extension and running into the same issue, Operation not permitted. Please let me know if you guys succeeded on this?

Some factoids:

  • System extensions run as root.

  • Network Extension system extensions must be sandboxed.

  • Whether the container app must be sandboxed depends on the deployment channel. The Mac App Store requires that all code be sandboxed. Independent distribution using Developer ID signing does not.

I think the issue here is that the sandbox is blocking the raw socket. This isn’t a huge surprise because raw sockets usually require root privileges and normal sandboxed apps can’t escalate privileges. NE system extensions are a weird case here.

When you attempt to open a raw socket that should trigger a sandbox violation report. Does it? If so, please post it here? It’ll be big, so post it as a text attachment [1].

For advice on how to view sandbox violation reports, see Viewing Sandbox Violation Reports.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Similar to the instructions in Posting a Crash Report.

Hi @eskimo, you can see in the console screenshot below that my app com.xyz.abc.networkextension is not available.

I was hoping to see the full violation report. If you click on one of those log entries, you should see a whole bunch of text. Copy that out into a .txt file and then post it as an attachment.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
