M1, macOS 11.1, SIP disabled, AMFI enabled:
I'm trying to bring up a DeveloperID NEDNSProxyProvider but it's failing to install the configuration:
```
default 13:30:51.215874-0600 Kringle No configurations exist
default 13:30:51.221481-0600 Kringle Saving configuration Filter DNS requests. with existing signature (null)
default 13:30:51.221569-0600 Kringle Adding F471D6C9-9794-46F3-8E57-91253EC91292 to the loaded configurations
default 13:30:51.223047-0600 Kringle Clearing F471D6C9-9794-46F3-8E57-91253EC91292 from the loaded configurations
error 13:30:51.223121-0600 Kringle Failed to save configuration Filter DNS requests.: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 13:30:51.223181-0600 Kringle -[NEDNSProxyManager saveToPreferencesWithCompletionHandler:]_block_invoke_3: failed to save the new configuration: Error Domain=NEConfigurationErrorDomain Code=10 "permission denied" UserInfo={NSLocalizedDescription=permission denied}
error 13:30:51.222955-0600 nehelper Kringle Failed to obtain authorization right for 3: no authorization provided
```
Everything is code signed, I have the correct entitlements and the SYSEXT is being loaded. It's this configure step that is failing. It fails with the same error as root. The app is not notarized (but SIP is disabled to bypass this). Is this the reason?
```
* * 5JVV5R9542 org.bergstrand.kringle.daemon (1.0/1210.46.18) org.bergstrand.kringle.daemon[activated enabled]
```
Here's the configuration load code:
```objc
#import <NetworkExtension/NetworkExtension.h>
#import <SystemExtensions/SystemExtensions.h>

// LOGE, LOGD_MSG and SNTConfigurator are defined elsewhere in the project.
#define KRINGLE_DAEMON_ID "org.bergstrand.kringle.daemon"

// Objective-C++: the if-with-initializer below requires C++17.
void configureDNSProxyExtension(dispatch_block_t callback) {
  NEDNSProxyManager* mgr = NEDNSProxyManager.sharedManager;
  [mgr loadFromPreferencesWithCompletionHandler:^(NSError* error) {
    if (error) {
      LOGE(@"Failed to load cfg: %@", error);
      callback();
      return;
    }
    if (const BOOL enable = SNTConfigurator.configurator.enableDNSProxyExtension; enable != mgr.enabled) {
      // making a change -- callback on save completion
      if (enable) {
        mgr.localizedDescription = @"Filter DNS requests.";
        NEDNSProxyProviderProtocol* proto = [[NEDNSProxyProviderProtocol alloc] init];
        proto.providerBundleIdentifier = @(KRINGLE_DAEMON_ID);
        mgr.providerProtocol = proto;
        mgr.enabled = YES;
      } else {
        mgr.enabled = NO;
      }
      [mgr saveToPreferencesWithCompletionHandler:^(NSError* error) {
        if (!error) {
          if (enable) {
            LOGD_MSG("Filter enabled.");
          } else {
            LOGD_MSG("Filter disabled.");
          }
        } else {
          LOGE(@"Failed to save %@ cfg: %@", enable ? @"enabled" : @"disabled", error);
        }
        callback();
      }];
    } else {
      callback(); // no change made
    }
  }];
}

// OSSystemExtensionRequestDelegate callback: configure the proxy once the request finishes, then exit.
- (void)request:(OSSystemExtensionRequest *)request didFinishWithResult:(OSSystemExtensionRequestResult)result {
  NSLog(@"SystemExtension \"%@\" request did finish: %ld", request.identifier, (long)result);
  configureDNSProxyExtension(^{
    exit(0);
  });
}

// Fragment: how the activation request is created (req and e are declared elsewhere).
req = [OSSystemExtensionRequest activationRequestForExtension:e queue:dispatch_get_main_queue()];
```