In our NETransparentProxyProvider we use SecCodeCopyGuestWithAttributes to get information about the flow as suggested here here. We have faced an unexpected problem with this approach.
Apparently, SecCodeCopyGuestWithAttributes has to deal with sandbox when working with the attributes of other programs. That’s OK when programs are located in /Applications. But some programs including built-in ones like /usr/libexec/routined are in other locations. So, when SecCodeCopyGuestWithAttributes is called for them, sandbox just kills the network extension completely!
2021-06-04 09:10:47.927841+0800 0x4cd Error 0x0 147 0 sandboxd: [com.apple.sandbox.reporting:violation] Sandbox: com.initex.proxi(897) deny(1) file-read-data /usr/libexec/routined Violation: deny(1) file-read-data /usr/libexec/routine
Is there a way to fix this?
For obvious reasons, the com.apple.security.temporary-exception.files.absolute-path.read-only trick does not work because the path is not known.
I think, this also creates a security risk. We saw a case when a program with a non-standard executable path just stopped network extension of a well known antivirus!