NWListener fails to start within a CoreMediaIO Virtual Camera Extension

Hi. Our NWListener runs fine and accepts connections successfully when it's run in a standalone app; however, the same code fails when moved into the System Extension code. Specifically, we get the error: The operation couldn’t be completed. (Network.NWError error 0.)

...
let listener = try NWListener(using: params!)
listener.service = NWListener.Service(name: "service",
                                      type: "_service._tcp")

listener.stateUpdateHandler = { newState in
    switch newState {
    case .ready:
        if listener.port != nil {
            self.receiveIncomingDataOnConnection()
        }
    case .failed(let error):
        listener.cancel()
        // print() does not expand os_log format specifiers, so interpolate instead.
        print("Listener - failed with \(error.localizedDescription), restarting")
        // Getting the error ^
    default:
        break
    }
}
...

We have checked that the App Sandbox permissions for inbound and outbound connections are set in the entitlements file.

At this point, we are stumped as to what's limiting our listener when it's running in the extension.

Thanks!

It’s likely that something sandbox-y is preventing this. Do you see a sandbox violation report?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for the tip! I've looked for violation reports as per the thread but see no violation reports. Out of curiosity I disabled the incoming and outgoing permissions on the extension target and there were still no violation reports but the NWListener fails in the same way. Could there be other restrictions on the CMIO Virtual Camera Extension that could cause the failure?

Could there be other restrictions on the CMIO Virtual Camera Extension that could cause the failure?

Yes, but I’ve no idea what those might be.

Just for testing purposes, if you use BSD Sockets to create a listener, does that work?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Added a socket listener as per this guide: https://rderik.com/blog/xpc-services-on-macos-apps-using-swift/

That does trip Sandboxd with:

Sandbox: com.company.app(326) deny(1) network-bind:1234
Violation: deny(1) network-bind:1234 

Went back to NWListener and looked for similar sandboxd violations and I managed to dig them out with the log show tool. I am indeed getting

[com.apple.sandbox.reporting:violation] Sandbox: com.company.product(328) deny(1) network-bind*:62406
Violation:       deny(1) network-bind*:62406

I don't understand why that would happen though given the entitlements on the file are set up as:

<dict>
    <key>com.apple.developer.networking.custom-protocol</key>
    <true/>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.application-groups</key>
    <array>
        <string>$(TeamIdentifierPrefix)</string>
    </array>
    <key>com.apple.security.network.client</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>

Any ideas?

That does trip sandboxd with

OK.

I don't understand why that would happen though given the entitlements

There are two possibilities here:

  • The entitlements you posted are from your .entitlements file and it’s possible that these are not being correctly built in to your code signature. Build your app and then run the following against the appex nested inside your app:

    % codesign -d --entitlements - /path/to/your.app/Contents/PlugIns/your.appex
    

    What do you see?

  • App extensions typically run in some sort of customised sandbox, and it’s possible that this is blocking network servers explicitly.

Honestly, I suspect the second possibility, but I want to rule out the first before going further.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Okies, there was no PlugIns folder so I ran it against Library/SystemExtensions/your.appex/Contents/MacOS/your.appex instead and am getting:

Executable=/Users/user/Library/Developer/Xcode/DerivedData/yourapp-btjjarujuhphwdbebkvxlnabcbot/Build/Products/Debug/yourapp.app/Contents/Library/SystemExtensions/com.team.yourapp.camera-extension.systemextension/Contents/MacOS/com.team.yourapp.camera-extension
[Dict]
    [Key] com.apple.developer.networking.custom-protocol
    [Value]
        [Bool] true
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.application-groups
    [Value]
        [Array]
            [String] TEAM-IDENTIFIER.
    [Key] com.apple.security.get-task-allow
    [Value]
        [Bool] true
    [Key] com.apple.security.network.client
    [Value]
        [Bool] true
    [Key] com.apple.security.network.server
    [Value]
        [Bool] true

Which is what we'd expect to see I'd guess? Making your customized sandbox possibility more likely.

Thanks!
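
The cross-check this thread performs by hand, as an added example (not code from the thread or from Apple): it reads the `[Key]`/`[Value]` dump printed by `codesign -d --entitlements -` together with the sandboxd denial lines, and flags denials that occur even though the matching entitlement is signed in. The operation-to-entitlement mapping and the sample input are assumptions constructed from the output quoted above.

```python
import re

# Assumed mapping from a sandbox operation to the App Sandbox entitlement
# that normally permits it (the thread's working assumption for network-bind).
OP_ENTITLEMENT = {
    "network-bind": "com.apple.security.network.server",
    "network-inbound": "com.apple.security.network.server",
    "network-outbound": "com.apple.security.network.client",
}
# Only the "Sandbox:" line is matched, so the "Violation:" echo is not counted twice.
DENY_RE = re.compile(r"Sandbox: (?P<proc>\S+)\((?P<pid>\d+)\) deny\(\d+\) "
                     r"(?P<op>[a-z-]+)\*?:(?P<target>\S+)")

def parse_entitlements(codesign_text):
    """Return the keys whose value is '[Bool] true' in the codesign dump."""
    granted, key = set(), None
    for line in codesign_text.splitlines():
        line = line.strip()
        if line.startswith("[Key] "):
            key = line[len("[Key] "):]
        elif line == "[Bool] true" and key:
            granted.add(key)
    return granted

def triage(log_text, granted):
    """Classify each denial against the entitlements in the code signature."""
    findings = []
    for m in DENY_RE.finditer(log_text):
        needed = OP_ENTITLEMENT.get(m["op"])
        verdict = ("unmapped-operation" if needed is None else
                   "denied-despite-entitlement" if needed in granted else
                   "missing-entitlement")
        findings.append((m["proc"], int(m["pid"]), m["op"], m["target"], verdict))
    return findings

# Constructed sample input, modelled on the output quoted in the thread.
SAMPLE_CODESIGN = """[Dict]
    [Key] com.apple.security.app-sandbox
    [Value]
        [Bool] true
    [Key] com.apple.security.network.server
    [Value]
        [Bool] true
"""
SAMPLE_LOG = """[com.apple.sandbox.reporting:violation] Sandbox: com.company.product(328) deny(1) network-bind*:62406
Violation:       deny(1) network-bind*:62406
Sandbox: com.company.app(326) deny(1) network-bind:1234
"""
```

A `missing-entitlement` verdict points at the signing step, while `denied-despite-entitlement` matches what this thread found: the entitlement is in the signature and the bind is still refused.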

Accepted Answer

there was no PlugIns folder

Oh, yeah, sorry about that, I forgot this is a sysex.

Which is what we'd expect to see I'd guess?

Yep.

I ran this past some folks here and they’re not aware of us deliberately blocking this. Given that, I encourage you to file a bug about this. Please post your bug number, just for the record.

Is your sysex able to make outgoing network connections?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Reversed our apps so that the extension initiates the connection and iPhone listens, and that works!!

As per your instructions, I filed a bug report with id: FB10014566

Thanks for your help getting this far Eskimo!
