Transparent proxy provider and multiple users

This is somewhat related to my question at "On reboot, two instances of faceless app" - but slightly different focus.

This is my understanding of how the system works, and please correct me if I'm wrong:

  • A network extension can only be loaded by an application
  • That application must contain the extension (in Contents/Library/SystemExtensions)
  • Only the application instance that loads an extension can get VPN notifications (eg, NEVPNStatusDidChangeNotification)
  • There does not appear to be a way to get the version of installed network extensions programmatically?
  • When a second user logs in, and runs the containing app, and requests loading the extension, it does the normal replacement request.

Given that... how is it supposed to handle multiple users (via Fast User Switching)?

There does not appear to be a way to get the version of installed network extensions programmatically?

That’s not correct. The container app can get information about an installed sysex using propertiesRequest(forExtensionWithIdentifier:queue:).

Additionally, both the sysex and the NE configuration are system-wide things, not per user. If user A installs these and then user B runs the app, it’ll see them.

Finally, NE sysexes can provide an XPC named endpoint using NEMachServiceName. That’s registered in the global Mach bootstrap namespace, so any process on the system can connect to it (modulo sandbox restrictions).

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

That’s not correct. The container app can get information about an installed sysex using propertiesRequest(forExtensionWithIdentifier:queue:).

I thought that only worked for the particular process that loaded it -- but I haven't played with that too much.

Additionally, both the sysex and the NE configuration are system-wide things, not per user. If user A installs these and then user B runs the app, it’ll see them.

But will both instances of the containing app be able to get the VPN notifications? Or only the process that actually loads it? I thought I ran into that not working, but I think I was doing something very wrong at the time to begin with.

Finally, NE sysexes can provide an XPC named endpoint using NEMachServiceName. That’s registered in the global Mach bootstrap namespace, so any process on the system can connect to it (modulo sandbox restrictions).

Yes, we have multiple processes doing that, and yes, I am going to add a call to get the version from the extension.

Thanks 😄

Oh, alas, propertiesRequest(forExtensionWithIdentifier:queue:) is only available in macOS 12 and later -- we're still supporting 11. Or I think so, anyway; I'll have to see if we've updated our requirements.
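
A sketch of the properties query discussed in this thread, added here as an example and not code from any of the posters: it asks the system for the installed system extension's version from the container app, gated on macOS 12. The class name `SysexVersionQuery` and its completion signature are hypothetical; the caller supplies its own extension bundle identifier.

```swift
import Foundation
import SystemExtensions

// Hypothetical helper (not from the thread): reports the version of the
// enabled system extension, or nil when none is enabled.
@available(macOS 12.0, *)
final class SysexVersionQuery: NSObject, OSSystemExtensionRequestDelegate {
    private let completion: (Result<String?, Error>) -> Void

    init(completion: @escaping (Result<String?, Error>) -> Void) {
        self.completion = completion
    }

    func start(extensionIdentifier: String) {
        let request = OSSystemExtensionRequest.propertiesRequest(
            forExtensionWithIdentifier: extensionIdentifier, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
    }

    // The properties of every known copy of the extension arrive here.
    func request(_ request: OSSystemExtensionRequest,
                 foundProperties properties: [OSSystemExtensionProperties]) {
        // More than one entry can be listed, e.g. an old copy being
        // uninstalled next to a new one awaiting approval.
        let active = properties.first { $0.isEnabled && !$0.isUninstalling }
        completion(.success(active.map { "\($0.bundleShortVersion) (\($0.bundleVersion))" }))
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        completion(.failure(error))
    }

    // Required by the protocol; a properties query never replaces anything.
    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
                 -> OSSystemExtensionRequest.ReplacementAction {
        .cancel
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {}

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {}
}
```

The request holds its delegate weakly, so the caller has to keep the `SysexVersionQuery` instance alive until the completion runs.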
