Posts

Post marked as solved
11 Replies
9.1k Views
Hi All,

Starting from the SimpleFirewall Apple Network Extension example I managed to create an app with an Endpoint Security extension.

From the console I can see that the app is starting correctly and the System Extension is registered and loaded correctly by sysextd:

    attempting to realize extension with identifier com.***.***.endpoint

But then the system extension fails with:

    System extension request failed: Invalid extension configuration in Info.plist and/or entitlements

That is the same error I can see setting a breakpoint in:

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error)

Note 1: My provisioning profile doesn't contain yet a com.apple.developer.endpoint-security.client (requested but not yet approved), but I removed it from the .entitlements file and added it to the system extension Info.plist; for development this "should" be ok, right?

Note 2: Keeping the entitlement in the .entitlements file but not having it in the Provisioning Profile obviously causes an error:

    com.***.zuul: Unsatisfied entitlements: com.apple.developer.endpoint-security.client

What am I missing?

I noticed that the SimpleFirewall has a special configuration in the Info.plist:

    <key>com.apple.developer.networking.networkextension</key>
    <array>
        <string>content-filter-provider</string>
    </array>

Do I need to add something similar for the Endpoint Security extension?
Posted by kappe_m.
Post marked as solved
3 Replies
2k Views
Suddenly, between 07/March/22 and 11/March/22, my entire team stopped being able to create a non-crashing build for our macOS app. The project builds correctly but the app crashes with:

    dyld: Library not loaded: @rpath/[redacted]/Versions/A/[redacted]
      Referenced from: /Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/MyApp
      Reason: no suitable image found.  Did find:
        /Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/../Frameworks/[redacted].framework/Versions/A/[redacted]: code signature invalid for '/Users/[redacted]/Library/Developer/Xcode/DerivedData/[redacted]-afjccazdqnhlzphdcplakowpjfyi/Build/Products/Release/MyApp.app/Contents/MacOS/../Frameworks/[redacted].framework/Versions/A/[redacted]'

Summary: "no suitable image found" and "code signature invalid".

In console we see:

    error 12:33:50.270929+0000 taskgated-helper ConfigurationProfiles com.apple.ManagedClient ProvisioningProfiles Disallowing org.cocoapods.[redacted] because no eligible provisioning profiles found
    error 12:33:50.271244+0000 amfid amfid com.apple.MobileFileIntegrity amfid CPValidateProvisioningDictionariesExtViaBridge returned invalid result: { success = 0; }

This is the signature of the above framework from inside the application bundle:

The framework crashing is a Pod and our project has a mix of pods and swift packages. We tried to build several older commits thinking we screwed up something in the project but the result is not changing, so it seems obvious the issue is in the environment.

We are using Xcode 13.2.1 on macOS 11.6.5 (yeah, IT is blocking the macOS 12 upgrade).

We cleaned the project, re-downloaded all certificates and changed our signing from manual to automatic, just for testing. No changes.

I'm aware of changes in certificates and some known problems on Xcode <13.4 but the timing doesn't match exactly.

Any clue?

Additional info: This is just one of the components crashing; other binaries are crashing for the same reason but with different frameworks.

This is a comparison between the framework with the invalid signature and the same framework from an old working build.

Working:

    sudo codesign -dv [redacted].framework --extract-certificates
    Password:
    Executable=/Applications/[redacted].app/Contents/Frameworks/[redacted]g.framework/Versions/Current/[redacted]
    Identifier=org.cocoapods.[redacted]
    Format=bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20400 size=1092 flags=0x0(none) hashes=27+3 location=embedded
    Signature size=8960
    Timestamp=1 Feb 2022 at 13:00:40
    Info.plist entries=20
    TeamIdentifier=[redacted]
    Sealed Resources version=2 rules=13 files=1
    Internal requirements count=1 size=192

Crashing:

    sudo codesign -dv [redacted].framework --extract-certificates
    Password:
    Executable=/Users/[redacted]/Developer/[redacted]/Builds/Release/InstallerComponents.dst/Applications/[redacted].app/Contents/Frameworks/[redacted].framework/Versions/Current/[redacted]
    Identifier=org.cocoapods.[redacted]
    Format=bundle with Mach-O universal (x86_64 arm64)
    CodeDirectory v=20500 size=1164 flags=0x10000(runtime) hashes=27+5 location=embedded
    Signature size=8961
    Timestamp=15 Mar 2022 at 11:15:56
    Info.plist entries=20
    TeamIdentifier=[redacted]
    Runtime Version=12.1.0
    Sealed Resources version=2 rules=13 files=1
    Internal requirements count=1 size=224
Posted by kappe_m.
Post not yet marked as solved
4 Replies
1.2k Views
Hi All,

I have a NEDNSProxyProvider System Extension and my logs are full of sandbox violations, all like:

    error 2021-09-21 10:42:30.557390 -0400 sandboxd com.apple.sandbox.reporting violation System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006
    Violation:       deny(1) system-privilege 10006
    Process:         com.myCompany.mac [640]
    Path:            /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy
    Load Address:    0x1028a8000
    Identifier:      com.myCompany.macos.netext.dnsproxy
    Version:         78 (2.0.0)
    Code Type:       arm64 (Native)
    Parent Process:  launchd [1]
    Responsible:     /Library/SystemExtensions/4375ED6E-69A9-4897-8B39-4252AD9843AD/com.myCompany.macos.netext.dnsproxy.systemextension/Contents/MacOS/com.myCompany.macos.netext.dnsproxy
    User ID:         0
    Date/Time:       2021-09-21 10:42:30.522 EDT
    OS Version:      macOS 11.6 (20G165)
    Report Version:  8
    MetaData: {"uid":0,"summary":"deny(1) system-privilege 10006","errno":1,"hardware":"J293","operation":"system-privilege","apple-internal":false,"pid":640,"platform-binary":false,"primary-filter":"privilege-id","privilege-id":"PRIV_NET_PRIVILEGED_NECP_MATCH","process":"com.myCompany.mac","profile-flags":0,"target":"PRIV_NET_PRIVILEGED_NECP_MATCH","build":"macOS 11.6 (20G165)","flags":5,"team-id":"7NM7G573E4","platform-policy":true,"profile":"platform","responsible-process-path":"\/Library\/SystemExtensions\/4375ED6E-69A9-4897-8B39-4252AD9843AD\/com.myCompany.macos.netext.dnsproxy.systemextension\/Contents\/MacOS\/com.myCompany.macos.netext.dnsproxy","signing-id":"com.myCompany.macos.netext.dnsproxy","platform_binary":"no","action":"deny","process-path":"\/Library\/SystemExtensions\/4375ED6E-69A9-4897-8B39-4252AD9843AD\/com.myCompany.macos.netext.dnsproxy.systemextension\/Contents\/MacOS\/com.myCompany.macos.netext.dnsproxy","normalized_target":["PRIV_NET_PRIVILEGED_NECP_MATCH"],"primary-filter-value":"PRIV_NET_PRIVILEGED_NECP_MATCH"}

    Thread 0 (id: 5185):
    0   libsystem_kernel.dylib          0x0000000195f13eac __sigsuspend_nocancel + 8
    1   libdispatch.dylib               0x0000000195dab518 _dispatch_sigsuspend + 48
    2   libdispatch.dylib               0x0000000195dab4e8 _dispatch_sigsuspend + 0
    Thread 1 (id: 32979):
    0   libsystem_kernel.dylib          0x0000000195f0ea8c __workq_kernreturn + 8
    1   libsystem_pthread.dylib         0x0000000195f438e8 _pthread_wqthread + 352
    2   libsystem_pthread.dylib         0x0000000195f425d4 start_wqthread + 8
    Thread 2 (id: 33109):
    0   libsystem_kernel.dylib          0x0000000195f1111c socket + 8
    1   libnetwork.dylib                0x0000000199d74658 nw_interface_create_with_index_and_name + 220
    2   libnetwork.dylib                0x0000000199d73c7c nw_interface_create_with_index + 180
    3   NetworkExtension                0x00000001a310de10 -[NEAppProxyFlow initWithNEFlow:queue:] + 432
    4   NetworkExtension                0x00000001a310fc70 -[NEAppProxyUDPFlow initWithNEFlow:queue:] + 48
    5   NetworkExtension                0x00000001a31425b8 -[NEExtensionAppProxyProviderContext flowDivertNewFlow:completionHandler:] + 556
    6   NetworkExtension                0x00000001a31419f8 __88-[NEExtensionAppProxyProviderContext setInitialFlowDivertControlSocket:extraValidation:]_block_invoke.106 + 72
    7   NetworkExtension                0x00000001a3172404 __flow_startup_block_invoke.116 + 156
    8   libdispatch.dylib               0x0000000195d96128 _dispatch_call_block_and_release + 32
    9   libdispatch.dylib               0x0000000195d97ec0 _dispatch_client_callout + 20
    10  libdispatch.dylib               0x0000000195d9f6a8 _dispatch_lane_serial_drain + 620
    11  libdispatch.dylib               0x0000000195da02a4 _dispatch_lane_invoke + 404
    12  libdispatch.dylib               0x0000000195daab74 _dispatch_workloop_worker_thread + 764
    13  libsystem_pthread.dylib         0x0000000195f4389c _pthread_wqthread + 276
    14  libsystem_pthread.dylib         0x0000000195f425d4 start_wqthread + 8
    Thread 3 (id: 33293):
    0   libsystem_kernel.dylib          0x0000000195f0ea8c __workq_kernreturn + 8
    1   libsystem_pthread.dylib         0x0000000195f438e8 _pthread_wqthread + 352
    2   libsystem_pthread.dylib         0x0000000195f425d4 start_wqthread + 8
    Thread 4 (id: 33296):
    0   0x0000000000000000

    Binary Images:
    0x195d94000 - 0x195dd8807 libdispatch.dylib (1271.120.2) <4edd5f72-2296-3891-b2a1-6741db6c05c9> /usr/lib/system/libdispatch.dylib
    0x195f0c000 - 0x195f3ffff libsystem_kernel.dylib (7195.141.6) <fa7e835c-cb30-3d98-9331-30ce6584423d> /usr/lib/system/libsystem_kernel.dylib
    0x195f40000 - 0x195f4cfff libsystem_pthread.dylib (454.120.2) <bdc1c5da-9499-3580-9588-2928de2440dd> /usr/lib/system/libsystem_pthread.dylib
    0x199ba7000 - 0x19a2ef4ff libnetwork.dylib (2288.140.7) <992e11c6-a4c3-344f-80f9-d49fc41f9ebb> /usr/lib/libnetwork.dylib
    0x1a3104000 - 0x1a335a1b3 com.apple.NetworkExtension (1.0 - 1) <66650680-34df-30c9-a215-46589cf2aa0e> /System/Library/Frameworks/NetworkExtension.framework/Versions/A/NetworkExtension

and the related error:

    error 2021-09-21 10:42:41.145014 -0400 kernel <Missing Description> System Policy: com.myCompany.mac(640) deny(1) system-privilege 10006

OS: macOS 11.6, sysext built with Xcode 12.5.1

The proxy works as expected.

I've found a very similar post: here, but the System extension is a NETransparentProxyManager and the solution is related to something we don't have (includeAllNetworks).

Any clue?
Posted by kappe_m.
Post marked as solved
4 Replies
3.8k Views
Hi All,

We have an app installed in /Applications/MyApp.app that embeds a system extension. Everything works as expected and the system extension (DNSProxy) is installed and runs perfectly.

We also have a .pkg "Uninstaller" that alongside other tasks runs a rm -rf /Applications/MyApp.app in the pkg preinstall script.

When we run the uninstaller all the files are deleted and all the processes are stopped except the System extension that is still alive and kicking:

    systemextensionsctl list
    * xxxxxxxxxxxx com.xxxxxx.macos.netext.dnsproxy (2.0.0/22) MyAppNE [activated enabled]

The documentation states:

    Uninstall a System Extension
    The system automatically uninstalls any system extensions when the user deletes the corresponding app. You can also uninstall a system extension by creating a deactivation request. Call the deactivationRequest(forExtensionWithIdentifier:queue:) method of OSSystemExtensionRequest and submit the resulting object to the OSSystemExtensionManager.

But apparently, this isn't the case if the app is removed in this specific way. How are we supposed to uninstall the System Extension? Running the deactivationRequest(forExtensionWithIdentifier:queue:) method from the uninstaller pkg would be VERY tricky.

Update: This entire post could be summarised with: Removing an app from Terminal doesn't remove the embedded system extension. This seems a HUGE limitation... how are we supposed to remove system extensions via MDM or SSH, for instance?
Posted by kappe_m.
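What the documented deactivation request looks like in practice, as an added example that is not part of the post above: a small helper that submits deactivationRequest(forExtensionWithIdentifier:queue:), waits for the delegate callback and reports the result. It assumes it runs as a process inside the app bundle that embeds the extension, and the extension identifier is a constructed placeholder.

```swift
import Foundation
import SystemExtensions

// Drives one deactivation request to completion and reports the outcome.
// Assumption: this runs from inside the app bundle that embeds the extension
// (MyApp.app/Contents/MacOS/...), the place sysextd expects the request from;
// the identifier used at the bottom is a constructed placeholder.
final class DeactivationDriver: NSObject, OSSystemExtensionRequestDelegate {
    private(set) var outcome: Result<OSSystemExtensionRequest.Result, Error>?

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties) -> OSSystemExtensionRequest.ReplacementAction {
        return .replace  // only consulted for activation requests, never here
    }
    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("Deactivation is waiting for user approval in System Preferences")
    }
    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        outcome = .success(result)
    }
    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        outcome = .failure(error)
    }

    // Submits the request, then pumps the main run loop until a delegate callback
    // lands (callbacks are delivered on the queue passed below) or the timeout hits.
    func deactivate(identifier: String, timeout: TimeInterval = 60) -> Result<OSSystemExtensionRequest.Result, Error> {
        let request = OSSystemExtensionRequest.deactivationRequest(
            forExtensionWithIdentifier: identifier, queue: .main)
        request.delegate = self
        OSSystemExtensionManager.shared.submitRequest(request)
        let deadline = Date().addingTimeInterval(timeout)
        while outcome == nil && Date() < deadline {
            RunLoop.main.run(until: Date().addingTimeInterval(0.1))
        }
        return outcome ?? .failure(POSIXError(.ETIMEDOUT))
    }
}

let driver = DeactivationDriver()
switch driver.deactivate(identifier: "com.example.macos.netext.dnsproxy") {
case .success(let result):
    // .willCompleteAfterReboot means the extension stays loaded until restart.
    NSLog(result == .completed ? "Extension deactivated" : "Extension removed after reboot")
case .failure(let error):
    NSLog("Deactivation failed: \(error)")
}
```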
Post not yet marked as solved
3 Replies
1.2k Views
Hi All,

I'm studying the new AUTH event ES_EVENT_TYPE_AUTH_IOKIT_OPEN introduced in the EndpointSecurity framework on macOS 11. The event is called correctly when someone tries to open a new IO device, for instance, any USB device. If the endpoint answers ES_AUTH_RESULT_DENY then the device is correctly stopped.

In message->event I see an event of type es_event_iokit_open_t:

    /**
     * @brief Open a connection to an I/O Kit IOService
     *
     * @field user_client_type A constant specifying the type of connection to be
     *        created, interpreted only by the IOService's family.
     *        This field corresponds to the type argument to IOServiceOpen().
     * @field user_client_class Meta class name of the user client instance.
     *
     * This event is fired when a process calls IOServiceOpen() in order to open
     * a communications channel with an I/O Kit driver. The event does not
     * correspond to driver <-> device communication and is neither providing
     * visibility nor access control into devices being attached.
     */
    typedef struct {
        uint32_t user_client_type;
        es_string_token_t user_client_class;
        uint8_t reserved[64];
    } es_event_iokit_open_t;

Unfortunately, the header says:

    The event does not correspond to driver <-> device communication and is neither providing visibility nor access control into devices being attached.

My question is: How can I get info about the device? For instance: Name, Vendor, Type, etc... Do I need to use IOKit? In this case, how can I connect the event to the device?

Thanks
Posted by kappe_m.
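As an added example (not code from the post above), an Endpoint Security client that subscribes to ES_EVENT_TYPE_AUTH_IOKIT_OPEN and answers it from the only two fields the event carries, the user-client class name and type. It assumes the process holds the com.apple.developer.endpoint-security.client entitlement and runs as root; the denied class name is a constructed placeholder.

```swift
import Foundation
import EndpointSecurity

// es_string_token_t carries an explicit length; do not rely on a trailing NUL.
func string(from token: es_string_token_t) -> String {
    guard token.length > 0, let data = token.data else { return "" }
    return String(decoding: UnsafeRawBufferPointer(start: data, count: token.length),
                  as: UTF8.self)
}

// Constructed placeholder policy: user-client classes whose IOServiceOpen() is vetoed.
// The event exposes only the user-client class and type, not the device behind it.
let deniedUserClientClasses: Set<String> = ["ExampleVendorUserClient"]

func decide(userClientClass: String, userClientType: UInt32) -> es_auth_result_t {
    return deniedUserClientClasses.contains(userClientClass)
        ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
}

var client: OpaquePointer?
let rc = es_new_client(&client) { client, message in
    guard message.pointee.event_type == ES_EVENT_TYPE_AUTH_IOKIT_OPEN else { return }
    let open = message.pointee.event.iokit_open
    let cls = string(from: open.user_client_class)
    let verdict = decide(userClientClass: cls, userClientType: open.user_client_type)
    NSLog("IOKIT_OPEN class=\(cls) type=\(open.user_client_type) -> \(verdict == ES_AUTH_RESULT_DENY ? "DENY" : "ALLOW")")
    // Every AUTH message must be answered before its deadline or ES drops the client.
    // cache=false: the verdict depends on the class name, not only on the process.
    es_respond_auth_result(client, message, verdict, false)
}
guard rc == ES_NEW_CLIENT_RESULT_SUCCESS, let es = client else {
    fatalError("es_new_client failed: \(rc.rawValue)")
}
var events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_IOKIT_OPEN]
guard es_subscribe(es, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}
dispatchMain()
```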
Post not yet marked as solved
0 Replies
542 Views
The DiskArbitration framework on macOS provides a simple way to intercept volume mounts and authorise them or not using DARegisterDiskMountApprovalCallback.

I'm looking for something similar for all the other USB devices like HID devices, network interfaces and in general every USB peripheral.

I'm moving in the direction of IOKit: Introduction to USB Device Interface Guide and I can see how to communicate with a USB device but I can't find anything similar to an arbitration mechanism.

Any idea? I would like to avoid Kernel extensions, especially with Catalina where installing them requires a reboot.

Thanks
Posted by kappe_m.
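The DiskArbitration mechanism the post above refers to, as an added example that is not part of the post: a mount-approval callback that vetoes volumes whose device protocol is USB by returning a DADissenter. It assumes a long-running process with a run loop; the blocked-protocol list is a constructed placeholder policy.

```swift
import Foundation
import DiskArbitration

// Constructed placeholder policy: device protocols whose volumes are refused.
let blockedProtocols: Set<String> = ["USB"]

// Pure decision, kept apart from the CF callback so it is easy to reason about.
func shouldDenyMount(deviceProtocol: String?) -> Bool {
    guard let proto = deviceProtocol else { return false }
    return blockedProtocols.contains(proto)
}

// DADiskMountApprovalCallback is a C function pointer: the closure must not
// capture context, so it reaches the policy only through globals.
let mountApproval: DADiskMountApprovalCallback = { disk, _ in
    let desc = (DADiskCopyDescription(disk) as? [String: Any]) ?? [:]
    let proto = desc[kDADiskDescriptionDeviceProtocolKey as String] as? String
    let name = desc[kDADiskDescriptionVolumeNameKey as String] as? String
    let bsd = DADiskGetBSDName(disk).map { String(cString: $0) } ?? "?"
    guard shouldDenyMount(deviceProtocol: proto) else {
        return nil  // nil approves the mount
    }
    NSLog("Vetoing mount of \(bsd) (\(name ?? "unnamed")) over \(proto ?? "?")")
    // Returning a dissenter vetoes the mount; status and text reach the user.
    let dissenter = DADissenterCreate(kCFAllocatorDefault,
                                      DAReturn(kDAReturnNotPermitted),
                                      "Removable volumes are blocked by policy" as CFString)
    return Unmanaged.passRetained(dissenter)
}

guard let session = DASessionCreate(kCFAllocatorDefault) else {
    fatalError("DASessionCreate failed")
}
// nil match dictionary: observe every disk; narrow with kDADiskDescription* keys if needed.
DARegisterDiskMountApprovalCallback(session, nil, mountApproval, nil)
DASessionScheduleWithRunLoop(session, CFRunLoopGetCurrent(), CFRunLoopMode.defaultMode.rawValue)
CFRunLoopRun()
```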
Post not yet marked as solved
0 Replies
482 Views
The situation: 10 days ago we submitted an app based on NEDNSProxyProvider for review and we hit a wall.

We provided a full app description with features and requirements, detailed instructions about the configuration needed and the .mobileconfig file necessary for the proper app configuration on a supervised device.

After 5 days of silence, we received a complete nonsense rejection:

    Upon further review, we found that your app does not comply with the following guidelines:
    Guideline 2.1 - Information Needed
    We have started your beta app's review, but we were unable to successfully access all or part of your app.
    - Provide a Configuration/MDM profile
    In order for us to continue the review, you will still need to provide a functional demo account that gives us access to all parts of your beta app so that we may fully review its content, features, and functionality. If your beta app is restricted to a specific location, you will still need to provide a whitelisted demo account that gives us access to your beta app. Note that providing a demo video showing your beta app in use is not enough for us to continue the review.

After this, we resubmitted all the info and the files and we re-phrased the app description highlighting the necessity to have a supervised device and a .mobileconfig installed on the device using Apple Configurator 2 or an MDM.

It's been complete silence for 3 days.

I'm suspecting that the guys supposed to review the apps are not very prepared for this kind of app/environment.

Has anyone had a similar experience or successfully submitted a network extension? Anyone with any insight or suggestion on how to proceed?
Posted by kappe_m.
Post not yet marked as solved
1 Replies
601 Views
I have a NEDNSProxyProvider implementation (iOS 12+ app) and the configuration is provided through MDM.

I want to intercept any change in the proxy configuration and, following the documentation, I've used the NEDNSProxyConfigurationDidChange notification:

    // Proxy configuration changed, probably after an update from the MDM
    NotificationCenter.default.addObserver(self,
        selector: #selector(handleDNSProxyConfigurationChanges(_:)),
        name: NSNotification.Name.NEDNSProxyConfigurationDidChange,
        object: nil)

But apparently the notification isn't fired; instead, the proxy is restarted by the system calling the usual

    override public func stopProxy(with reason: NEProviderStopReason, completionHandler: @escaping () -> Void)

and

    override public func startProxy(options: [String: Any]? = nil, completionHandler: @escaping (Error?) -> Void)

Is this the intended behaviour and the documentation is out of date, or is this a bug?

Thanks
~Federico
Posted by kappe_m.