Running and debugging a Content Filtering network extension

I grabbed Apple's sample project, SimpleFirewall, here https://developer.apple.com/documentation/networkextension/filtering_network_traffic. The app builds and runs, but when I press the start button it tells me this in the console:

2019-06-05 15:00:38.032893-0500 SimpleFirewall[32086:151724] System extension request failed: App containing System Extension to be activated must be in /Applications folder


Ok, fair enough. Weirdly, the INSTALL_PATH in build settings is pointed to /Applications, but okay, I'll grab the product and the extension and shove it in /Applications myself and worry about how to debug this later. When I try that, it has me open System Preferences to enable the system extension--progress! However, even after that, the Start button on the application, which is intended to start filtering incoming connections, briefly spins and goes back to the red/disabled state.


Any tips on how to run this within Xcode and debug it are appreciated. I know it's early and the session doesn't even air until Friday, but there's only so many days left in the summer 🙂.


Best,

Mark

Replies

First, make sure that you have SIP disabled. Also, if possible, I would recommend updating to the second beta of Catalina and Xcode (there were some System Extension updates) and then re-downloading the SimpleFirewall project (I believe it had minor updates as well).


On beta 2 of Catalina, from the command line you can issue the following commands to make testing easier:


# This will reset all previous System Extensions

systemextensionsctl reset


# Turns on developer mode and disables some of the restrictions like having to run from /Applications

systemextensionsctl developer on


With these steps I've been able to run and test the SimpleFirewall project.

I just want to build and run the sample “SimpleFirewall” project.


I am enrolled in the Apple Developer Enterprise Program. When I used an Apple/macOS Development certificate, I got the following error.


Your development team, “XXXXXXXXXXX”, does not support the Network Extensions capability.


Then I skipped the signing part for both the app and the extension, and the build succeeded. But while running it I don’t get any prompt to authorize. Meanwhile, in system.log I can see the following lines repeatedly.



com.apple.xpc.launchd[1] (com.apple.sysextd[1289]): Service exited due to SIGILL | sent by exc handler[1289]

com.apple.xpc.launchd[1] (com.apple.sysextd): Service only ran for 0 seconds. Pushing respawn out by 10 seconds.


Is code signing mandatory? If not, please shed some light on how to run and test this locally.

Since you are able to run the sample, I believe you could help me resolve this.


PS:

Xcode 11 beta 2

System Integrity Protection status: disabled.

Running the application as root.


Thanks,

Rishr

I had to first disable SIP by booting into recovery mode, opening Terminal, running csrutil disable, and restarting (risks seemed acceptable to me). Then systemextensionsctl developer on -- then I was able to get the sample app working.

Another alternative that I use is to log everything to an extension subsystem and then stream those logs to the console instead of disabling SIP and turning developer mode on.

For example:

Code Block swift
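import NetworkExtension
import os.log

class FilterDataProvider: NEFilterDataProvider {
    // Shared log handle; the subsystem string is what `log stream` filters on.
    static let log = OSLog(subsystem: "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension", category: "provider")
    private let log: OSLog

    override init() {
        self.log = Self.log
        super.init()
        // Log only after super.init(); self cannot be read before that call.
        os_log(.debug, log: self.log, "init")
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        os_log(.debug, log: self.log, "Received a new flow: %{public}@", flow.description)
        // Placeholder verdict so the method compiles; replace with the real filtering decision.
        return .allow()
    }
}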


Code Block text
% log stream --level debug --predicate 'subsystem == "com.example.apple-samplecode.SimpleFirewallTestBed.SimpleFirewallExtension"'




Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
  • Would it be possible for you to describe your implementation details more thoroughly? I am running into the same issues as above but would like to solve without disabling SIP.

    Where should I implement the above code?

    Thank you!


I was able to solve the issue "App containing System Extension to be activated must be in /Applications folder" with the build settings shown below:

DEPLOYMENT_LOCATION = YES
DSTROOT = /
INSTALL_PATH = $(LOCAL_APPS_DIR)/MyDevelopmentApps
SKIP_INSTALL = NO

The idea is that the build product is placed into a /Applications/MyDevelopmentApps directory instead of the /.../DerivedData/.../Build/Products directory.

I was able to solve issue App containing System Extension to be activated must be in /Applications folde

Yes, when building, testing, and running locally I would always recommend that you keep SIP enabled and test with a built product executed from the /Applications folder.

Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
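
A preflight check for the activation conditions discussed in this thread, as an added example that is not part of any post or of Apple's sample project. The function names are hypothetical, the developer-mode state is passed in by the caller rather than queried, and the rule that developer mode only applies with SIP disabled follows what the replies above describe.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the sample project.

# Print the bundle path with symlinks resolved when it exists, else as given.
resolve_bundle() {
    p=${1%/}
    if [ -d "$p" ]; then (cd "$p" && pwd -P); else printf '%s\n' "$p"; fi
}

# Succeed if the bundle sits under /Applications (subfolders such as
# /Applications/MyDevelopmentApps, used in the thread, count too).
in_applications() {
    case "$(resolve_bundle "$1")" in
        /Applications/*.app) return 0 ;;
        *) return 1 ;;
    esac
}

# Map `csrutil status` output to enabled / disabled / unknown.
sip_state() {
    case "$1" in
        *"System Integrity Protection status: enabled"*) echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# preflight BUNDLE CSRUTIL_OUTPUT DEVMODE
# DEVMODE is "on" or "off" as the caller last set it with systemextensionsctl.
preflight() {
    if in_applications "$1"; then
        echo "ok: bundle is under /Applications"
    elif [ "$3" = on ] && [ "$(sip_state "$2")" = disabled ]; then
        echo "ok-dev: developer mode lifts the /Applications requirement"
    else
        echo "fail: install the bundle under /Applications before activating"
        return 1
    fi
}

# Stand-alone use on a Mac: sh preflight.sh /path/to/SimpleFirewall.app [on|off]
if [ "$#" -ge 1 ] && command -v csrutil >/dev/null 2>&1; then
    preflight "$1" "$(csrutil status)" "${2:-off}"
fi
```

Running it against the Xcode build product before pressing Start shows whether the "must be in /Applications folder" failure is expected without changing any system setting.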