Help with debugging taskgated error and tunnel_server failure

Hi,
I'm developing a transparent proxy based on the SimpleTunnel example for macOS Catalina, using Xcode 11.4.1.

I have the extension loading and starting to establish a connection to tunnel_server.
The connection succeeds, but the configuration is not exchanged.
Console output from the app extension is:

default 15:40:20.838978+1000 taskgated-helper Checking profile: Mac Team Provisioning Profile: com.bjerzyna.AppProxy.AppProxyExtension
default 15:40:20.839020+1000 taskgated-helper allowing entitlement(s) for com.bjerzyna.AppProxy.AppProxyExtension due to provisioning profile (isUPP: 0)
default 15:40:20.849729+1000 taskgated-helper Checking profile: Mac Team Provisioning Profile: com.bjerzyna.AppProxy.AppProxyExtension
error 15:40:20.849843+1000 taskgated-helper com.bjerzyna.AppProxy.AppProxyExtension: Unsatisfied entitlements: com.apple.security.application-groups
error 15:40:20.849942+1000 taskgated-helper Disallowing: com.bjerzyna.AppProxy.AppProxyExtension
default 15:40:20.905827+1000 com.bjerzyna.AppProxy.AppProxyExtension nw_path_evaluator_start [92300C67-30CA-4871-86BA-6671F1A03D08  generic, indefinite]
path: satisfied (Path is satisfied), interface: en0, ipv4, dns
default 15:40:20.906308+1000 nesessionmanager NESMTransparentProxySession[Primary Tunnel:PassThroughProxy:88063CEA-F50E-4B71-8F10-D2586AAE7D91:(null)]: Plugin NEFlowDivertPlugin(com.bjerzyna.AppProxy[9187]) initialized with Mach-O UUIDs (
    "32011B97-B62E-356F-B27B-F4E0A7660DCE"
)
default 15:40:20.906464+1000 nesessionmanager NESMTransparentProxySession[Primary Tunnel:PassThroughProxy:88063CEA-F50E-4B71-8F10-D2586AAE7D91:(null)] in state NESMVPNSessionStateStarting: plugin NEFlowDivertPlugin(com.bjerzyna.AppProxy[9187]) started with PID 9187 error (null)
default 15:40:20.907546+1000 com.bjerzyna.AppProxy.AppProxyExtension (0): Creating a new flow director
default 15:40:20.908004+1000 com.bjerzyna.AppProxy.AppProxyExtension [Extension com.bjerzyna.AppProxy]: Calling startProxyWithOptions with options 0x0
default 15:40:20.909569+1000 com.bjerzyna.AppProxy.AppProxyExtension [C1 9F487A3B-D00E-496E-B8F7-BF3BFACD249C Hostname#b8933958:12345 tcp, indefinite] start
default 15:40:20.909889+1000 com.bjerzyna.AppProxy.AppProxyExtension Tunnel connection state changed to Connecting
default 15:40:20.910705+1000 com.bjerzyna.AppProxy.AppProxyExtension nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state preparing
default 15:40:20.916903+1000 com.bjerzyna.AppProxy.AppProxyExtension nw_socket_handle_socket_event [C1.1:1] Socket received CONNECTED event
default 15:40:20.917049+1000 com.bjerzyna.AppProxy.AppProxyExtension nw_flow_connected [C1.1 ::1.12345 in_progress socket-flow (satisfied (Path is satisfied), interface: lo0)] Output protocol connected
default 15:40:20.918560+1000 com.bjerzyna.AppProxy.AppProxyExtension nw_connection_report_state_with_handler_on_nw_queue [C1] reporting state ready
default 15:40:20.918889+1000 com.bjerzyna.AppProxy.AppProxyExtension Tunnel connection state changed to Connected
default 15:40:20.919274+1000 com.bjerzyna.AppProxy.AppProxyExtension Tunnel opened, fetching configuration

I'm concerned about lines 4 and 5.
I've tried to set the AppGroups as suggested in various threads, but no luck.
I'm puzzled, also, that the extension seems to carry on after those errors.
I have the debugger attached to the tunnel_server as well and don't see anything triggering there apart from the initial socket connection.
Edit:
If I have the AppProxyExtension connect to a local netcat session, I see the setconfig command being sent from the extension.

"$OSXLT150:~ bernd.jerzyna$ nc -l localhost 7777
"$list00�ZidentifierWcommand


Update 2:

Wireshark shows that the tunnel_server ACKs the packet from the client, but takes no further action:

No. Time Source Destination Protocol Length Info
1 0.000000 127.0.0.1 127.0.0.1 TCP 56 63593 → 5555 [FIN, ACK] Seq=1 Ack=1 Win=6379 Len=0 TSval=713892242 TSecr=713731171
2 0.000030 127.0.0.1 127.0.0.1 TCP 56 5555 → 63593 [ACK] Seq=1 Ack=2 Win=6378 Len=0 TSval=713892242 TSecr=713892242
3 3.229257 127.0.0.1 127.0.0.1 TCP 68 63669 → 5555 [SYN] Seq=0 Win=65535 Len=0 MSS=16344 WS=64 TSval=713895454 TSecr=0 SACK_PERM=1
4 3.229362 127.0.0.1 127.0.0.1 TCP 68 5555 → 63669 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=16344 WS=64 TSval=713895455 TSecr=713895454 SACK_PERM=1
5 3.229374 127.0.0.1 127.0.0.1 TCP 56 63669 → 5555 [ACK] Seq=1 Ack=1 Win=408256 Len=0 TSval=713895455 TSecr=713895455
6 3.229385 127.0.0.1 127.0.0.1 TCP 56 [TCP Window Update] 5555 → 63669 [ACK] Seq=1 Ack=1 Win=408256 Len=0 TSval=713895455 TSecr=713895455
7 3.234991 127.0.0.1 127.0.0.1 TCP 133 63669 → 5555 [PSH, ACK] Seq=1 Ack=1 Win=408256 Len=77 TSval=713895459 TSecr=713895455
8 3.235014 127.0.0.1 127.0.0.1 TCP 56 5555 → 63669 [ACK] Seq=1 Ack=78 Win=408192 Len=0 TSval=713895459 TSecr=713895459
9 34.380607 192.168.1.7 230.230.230.230 UDP 140 55174 → 8976 Len=108

Many thanks
Bernd
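
The taskgated-helper lines in the console output above record an allow decision and a deny decision for the same bundle identifier about 11 ms apart. As an added example (not part of the original post, and not SimpleTunnel code), this sketch extracts those decisions from Console-style text so the sequence can be checked across a longer capture; the function names are hypothetical, and the comma-separated entitlement list is an assumption.

```python
import re

# Constructed sample: the taskgated-helper lines from the post, plus one
# extension line to show that other processes are ignored.
SAMPLE_LOG = """\
default 15:40:20.838978+1000 taskgated-helper Checking profile: Mac Team Provisioning Profile: com.bjerzyna.AppProxy.AppProxyExtension
default 15:40:20.839020+1000 taskgated-helper allowing entitlement(s) for com.bjerzyna.AppProxy.AppProxyExtension due to provisioning profile (isUPP: 0)
default 15:40:20.849729+1000 taskgated-helper Checking profile: Mac Team Provisioning Profile: com.bjerzyna.AppProxy.AppProxyExtension
error 15:40:20.849843+1000 taskgated-helper com.bjerzyna.AppProxy.AppProxyExtension: Unsatisfied entitlements: com.apple.security.application-groups
error 15:40:20.849942+1000 taskgated-helper Disallowing: com.bjerzyna.AppProxy.AppProxyExtension
default 15:40:20.919274+1000 com.bjerzyna.AppProxy.AppProxyExtension Tunnel opened, fetching configuration
"""

LINE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d\d:\d\d:\d\d\.\d+)[+-]\d{4}\s+"
    r"(?P<proc>\S+)\s+(?P<msg>.*)$")
ALLOW = re.compile(r"^allowing entitlement\(s\) for (?P<id>\S+) due to provisioning profile")
UNSAT = re.compile(r"^(?P<id>\S+): Unsatisfied entitlements: (?P<ents>.+)$")
DENY = re.compile(r"^Disallowing: (?P<id>\S+)$")

def taskgated_decisions(log_text):
    """Return ordered (timestamp, bundle_id, decision, entitlements) tuples."""
    events = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m or m["proc"] != "taskgated-helper":
            continue
        msg, ts = m["msg"], m["ts"]
        if a := ALLOW.match(msg):
            events.append((ts, a["id"], "allow", []))
        elif u := UNSAT.match(msg):
            # Assumption: several entitlements would be comma-separated.
            ents = [e.strip() for e in u["ents"].split(",")]
            events.append((ts, u["id"], "unsatisfied", ents))
        elif d := DENY.match(msg):
            events.append((ts, d["id"], "deny", []))
    return events

def mixed_verdicts(events):
    """Bundle ids that were both allowed and denied in the same capture."""
    seen = {}
    for _, bundle, decision, _ in events:
        seen.setdefault(bundle, set()).add(decision)
    return sorted(b for b, d in seen.items() if {"allow", "deny"} <= d)

if __name__ == "__main__":
    for event in taskgated_decisions(SAMPLE_LOG):
        print(event)
    print("allowed and denied:", mixed_verdicts(taskgated_decisions(SAMPLE_LOG)))
```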