Unable to create a socket using POSIX in C?

Every time I try to use the C built-in socket commands to create a socket, I see this line spit out in console. I'm not sure what's causing it to happen but has anyone ever seen this before and would anyone know how to resolve it? I'm trying to create the socket inside a PacketTunnelProvider implementation.

kernel(Sandbox)[0] <Notice>: Sandbox: MyVPNProvider(397) deny(1) system-socket

This is being run on a normal iPhone 6s that I have plugged in. I've tested it on both an iPad running iOS 10.3 and an iPhone running iOS 11 Beta 6, I get the same results on both.

Replies

What sort of socket are you trying to create? The presence of system-socket in the sandbox log implies that you’re trying to create something unusual, like a raw IP socket, and that’s not going to work.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

The code I'm using to create the socket is as follows:

/* address family comes from the configured server sockaddr_storage; TCP or UDP per the library config */
ctx->sock = socket(ctx->cfg.server.ss.ss_family, ctx->cfg.tcp ? SOCK_STREAM : SOCK_DGRAM, 0);

This exact code (it's internal in a library) has worked in another project on the same device, however when trying to move it to this device it's not working. I feel it might have something to do with either the thread it's being done on, or some sort of a configuration issue somewhere.


To the best of my knowledge it is not being run on the main thread.

I'm also seeing this output when enabling network diagnostics right around the area I try to create the socket:

Aug 21 10:10:21 Nathans-iPhone kernel(IONVMeFamily)[0] <Notice>: AppleNVMe Assert failed: IsTunnelPermitted ( me, opcode )
Aug 21 10:10:21 Nathans-iPhone kernel(IONVMeFamily)[0] <Notice>: Exit
Aug 21 10:10:21 Nathans-iPhone kernel(IONVMeFamily)[0] <Notice>: file: /BuildRoot/Library/Caches/com.apple.xbs/Sources/IONVMeFamily/IONVMeFamily-356.1.4/AppleNVMeUpdateUC.cpp
Aug 21 10:10:21 Nathans-iPhone kernel(IONVMeFamily)[0] <Notice>: line: 1287
Aug 21 10:10:21 Nathans-iPhone kernel(IONVMeFamily)[0] <Notice>:

I'd like to point out that I'm not getting an error when creating the socket. I'm simply unable to communicate through it, and TCP Dumping on the server is showing 0 traffic. Again, same server, same back end library work perfectly in another application. That's why I believe this may be a configuration or threading issue.

I'd like to point out that I'm not getting an error when creating the socket.

OK, thanks for clarifying that.

I'm simply unable to communicate through it, and TCP Dumping on the server is showing 0 traffic.

You could be having a routing problem. Pasted in below is the standard explanation I send to folks about this.

Note: When dealing with packet tunnel providers it’s generally best to take packet traces on the iOS device using RVI. QA1176 Getting a Packet Trace explains how to do this. Make sure to pay attention to the packet metadata, as discussed in the Q&A.

When you bring up a VPN interface the system must configure the routing tables such that traffic destined for the VPN server does not go via the VPN. If it did it would get stuck in a routing loop: a packet would go to the packet tunnel provider, which would wrap it and send it on to the VPN server, and the kernel would route that back to the packet tunnel provider, which would wrap it, and so on. This is especially important when the VPN claims the default route.

Your packet tunnel provider is responsible for telling the system about the routing table changes it requires. Specifically:

  • You pass the address of your VPN server to -[NEPacketTunnelNetworkSettings initWithTunnelRemoteAddress:]
  • You can also pass specific included (includedRoutes) and excluded (excludedRoutes) routes via the NEIPv6Settings and NEIPv4Settings objects referenced by the NEPacketTunnelNetworkSettings object

The routing information derived from the above is added to the routing table when the VPN comes up (and removed when it goes down).

You typically use this in one of two ways:

  • In a split tunnel setup, where you only claim specific routes, you can use includedRoutes to extend the range of networks that go via the VPN (otherwise it would just be the network defined by the VPN interface itself). For example, most enterprises have a bunch of internal networks, and if they don’t list those networks here then only servers on the same network as the VPN server would be accessible!
  • In a full tunnel setup, where you claim the default route, you can use excludedRoutes to prevent traffic going via the VPN. For example, if your enterprise has an Internet-facing secure mail server, you might want to exclude that traffic from the VPN because:
    • It’s not necessary, because traffic to the mail server is secure anyway
    • It reduces load on the VPN servers

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
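The route configuration described in the reply above, as an added example that is not part of this thread or of Apple's own sample code: it builds the NEPacketTunnelNetworkSettings for either a split tunnel (only listed internal networks via the VPN) or a full tunnel (default route claimed, one Internet-facing server excluded). The VPN server address, tunnel address, internal networks, mail server and DNS resolver are assumed placeholder values.

```swift
import NetworkExtension

// Assumed placeholder values for illustration only.
let vpnServerAddress = "203.0.113.10"      // the VPN server the provider connects to
let tunnelLocalAddress = "10.8.0.2"        // address assigned to the tunnel interface
let internalNetworks = [("10.0.0.0", "255.0.0.0"), ("172.16.0.0", "255.240.0.0")]
let internetMailServer = "198.51.100.25"   // host that should bypass a full tunnel

// tunnelRemoteAddress is what lets the system keep traffic to the VPN server
// itself off the tunnel, so the provider's own packets cannot loop back into it.
func makeTunnelSettings(fullTunnel: Bool) -> NEPacketTunnelNetworkSettings {
    let settings = NEPacketTunnelNetworkSettings(tunnelRemoteAddress: vpnServerAddress)
    let ipv4 = NEIPv4Settings(addresses: [tunnelLocalAddress], subnetMasks: ["255.255.255.0"])

    if fullTunnel {
        // Claim the default route, then carve the mail server back out of the VPN.
        ipv4.includedRoutes = [NEIPv4Route.default()]
        ipv4.excludedRoutes = [
            NEIPv4Route(destinationAddress: internetMailServer, subnetMask: "255.255.255.255")
        ]
    } else {
        // Split tunnel: only the enterprise's internal networks go via the VPN.
        ipv4.includedRoutes = internalNetworks.map {
            NEIPv4Route(destinationAddress: $0.0, subnetMask: $0.1)
        }
    }

    settings.ipv4Settings = ipv4
    settings.dnsSettings = NEDNSSettings(servers: ["10.0.0.53"]) // assumed internal resolver
    settings.mtu = 1400
    return settings
}

final class MyPacketTunnelProvider: NEPacketTunnelProvider {
    override func startTunnel(options: [String: NSObject]?,
                              completionHandler: @escaping (Error?) -> Void) {
        setTunnelNetworkSettings(makeTunnelSettings(fullTunnel: false)) { error in
            if let error = error {
                completionHandler(error)
                return
            }
            // Routes are installed at this point; open the socket to vpnServerAddress
            // and start reading packets from self.packetFlow only from here on.
            completionHandler(nil)
        }
    }
}
```

If the server still sees no traffic after this, an RVI packet trace on the device (QA1176) will show whether the provider's encapsulated packets leave via the physical interface or are being routed back into the tunnel.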