Post | Replies | Boosts | Views | Activity
I Hate Black Boxes: An Apple Love Story, Part ${random}: System Extensions
We added a packet filter to our app, then found a way to not need it, so we want to be able to remove it on upgrades. But we don't want to install it if it's not already installed. Simple, right?

The basic flow of the code is, on start-up, it does a propertiesRequestForExtension request. The method for the delegate goes through the various versions, ignoring any that are property.isEnabled == NO. When it comes to one that is enabled, it checks the version -- if it's the same version as the running app, it goes to deactivate it. If it's a different version, it goes to enable the current version (creating an activationRequestForExtension request). This should all be very simple.

Except. At some point during this, the properties request gets a failure -- Domain=OSSystemExtensionErrorDomain Code=1. Ok, it seems there are lots of them lying around (I haven't rebooted in a while), and that method doesn't return once it finds one that is enabled. So maybe it doesn't like that. And then the activation request that was submitted also fails, also with the same error that doesn't explain anything.

I thought, ok, maybe they don't like to step on each other's toes, so let's create a serial dispatch queue, and have all of the system extension requests use that queue. That way, the activation request won't begin until the properties request has finished! Only I did that. And it did get a bit further -- the request method was invoked! Only then I still got messages about the properties and activation requests failing with the same unknown error.

So then I looked at Console. And sysextd is crashing, every time this happens. And then I dump all of the logs around that time, and look through them, and see... nothing.

I had hoped to end this with a description of how I achieved victory, but instead... I'm going to have to reboot and see if that solves the mysterious crashing of sysextd.
Replies 1 | Boosts 0 | Views 712 | Activity Feb ’24
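As an added illustration of the start-up flow the post describes (this is not the post's own code), here is a request delegate that issues the properties request, chooses deactivate-or-activate from the enabled copy's version, and holds the follow-up request until the properties request has reported didFinishWithResult instead of submitting it from inside foundProperties. A serial dispatch queue only decides where the delegate callbacks run; it does not serialize the requests themselves, so this is the one way to guarantee a single request is outstanding. Whether that ordering has any bearing on the sysextd crash is not something the post establishes. The bundle identifier, queue label and class name are placeholders.

```swift
import Foundation
import SystemExtensions

// Added example (not the post's code): drive the check-then-deactivate-or-activate
// flow with only one OSSystemExtensionRequest outstanding at a time. The bundle
// identifier and queue label are hypothetical placeholders.
final class SysextLifecycle: NSObject, OSSystemExtensionRequestDelegate {
    private let extensionID = "com.example.app.packetfilter"   // hypothetical
    private let runningVersion: String                           // version bundled in this app
    // The queue only controls where delegate callbacks run; it does not serialize
    // the requests themselves, so the follow-up request is held until the
    // properties request reports didFinishWithResult.
    private let queue = DispatchQueue(label: "com.example.app.sysext")
    private var followUp: (() -> OSSystemExtensionRequest)?

    init(runningVersion: String) {
        self.runningVersion = runningVersion
    }

    /// Entry point at app start-up.
    func reconcile() {
        let req = OSSystemExtensionRequest.propertiesRequest(
            forExtensionWithIdentifier: extensionID, queue: queue)
        submit(req)
    }

    private func submit(_ req: OSSystemExtensionRequest) {
        req.delegate = self
        OSSystemExtensionManager.shared.submitRequest(req)
    }

    // MARK: OSSystemExtensionRequestDelegate

    func request(_ request: OSSystemExtensionRequest,
                 foundProperties properties: [OSSystemExtensionProperties]) {
        // Stale copies that are disabled or already uninstalling are ignored;
        // only an enabled copy decides what happens next.
        guard let enabled = properties.first(where: { $0.isEnabled && !$0.isUninstalling }) else {
            followUp = nil            // nothing installed: leave it that way
            return
        }
        if enabled.bundleVersion == runningVersion {
            // Same build as the running app: remove it.
            followUp = { [self] in
                OSSystemExtensionRequest.deactivationRequest(
                    forExtensionWithIdentifier: extensionID, queue: queue)
            }
        } else {
            // Different build: activating the bundled copy replaces it
            // (actionForReplacingExtension below answers the replacement prompt).
            followUp = { [self] in
                OSSystemExtensionRequest.activationRequest(
                    forExtensionWithIdentifier: extensionID, queue: queue)
            }
        }
    }

    func request(_ request: OSSystemExtensionRequest,
                 didFinishWithResult result: OSSystemExtensionRequest.Result) {
        // The previous request is fully finished; only now submit the next one.
        if let pending = followUp {
            followUp = nil
            submit(pending())
        }
    }

    func request(_ request: OSSystemExtensionRequest, didFailWithError error: Error) {
        let e = error as NSError
        NSLog("sysext request failed: %@ code=%ld %@", e.domain, e.code, e.localizedDescription)
        followUp = nil
    }

    func requestNeedsUserApproval(_ request: OSSystemExtensionRequest) {
        NSLog("sysext request is waiting for approval in System Settings")
    }

    func request(_ request: OSSystemExtensionRequest,
                 actionForReplacingExtension existing: OSSystemExtensionProperties,
                 withExtension ext: OSSystemExtensionProperties)
        -> OSSystemExtensionRequest.ReplacementAction {
        return .replace
    }
}
```

Call reconcile() once at launch; the delegate's didFailWithError is where an OSSystemExtensionErrorDomain error would surface, and with one request in flight at a time it is unambiguous which request it belongs to.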
Yet Another Transparent Proxy Provider Issue: The IPSecining
This one is sorta behaving similar to the FaceTime / AirDrop issue, but it does depend on order, which makes me wonder if it's a programming choice. Specifically, using Fortinet's VPN client, using IPSec, if I have a TPP installed and then try to connect it, it fails. If, however, I connect and then start the TPP, it succeeds, which at least makes it better than FaceTime and AirDrop.

So my question here is... hm, not as well-articulated as I would like. I'm curious if a VPN can check to see if other VPNs are installed and configured, and if so say "nope." Hm, saying that more clearly: I think it's possible for a network extension to check the interface that a packet/flow is going to, and cause a failure of some sort if it's a VPN, correct? Does anyone do that? Or am I seeing lions in the waterhole weeds?

I'm also curious if Apple's networking code has issues with multiple VPNs. (Although, I will note, our TPP works just fine with Tailscale, so it's not an inherent conflict. Also Cisco AnyConnect. So maybe it's just IPSec?)

ETA: to make it clear, my test case involves using a ****** TPP, where handleNewUDPFlow and handleNewFlow both immediately return false, meaning that the system should behave as if it's not there, and yet... doesn't. I appreciate any comments/assistance/guffaws.
Replies 1 | Boosts 0 | Views 551 | Activity Apr ’24
Transparent Proxy Providers and DNS
We have found a VPN that does not work while our TPP is running, and I have a hypothesis why, and it does not make any sense. It only fails when our TPP asks for UDP flows. Their VPN claims to fail at a DNS query, but it's getting EPIPE (this is Twingate for the curious). Looking at all the logs I can on the system, including dtruss and dtrace, I see that it does a sendto, and gets that errno. I can't, of course, determine more.

By adding more logging, I can see that their VPN tunnel provider tries to open up a UDP flow to 8.8.8.8 port 53. First red flag: I did not think we were supposed to get DNS queries -- my guess is that only means for apps that use the system DNS libraries, implying (to me) that this VPN has their own DNS code. We look at the app name, and decide we don't care for it -- handleNewUDPFlow(_:initialEndpoint:) returns false/NO. I see this in the system logs:

2024-06-26 11:06:56.342680+0100 0x300c839 Default 0x0 40823 0 ${us}.Redirector: (NetworkExtension) [com.apple.networkextension:] [Extension ${us}]: provider rejected new flow UDP ${them}.macos.tunnelprovider[{length = 20, bytes = 0xca1b405e014154c2e38e20159d033f9b2d3eea18}] local port 0 interface en0(bound)

which is all correct. But then the very next log entry is

2024-06-26 11:06:56.342717+0100 0x300cc14 Info 0x0 0 0 kernel: (399482302): received connect result 61

which, there you go, ECONNREFUSED which will be turned into EPIPE by sendto. (ETA: No, that's not what happens at all. I see other port 53 queries in my logs, and they follow the same, er, flow -- TPP refuses them, next log entry for the flow by the system is result 61.) There is no traffic to 8.8.8.8 over any of the interfaces. I have tried using an NENetworkRule that excludes port 53, but it does not allow that at all.

I am very deeply confused by all of this, to the point I'm not quite sure how to begin to articulate a request for help. If anyone has any thoughts, comments, questions, commiserative howls of agony, I'd appreciate it.
Replies 1 | Boosts 1 | Views 679 | Activity Jun ’24
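The test case the two TPP posts above describe (a provider that asks for TCP and UDP flows and declines every one) reconstructed as an added example; this is not the poster's provider. Each declined flow is logged with the source app's signing identifier, its unique identifier as hex, and the remote endpoint, so the provider's own decision can be lined up with the system's "provider rejected new flow" entry and the kernel's connect result for the same flow. Treating the 20-byte value in the system log line as the app's unique identifier is an assumption to confirm on your own machine; the subsystem string and class name are placeholders.

```swift
import NetworkExtension
import os.log

// Added example (not the poster's provider): the "pass-through" transparent proxy
// described in the posts. It asks for outbound TCP and UDP and declines every flow,
// logging the fields needed to match its decision to the system log. Placeholder
// subsystem name; assumes the logged byte string is sourceAppUniqueIdentifier.
final class PassThroughProxy: NETransparentProxyProvider {
    private let log = OSLog(subsystem: "com.example.tpp", category: "flows")

    override func startProxy(options: [String: Any]? = nil,
                             completionHandler: @escaping (Error?) -> Void) {
        let settings = NETransparentProxyNetworkSettings(tunnelRemoteAddress: "127.0.0.1")
        // Broad rules: all outbound TCP and UDP to any destination. This is what
        // makes the provider see another VPN's own DNS traffic in the first place.
        settings.includedNetworkRules = [
            NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                          localNetwork: nil, localPrefix: 0,
                          protocol: .TCP, direction: .outbound),
            NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                          localNetwork: nil, localPrefix: 0,
                          protocol: .UDP, direction: .outbound),
        ]
        setTunnelNetworkSettings(settings, completionHandler: completionHandler)
    }

    override func stopProxy(with reason: NEProviderStopReason,
                            completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEAppProxyFlow) -> Bool {
        let remote = (flow as? NEAppProxyTCPFlow)?.remoteEndpoint.description ?? "?"
        logDecision(flow, proto: "TCP", remote: remote)
        return false   // decline: the system should carry the flow as if no proxy existed
    }

    override func handleNewUDPFlow(_ flow: NEAppProxyUDPFlow,
                                   initialRemoteEndpoint remoteEndpoint: NWEndpoint) -> Bool {
        logDecision(flow, proto: "UDP", remote: remoteEndpoint.description)
        return false
    }

    private func logDecision(_ flow: NEAppProxyFlow, proto: String, remote: String) {
        let meta = flow.metaData
        // Hex of the unique identifier, to compare with the {length = 20, bytes = ...}
        // value the NetworkExtension subsystem prints for the rejected flow.
        let uid = meta.sourceAppUniqueIdentifier.map { String(format: "%02x", $0) }.joined()
        os_log("declined %{public}@ flow from %{public}@ [%{public}@] to %{public}@",
               log: log, proto, meta.sourceAppSigningIdentifier, uid, remote)
    }
}
```

With this in place, `log stream --predicate 'subsystem == "com.example.tpp" OR subsystem == "com.apple.networkextension"'` shows the provider's "declined" line immediately before the system's "provider rejected new flow" line for the same app, which is the pairing the post relies on when reading the kernel's "received connect result 61" entry that follows.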
dispatch/block.h not found
This is definitely a weird one -- the laptop is running macOS 12, but it's trying to build using macOS 13 SDK? (The machine cannot run anything later than macOS 12, btw.)

In file included from /Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.1.sdk/System/Library/Frameworks/CoreFoundation.framework/Headers/CFStream.h:20:
/Applications/Xcode.app/Contents/Developer/Platforms/MacOSX.platform/Developer/SDKs/MacOSX13.1.sdk/usr/include/dispatch/dispatch.h:69:10: fatal error: 'dispatch/block.h' file not found
#include <dispatch/block.h>
         ^~~~~~~~~~~~~~~~~~
1 error generated.

I'm trying xcode-select --install but has anyone run into this before?
Replies 1 | Boosts 0 | Views 364 | Activity Oct ’24
Instruments has an error and a typo
* [Error] Failed to stop recording session: Failed stoping ktrace session. (xcode-select version 2409) So why can't it stop the ktrace session? And how long has that typo been around? 😄 (Look, I've kept typos in log messages for years because it differentiated that message from other messages.)
Replies 1 | Boosts 0 | Views 331 | Activity Feb ’25
System extension and XPC
This may be a rather dumb question, but: if I want to use XPC (specifically Mach messaging) to exchange data between a system extension (any sort) and my application, how do I do this? I think I keep getting confused at the launchd plist entries, but also trying to do both an extension and using Xcode's templating for XPC kept not working for me.
Replies 0 | Boosts 0 | Views 594 | Activity Jul ’21
kSecCodeInfoUnique and Rosetta
This may be dumb: on an Apple Silicon system, with a system extension that is examining / interfering with some process, one or both of them may be run under Rosetta. So if a helper tool (app, daemon, whatever) tries to get the kSecCodeInfoUnique for an application of a given name... will that be the same one seen by the extension? Or will it depend on whether any part of the triad is running under Rosetta?
Replies 0 | Boosts 0 | Views 494 | Activity Dec ’21
Xcode and Swift Packages validation hanging -- answer, not question
Despite updating to the most recent Xcode repeatedly, I was never able to add a Swift package using Xcode -- it would get stuck at validation and never get past that. I filed a feedback (and may have asked here? can't find it) and never heard back.

Today, I managed to figure it out, by creating a project on one machine (where it worked), and checking it out on one that didn't work. And when I tried to launch Xcode on the second machine... it told me that it couldn't use Swift packages with a legacy build setting. I changed that (long, long, long set) preference, and... suddenly it worked.

In case anyone else is as stubborn and ludditious as I am, and finds this useful.
Replies 0 | Boosts 0 | Views 465 | Activity Apr ’22