The proxy doesn't seem to have a way to tell if the application is trying to make an IPv4 or an IPv6 connection (unless the remote endpoint is an explicit IPv4 or IPv6 address). Am I missing something there, or is that in fact how it's intended to be?
Our TPP excludes our own processes from oversight, which makes some things very easy. Only I just found out that when our app uses a WKWebView... it's very securely shuffled off into its own process. With its own signing identifier. And a ppid of launchd.
How could I tell that a com.apple.WebKit.Networking process is related to our process? (I note that the Endpoint Security Framework has added a "responsible" audit token, presumably for this sort of situation.)
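An added example, not code from the original post, of how an Endpoint Security client could use the "responsible" audit token the post refers to. It assumes macOS 11 or later, where es_process_t carries responsible_audit_token next to ppid, and the function names (belongsToUs, shouldExcludeFromOversight) are chosen here, not part of any framework:

```swift
import Foundation
import EndpointSecurity

// Added example, not code from the original post. Assumes macOS 11 or later,
// where es_process_t carries `responsible_audit_token` (the process the kernel
// holds responsible for this one) alongside `ppid`. A WebKit helper such as
// com.apple.WebKit.Networking has a ppid of 1 (launchd) but its responsible
// process is the app that created the WKWebView.

/// The pid sits in slot 5 of audit_token_t.val
/// (auid, euid, egid, ruid, rgid, pid, asid, pidversion).
func pid(of token: audit_token_t) -> pid_t {
    return pid_t(token.val.5)
}

/// Copies an es_string_token_t, which is length-delimited rather than
/// guaranteed NUL-terminated, so String(cString:) is not safe here.
func string(from token: es_string_token_t) -> String {
    guard token.length > 0 else { return "" }
    let bytes = UnsafeRawBufferPointer(start: UnsafeRawPointer(token.data), count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

/// True when `process` is `ourPid` itself or a process whose responsible
/// process is `ourPid`. Comparing only `ppid` would miss the WebKit helpers,
/// whose parent is launchd.
func belongsToUs(_ process: UnsafeMutablePointer<es_process_t>, ourPid: pid_t) -> Bool {
    let own = pid(of: process.pointee.audit_token)
    let responsible = pid(of: process.pointee.responsible_audit_token)
    return own == ourPid || responsible == ourPid
}

/// Hypothetical per-message hook: returns true when the message should be
/// left out of oversight because it originates from our own process tree.
/// Logging the signing identifier keeps the exclusion decision auditable.
func shouldExcludeFromOversight(_ message: UnsafePointer<es_message_t>, ourPid: pid_t) -> Bool {
    let process = message.pointee.process
    guard belongsToUs(process, ourPid: ourPid) else { return false }
    let signingID = string(from: process.pointee.signing_id)
    NSLog("excluding pid %d (ppid %d, responsible pid %d, signing id %@) from oversight",
          pid(of: process.pointee.audit_token),
          process.pointee.ppid,
          pid(of: process.pointee.responsible_audit_token),
          signingID)
    return true
}
```

The check deliberately tests the responsible token rather than the signing identifier, because the helper's signing identifier (com.apple.WebKit.Networking) is Apple's and says nothing about which app it is working for; the responsible pid does.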
That's pretty much the question: we've got a tunnel provider, and I think the OS' ability to handle a captive portal situation is better than I could do, so is there a way to find out if we are in one, and if so wait for it to be handled by the user before we start doing things?
Our transparent proxy provider sends flows to a daemon which analyzes and then does proxying. Works fine.
Except that sometimes it stops working. As far as I can tell, it's due to DNS not working. Queries hang -- we've got some internal ones we log, that have timed out after 20 or 30 seconds. Now, clearly, we're doing something bad (because if we kill the daemon and it restarts, everything goes back to working).
Unfortunately, I have forgotten so much I can't figure out how to see where it's broken! Things like dig @8.8.8.8 com. any fail -- I am presuming because it's trying to do a lookup of "8.8.8.8" and that fails, but I could be wrong. Admittedly, that one doesn't time out, it simply says no servers could be reached. Meanwhile, pinging that address works. (And, also, the local DNS host -- the one provided via DHCP and listed in /etc/resolv.conf and ipconfig getstatus -- behaves the same way.)
I haven't been able to reproduce this myself, unfortunately. Although I have, somewhat interestingly, had a similar issue, which was clearly due to a Google Home WiFi access point (as resetting it fixed the problem, as does moving to another area of the house such that a different AP in the mesh takes over).
On my FreeBSD systems, I'd run tcpdump and truss/ktrace on named, but as I said, I've forgotten so much about how macOS does DNS I'm flailing.
Help?
consoleUser = SCDynamicStoreCopyConsoleUser(NULL, &uid, &gid);
the string is empty, but not NULL. uid and gid are set properly.
Any idea why this would happen? NB: it only happens from a LaunchAgent, for some reason; if I isolate the code in question, and run it via CLI, it works exactly as expected. And it only seems to happen for one person -- but for him, it happens on both Intel and Apple Silicon.
Coworkers are trying it and it's not working -- the Google response says there was a problem with it, and not much else.
I do not have a yubikey (at least not yet 😄), and I'm really not good at the GUI stuff so I don't know as much about it as I probably should. Searching the fora here found a question and comment that didn't make a lot of sense to me, but again I admit to a lot of ignorance here.
So any pointers to where I should be looking would be appreciated.
2024-06-04 15:17:59.618853+0100 ProxyAgent[20233:29237510] [xpc.exceptions] <NSXPCConnection: 0x60000331cb40> connection from pid 20227 on anonymousListener or serviceListener: Exception caught during decoding of received selector newFlowWithIdentifier:to:type:metadata:socket:, dropping incoming message.
Exception: Exception while decoding argument 4 (#6 of invocation):
<NSInvocation: 0x600001778780>
return value: {v} void
target: {@} 0x0
selector: {:} null
argument 2: {@} 0x6000017787c0
argument 3: {@} 0x60000002d170
argument 4: {q} 1
argument 5: {@} 0x600001746600
argument 6: {@} 0x0
Exception: decodeObjectForKey: Object of class "NSFileHandle" returned nil from -initWithCoder: while being decoded for key <no key>
The extension is in Swift; the recipient is in ObjC (wheeeeee).
Based on the extension's logging, the FileHandle is not nil.
I am trying to pass a FileHandle based on a socketpair up to the user-land code. The sockets are created happily.
Any ideas what's going wrong here?
I have this in my start code:
var excludeRules: [NENetworkRule] = []   // declared here so the snippet stands on its own
for p in [4500] + Array(3478...3497) + Array(16384...16387) + Array(16393...16402) {
    // According to the documentation, I *should* be able to
    // use "" for the hostname, and prefix:0, but it complained
    // about the prefix length, so we use the top bit for ipv4
    // and ipv6.
    let port = "\(p)"
    os_log(.debug, log: Self.log, "Setting up to exclude port %{public}s", port)
    let host_1 = NWHostEndpoint(hostname: "0.0.0.0", port: port)
    let host_2 = NWHostEndpoint(hostname: "255.0.0.0", port: port)
    let host_3 = NWHostEndpoint(hostname: "0::0", port: port)
    let host_4 = NWHostEndpoint(hostname: "ffff::0", port: port)
    // Only the zero-address endpoints are turned into rules; host_2 and host_4 are unused.
    for host in [host_1, host_3] {
        let udpPortRule = NENetworkRule(destinationNetwork: host, prefix: 1, protocol: .UDP)
        excludeRules.append(udpPortRule)
    }
}
settings.excludedNetworkRules = excludeRules
This produces the log message
2024-07-23 11:16:38.335649+0100 0x901984 Debug 0x0 20686 0 com.kithrup.SimpleTPP.Provider: [com.kithrup:Provider] Setting up to exclude port 3483
Later on, when running, I log the new flows in handleNewUDPFlow(_:initialRemoteEndpoint:), and it produces
2024-07-23 11:17:05.712055+0100 0x901984 Debug 0x0 20686 0 com.kithrup.SimpleTPP.Provider: [com.kithrup:Provider] handleNewUDPFlow(_:initialRemoteEndpoint:): new UDP flow for host 17.252.13.7:3483 app com.apple.identityservicesd
So port 3483 is definitely in the excludedRules array, but it's not being excluded.
(All of this is because I still can't figure out why FaceTime isn't working with us.)
I'd like to be able to do the equivalent of getrusage(3) for some of our other processes. These are daemons, so they're not connected in any way. Obviously, Activity Monitor and top can do the things I want, but I'm not Apple. 😄
I went down a maze of twisty APIs, all a-Mach, and have decided to ask.
(We're trying to keep track of the processes in the field. We also want to know what's going on if a process has stopped responding but hasn't died. I suppose I could, absolute worst case, periodically send getrusage(3) info to the monitoring process.)
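An added example, not code from the original post, of the closest per-pid counterpart to getrusage(3): libproc's proc_pid_rusage(), which returns the same accounting for any pid the caller is allowed to inspect. The struct and function names (ProcessUsage, usage(ofPid:), cpuAdvanced) are chosen here; RUSAGE_INFO_V4 and the ri_* fields are libproc's own:

```swift
import Foundation

// Added example, not code from the original post. proc_pid_rusage() needs no
// relationship to the target process: root can query any pid, an unprivileged
// caller only processes of its own user. RUSAGE_INFO_V4 (macOS 10.12+) is a
// superset of the earlier flavors, so the older fields keep their meaning.

struct ProcessUsage {
    let userTimeNs: UInt64         // CPU time in user mode, nanoseconds
    let systemTimeNs: UInt64       // CPU time in kernel mode, nanoseconds
    let residentBytes: UInt64      // ri_resident_size
    let physFootprintBytes: UInt64 // ri_phys_footprint, what Activity Monitor shows as "Memory"
}

/// ri_user_time / ri_system_time are in Mach absolute time units, not
/// nanoseconds, so convert with the timebase (1/1 on Intel, not on Apple Silicon).
private func machToNanoseconds(_ ticks: UInt64) -> UInt64 {
    var timebase = mach_timebase_info_data_t()
    mach_timebase_info(&timebase)
    return ticks * UInt64(timebase.numer) / UInt64(timebase.denom)
}

/// Returns nil (errno is set by libproc: ESRCH if the pid is gone, EPERM
/// without rights) rather than a zeroed struct, so a monitor can tell
/// "daemon exited" apart from "daemon idle".
func usage(ofPid pid: pid_t) -> ProcessUsage? {
    var info = rusage_info_v4()
    // proc_pid_rusage is declared as taking rusage_info_t * (a void **), so the
    // pointer to the struct has to be rebound to that type before the call.
    let rc = withUnsafeMutablePointer(to: &info) { ptr -> Int32 in
        ptr.withMemoryRebound(to: rusage_info_t?.self, capacity: 1) {
            proc_pid_rusage(pid, RUSAGE_INFO_V4, $0)
        }
    }
    guard rc == 0 else { return nil }
    return ProcessUsage(userTimeNs: machToNanoseconds(info.ri_user_time),
                        systemTimeNs: machToNanoseconds(info.ri_system_time),
                        residentBytes: info.ri_resident_size,
                        physFootprintBytes: info.ri_phys_footprint)
}

/// Samples a daemon twice. nil means the process is gone; false means it is
/// still present but burned no CPU over the interval, which is the
/// "stopped responding but hasn't died" case the post describes.
func cpuAdvanced(pid: pid_t, over interval: TimeInterval) -> Bool? {
    guard let before = usage(ofPid: pid) else { return nil }
    Thread.sleep(forTimeInterval: interval)
    guard let after = usage(ofPid: pid) else { return nil }
    return (after.userTimeNs + after.systemTimeNs) > (before.userTimeNs + before.systemTimeNs)
}
```

A monitoring process that already receives periodic reports can use cpuAdvanced as a liveness check without any cooperation from the daemon being watched, which removes the need for the daemon to ship its own getrusage(3) figures.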
The documentation for, eg NEAppProxyProvider, has a lot of redirections and implicit configurations that I simply don't know and sometimes can't follow. I wanted to try making a VPN network extension that (for the moment) just got loaded and did nothing. I can't even get that far, it seems. I'm clearly missing the setup I need to do.
Unfortunately, the old SimpleTunnelCustomizedNetworkingUsingtheNetworkExtensionFramework sample doesn't build anymore, what with it being Swift 3 based. Is there a newer, made-for-idiots sample program somewhere?
Under macOS (and especially when using MDM), is it the case that a system extension (in particular, a Transparent Proxy Provider or Endpoint Security extension) must be embedded in an application bundle in /Applications? Or can they be located in some other location, or even directly installed into /Library/SystemExtensions and then activated via a LaunchDaemon? Does it matter whether it's distributed via the App Store or part of enterprise distribution? (Yes, my next step is to look into MDM, about which I know very little. 😄)
This is a case of me being confused by the documentation, and looking at some existing products.
Topic: Developer Tools & Services; SubTopic: General; Tags: Enterprise, System Extensions, Endpoint Security, Network Extension
On three different machines (all running Xcode 13 and Big Sur), it always tells me that the command-line developer tools need to be installed. I've "installed" them four times so far on one machine, and at least twice on the other two.
I'm beating my head against Apple here and it hurts.
We made the request for Endpoint Security, and got it granted. However, it was only for development (and as we're looking to do non-app store distribution, I explicitly asked for one to go with our Developer ID Application certificate). At this point, I have used a TSI (thanks Quinn!) and possibly upset an internal contact by asking what I'm supposed to do, and gotten nowhere. At this point, I am sending an email message to the endpoint-review address every week, and I have gotten no responses at all.
Has anyone successfully gotten this? If so... how? (No, let me amend that: I know some have, since I've seen it in the wild. I just have no idea what I'm supposed to do!)
Unless I'm missing something (always possible)... there is no way to tell if you get a valid proxy back -- the error handler is asynchronous, and I don't see a way to say "this proxy is valid."
Am I missing something?
I've got a system extension. There's a daemon that talks to it. Because I want the sysex to be able to reach out on its own, the daemon talks to the sysex over XPC, and passes over an anonymous endpoint, so that either side can initiate a message. This all works pretty well, and I'm happy with it.
But the design, as is, means that if the sysex goes away for some reason, the daemon can't ever talk to it again. This shouldn't be too difficult a problem to fix -- I can tell when the XPC connections are invalidated, I just have to wait for the sysex to come back up. I am using notify(3) for this, and this does work.
And this is the part that is frustrating, and I obviously think should even be impossible: after starting back up, sending a notification, and getting the anonymous endpoint from the daemon, and setting the connection to an NSXPCConnection, the connection ... gets set to nil.
The problem is that since I've written this in Swift, I put an observer on the endpoint and log whenever it changes. And in the log, I see "changing it from nil to ", and then a log message saying "connection is non-nil, as it should be" and then... later it says the connection is nil. Without a "changing it from to nil".
I am very, very frustrated.