NEURLFilter / SimpleURLFilter: neagent fails to open URL prefilter mmap file with errno 13 Permission denied

I know this sounds weird, but have you tried restarting?

There are two processes involved here — the system process hosting your filter provider and the NE agent process doing the actual work — which means that the system has to transfer access to the file between them. There are ways this can break down, especially on a development machine, that might cause an issue like this.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

It’s better to reply as a reply, rather than in the comments; see Quinn’s Top Ten DevForums Tips for this and other titbits.

Yes, I did. I restarted the machine, but the issue is still reproducible.

Oh well, it was a long shot (-:

Notably, someone else is reporting this problem. Are you working with ar_ivanov on this? If not, the fact that you’re both seeing it is clearly relevant.

In their post they mentioned that this is a regression, with things working correctly on macOS 26.3. Is that the case for you as well? Or have you not tried it on earlier systems?

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

ar_ivanov and I discovered this issue independently.

I reproduced the issue on macOS 26.4.1 and continued to observe the same behavior after upgrading that machine to 26.5.1. The issue is also reproducible on a second machine running 26.5.1 and on another machine running 26.3.

All tested systems had SIP disabled and systemextensionsctl developer mode enabled. I also re-enabled SIP and checked the issue again after several subsequent reboots. The issue persisted.

I repeated the permissions change for /private/var/db/urlPrefilter/ described by ar_ivanov and observed the same behavior. The issue remained reproducible.

Hi!

If I guessed right the issue is: URL Filters break like that on macOS if the user ID is not 501. Reported this back in March in FB22281393.

My app detects this scenario and warns the user! But it’s a nightmare for them to actually change their user ID, so I’d love for this to get fixed eventually.

The issue is ridiculous.

We also reported it in FB23265799, hopefully it will help prioritize it.

I actually think this is a critical bug. The assumption that "the current user is UID 501" only holds true for a single-user Mac that has never had its primary account deleted or recreated so URL filtering API is broken for all shared / family /corporate Macs, also probably reinstalled or migrated macOS might not work as well.

I checked KayleeSC's suggestion and found that all affected systems I tested are using a non-501 user ID. On the machine where I originally reproduced the issue, URL filtering works correctly for a UID 501 user.

Thanks for those bug reports (FB22281393, FB23265799).

On the machine where I originally reproduced the issue, URL filtering works correctly for a UID 501 user.

And thanks for that confirmation.

This is obviously problematic and I’ll make sure the NE team is aware of your bugs.

Curiously, if I’d tried this I would’ve noticed the problem immediately, because I always set up my Macs with an initial ‘root’ account and then create my quinn account on top of that. So quinn is always 502:

% id quinn
uid=502(quinn) …

However, I tend to run NE tests on iOS, so I never noticed this issue.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"