Do we need to have a privileged helper for System extension

Question

macnd OP

Created Jan ’24

Replies 1

Boosts 0

Participants 2

Platform: MacOS 12.0

I have an app bundle which contains an packet tunnel extension. I am not running my packettunnel extension in a Sandbox as I dont plan to post my app in Apple's App Store. I have an requirement to run privilege operations which I have run any place from the app. As we know the user app cannot run these privilege operations we can use the 'Service Management' api: SMJobBless to start a helper tool which can run these privileged tasks. But as I stated earlier I can run these privileged tasks from any place in the bundle, we have packettunnel extension which is running with root privileges.

So looking at my above environment what would be recommended? do I really need to start a privileged helper tool or I can directly run these privileged operations from packettunnel extension?

One advantage of running these privilege tasks in packettunnel extension I see is that it will not require additional an user authentication which is needed in case of using SMJobBless(), this will also avoid upgrade management of the helper tool.

Boost

Answer 1

DTS Engineer OP

Apple

Jan ’24

I am not running my packettunnel extension in a Sandbox as I dont plan to post my app in Apple's App Store.

The sysex that hosts your NE provider must be sandboxed [1], regardless of your distribution plan. Outside of the Mac App Store you can choose not to sandbox your container app, but you still need to sandbox the sysex.

I’m not sure how that affects your calculus, so I’ll let you write back if you have follow-up questions.

Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Unless that sysex is shared with a technology that can’t be sandboxed, most notably, an ES client.

0