You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The Network Extension requires a session token for a Coder deployment in order to function. This is (and should be) stored in the macOS Keychain.
When registering the network extension as a system VPN, a NETunnelProviderProtocol can be configured and passed to the network extension when it's started (via NEPacketTunnelProvider.startTunnel). NETunnelProviderProtocol.serverAddress allows us to pass the access URL of the deployment.
NETunnelProviderProtocol.passwordReference is described as:
a persistent reference to a keychain item with the kSecClassGenericPassword class.
This field doesn't take into account the fact that the Network Extension might be a System Extension (as opposed to an app extension, used when submitting the application to the macOS/iOS App Store).
For reference, the WireGuard macOS app uses an app extension, running as the user, not root. It's able to pass a keychain reference to that app extension after modifying the item's keychain ACL.
In our case, there's a few problems:
Whilst, Keychain Access Groups exist to share keychain items between multiple sandboxed applications, they require all apps use the data protection keychain (as opposed to the file-based keychain).
Programs that run outside of the user context (such as our NE, running as root), cannot use the data protection keychain. [1][2]
File-based keychains are accessible from both users and the network-extensions. However, the sandboxed application is only capable of writing to the user keychain, and the network extension is only capable of reading from the system keychain. The application would need elevated permissions to write to the system keychain, and use passwordReference to pass a keychain persistentRef. [3][4]
The dev forum solution appears to be to send the credentials over some IPC, which would definitely be XPC in our case ([3], [4]). However, sending the session token over XPC in our case might lead to an annoying implementation: when the VPN is started it first must wait for yet another message containing the session token.
Instead, the current (hacked) solution involves just storing the session token within the NETunnelProviderProtocol.providerConfiguration dictionary. I believe the only difference between this and XPC is that this configuration is written to disk. We currently store Coder CLI tokens on disk too right now, though it'd be good to improve both situations in the future.
The text was updated successfully, but these errors were encountered:
The Network Extension requires a session token for a Coder deployment in order to function. This is (and should be) stored in the macOS Keychain.
When registering the network extension as a system VPN, a
NETunnelProviderProtocolcan be configured and passed to the network extension when it's started (viaNEPacketTunnelProvider.startTunnel).NETunnelProviderProtocol.serverAddressallows us to pass the access URL of the deployment.NETunnelProviderProtocol.passwordReferenceis described as:This field doesn't take into account the fact that the Network Extension might be a System Extension (as opposed to an app extension, used when submitting the application to the macOS/iOS App Store).
For reference, the WireGuard macOS app uses an app extension, running as the user, not root. It's able to pass a keychain reference to that app extension after modifying the item's keychain ACL.
In our case, there's a few problems:
Programs that run outside of the user context (such as our NE, running as root), cannot use the data protection keychain. [1] [2]
passwordReferenceto pass a keychainpersistentRef. [3] [4]The dev forum solution appears to be to send the credentials over some IPC, which would definitely be XPC in our case ([3], [4]). However, sending the session token over XPC in our case might lead to an annoying implementation: when the VPN is started it first must wait for yet another message containing the session token.
Instead, the current (hacked) solution involves just storing the session token within the
NETunnelProviderProtocol.providerConfigurationdictionary. I believe the only difference between this and XPC is that this configuration is written to disk. We currently store Coder CLI tokens on disk too right now, though it'd be good to improve both situations in the future.The text was updated successfully, but these errors were encountered: