- Notifications
You must be signed in to change notification settings - Fork3
Description
The Network Extension requires a session token for a Coder deployment in order to function. This is (and should be) stored in the macOS Keychain.
When registering the network extension as a system VPN, aNETunnelProviderProtocol can be configured and passed to the network extension when it's started (viaNEPacketTunnelProvider.startTunnel).NETunnelProviderProtocol.serverAddress allows us to pass the access URL of the deployment.
NETunnelProviderProtocol.passwordReference is described as:
a persistent reference to a keychain item with the kSecClassGenericPassword class.
This field doesn't take into account the fact that the Network Extension might be a System Extension (as opposed to an app extension, used when submitting the application to the macOS/iOS App Store).
For reference, the WireGuard macOS app uses an app extension, running as the user, not root. It's able to pass a keychain reference to that app extension after modifying the item's keychain ACL.
In our case, there's a few problems:
- Whilst, Keychain Access Groups exist to share keychain items between multiple sandboxed applications, they require all apps use the data protection keychain (as opposed to the file-based keychain).
Programs that run outside of the user context (such as our NE, running as root), cannot use the data protection keychain.[1][2] - File-based keychains are accessible from both users and the network-extensions. However, the sandboxed application is only capable of writing to the user keychain, and the network extension is only capable of reading from the system keychain. The application would need elevated permissions to write to the system keychain, and use
passwordReferenceto pass a keychainpersistentRef.[3][4]
The dev forum solution appears to be to send the credentials over some IPC, which would definitely be XPC in our case ([3], [4]). However, sending the session token over XPC in our case might lead to an annoying implementation: when the VPN is started it first must wait for yet another message containing the session token.
Instead, the current (hacked) solution involves just storing the session token within theNETunnelProviderProtocol.providerConfiguration dictionary. I believe the only difference between this and XPC is that this configuration is written to disk. We currently store Coder CLI tokens on disk too right now, though it'd be good to improve both situations in the future.