Whose computer is it? #

Patrick Wardle highlighted a tweet by Maxwell ("Some Apple apps bypass some network extensions and VPN Apps. Maps for example can directly access the internet bypassing any NEFilterDataProvider or NEAppProxyProviders you have running"), sparking an extensive HN discussion on Apple's ham-fisted tactics (not unlike Google's recent behavior).

A search for "NEFilterDataProvider" turned up David Dudok de Wit's post fingering the ContentFilterExclusionList key in /System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist as the culprit. The default list includes 56 Apple apps and daemons like App Store, MusicLibrary, softwareupdated, etc.:

/usr/libexec/findmydeviced
/usr/libexec/mobileassetd
/System/Library/CoreServices/Software Update.app/Contents/Resources/softwareupdated
/System/Library/PrivateFrameworks/AssistantServices.framework/Versions/A/Support/assistantd
/System/Library/PrivateFrameworks/CoreParsec.framework/parsecd
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstored
/System/Library/PrivateFrameworks/AppStoreDaemon.framework/Support/appstoreagent
/System/Applications/App Store.app/Contents/MacOS/App Store
/System/Library/PrivateFrameworks/ApplePushService.framework/apsd
/System/Library/PrivateFrameworks/CloudKitDaemon.framework/Support/cloudd
/System/Library/PrivateFrameworks/IDS.framework/identityservicesd.app/Contents/MacOS/identityservicesd
/System/Library/PrivateFrameworks/IMCore.framework/imagent.app/Contents/MacOS/imagent
/System/Library/PrivateFrameworks/IDSFoundation.framework/IDSRemoteURLConnectionAgent.app/Contents/MacOS/IDSRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/IMFoundation.framework/XPCServices/IMRemoteURLConnectionAgent.xpc/Contents/MacOS/IMRemoteURLConnectionAgent
/System/Library/PrivateFrameworks/PassKitCore.framework/passd
/usr/libexec/mdmclient
/usr/libexec/teslad
/System/Library/PrivateFrameworks/GeoServices.framework/Versions/A/XPCServices/com.apple.geod.xpc/Contents/MacOS/com.apple.geod
/System/Library/PrivateFrameworks/SyncedDefaults.framework/Support/syncdefaultsd
/System/Library/CoreServices/mapspushd
/System/Library/TextInput/kbd
/System/Library/PrivateFrameworks/MapsSuggestions.framework/MapsSuggestions
/usr/sbin/securityd
/usr/libexec/locationd
/System/Library/PrivateFrameworks/AuthKit.framework/Versions/A/Support/akd
/System/Library/Frameworks/Accounts.framework/Versions/A/Support/accountsd
/usr/libexec/tailspind
/System/Library/CoreServices/cloudpaird
/usr/libexec/fmfd
/System/Library/PrivateFrameworks/HomeKitDaemon.framework/Support/homed
/System/Library/PrivateFrameworks/FamilyNotification.framework/FamilyNotification
/System/Library/PrivateFrameworks/AssetCacheServices.framework/Versions/A/XPCServices/AssetCacheLocatorService.xpc/Contents/MacOS/AssetCacheLocatorService
/System/Library/PrivateFrameworks/MusicLibrary.framework/MusicLibrary
/System/Library/PrivateFrameworks/DistributedEvaluation.framework/Versions/A/XPCServices/com.apple.siri-distributed-evaluation.xpc/Contents/MacOS/com.apple.siri-distributed-evaluation
/System/Library/PrivateFrameworks/FamilyCircle.framework/Versions/A/Resources/familycircled
/System/Library/PrivateFrameworks/MediaStream.framework/MediaStream
/usr/libexec/swcd
/usr/libexec/rtcreportingd
/usr/libexec/networkserviceproxy
/System/Library/PrivateFrameworks/MapsSupport.framework/MapsSupport
/System/Library/Frameworks/CoreTelephony.framework/Support/CommCenter
/usr/libexec/mobileactivationd
/usr/libexec/trustd
/System/Library/PrivateFrameworks/ProtectedCloudStorage.framework/Helpers/ProtectedCloudKeySyncing
/usr/libexec/siriknowledged
/usr/libexec/coreduetd
/usr/libexec/timed
com.apple.facetime
/System/Library/PrivateFrameworks/CommerceKit.framework/Resources/commerced
/System/Library/PrivateFrameworks/CommerceKit.framework/Versions/A/Resources/commerce
/usr/libexec/secd
/System/Library/PrivateFrameworks/IMTransferServices.framework/IMTransferAgent.app/Contents/MacOS/IMTransferAgent
/System/Library/PrivateFrameworks/CoreSpeech.framework/corespeechd
/System/Library/CoreServices/mapspushd
/System/Library/PrivateFrameworks/CoreLSKD.framework/Versions/A/lskdd
/usr/libexec/diagnosticd

Deleting those entries under Big Sur turned out to be rather involved; in fact, one could be forgiven for coming away with the vague suspicion that Apple would prefer them not to be disturbed:

Disable FileVault
Boot into macOS Recovery, disable SIP (csrutil disable) and SSV (csrutil authenticated-root disable), and reboot
Find the root mount device, e.g.,
% mount
/dev/disk1s5s1 on / (apfs, local, read-only, journaled) ...
% mkdir mnt
% sudo mount -o nobrowse -t apfs /dev/disk1s5 mnt/
Edit Info.plist as desired, e.g., % sudo vi mnt/System/Library/Frameworks/NetworkExtension.framework/Versions/A/Resources/Info.plist
% sudo bless --folder mnt/System/Library/CoreServices --bootefi --create-snapshot && sudo reboot

Little Snitch 5 and TripMode 3 had no problem blocking the previously-cloaked processes afterwards:

Little Snitch 5 TripMode 3

though one may well be left with a niggling doubt: should all this really be necessary to monitor your own computer's network traffic?

UPDATE 1: Hany, author of Murus and Vallum, was kind enough to reply with some testing of his own:

I did some tests and I’ve found at least one major issue on Catalina.
Removing all entries from the dictionary key seems to work for most listed processes: connections are seen by the network filter and flows are passed/blocked according to matched rules. But it does not work for at least one of the listed processes: IMTransferAgent. If you use macOS Messages.app then you may be aware that this process is used to send messages attachments.
If removed from the list, the process is always blocked. The filter provider does not see any flow for that process, and any attempt to send attachments with Messages.app will fail until you disable the filter.

UPDATE 2: The traffic of some Apple processes isn’t shown in Little Snitch 5.

UPDATE 3: Enabling Little Snitch 4.6 kext under Big Sur

UPDATE 4: Tweet by Apple developer Russ Bishop: "Some system processes bypassing NetworkExtensions in macOS is a bug, in case you were wondering." and some replies:

Matt Greenfield: "Public bug tracker would make it easier to believe too. Lack of transparency breeds lack of trust."
David Dudok de Wit: "Glad to see it's being reconsidered as a bug, because Apple told us it 'behaves as designed' (FB7740671 + FB7665551). And why is there an exclusion list in the first place? I'd love to know more and see this documented."
Sérgio Silva: "Yes. A bug with its own configuration file /System/Library/Frameworks/NetworkExtension.framework/Resources/Info.plist ContentFilterExclusionList"

UPDATE 5: Exclusions Blaster

UPDATE 6: Hooray, no more ContentFilterExclusionList

/mac | Oct 21, 2020

Subscribe or visit the archives.