how to get the pid of NEFilterFlow in handleNewFlow of Network Extension?

Hi,


I am studying Network Extension to filter network traffic on the OSX 10.15 beta version.

I can run the demo on

https://developer.apple.com/documentation/networkextension/filtering_network_traffic


But when I try to filter the outbound stream, I can't get the info of which process set up the new flow in the handleNewFlow function.

I need the process info to decide whether to do the following filter.


Is there any method to get the process info?


I noticed that there is a sourceAppIdentifier property for NEFilterFlow in the documentation, but it seems there is no such property in reality.

And there is a sourceAppAuditToken property; how can I get the process info from this property?


Thank you very much!

Answered by DTS Engineer in 381427022

I want to get the PID's binary's path with the PID (I can use the proc_selfpid API in the kernel to get it with a socket filter, and then get its binary's path).

If the path matches the setting, I can decide to filter it or let it go.

OK, so, to be clear, this is an example of what you’re currently doing, and you’re looking for info on how to do the equivalent in a NetworkExtension world, right?

If so, sourceAppAuditToken is definitely your friend. You can use SecCodeCopyGuestWithAttributes with the kSecGuestAttributeAudit attribute to map it to a code object (SecCode) and then use various code signing routines to get properties from that code object.

IMPORTANT One of those routines is SecCodeCopyPath, although I strongly advise you to not track code identity by path. The problem with doing that is that the user can move code around on the disk, and that will confuse your tracking. It is much better to track code via its code signature, and you can get information about its code signature using SecCodeCopySigningInformation and, most critically, SecCodeCopyDesignatedRequirement.

If a command line tool is accessing the network (such as curl), can I get this sourceAppAuditToken?

Yes. All code on our system is signed, and signed code always has a designated requirement (DR). For example, the DR for curl is:
$ codesign -d --requirements - `which curl`
Executable=/usr/bin/curl
designated => identifier "com.apple.curl" and anchor apple

If an unsigned command line tool is accessing the network, can I also get this sourceAppAuditToken?

Yes, but you won’t be able to map this to a code signature as explained above because the code is not signed. My recommendation is that you simply block all unsigned code.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
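As an added illustration of the advice in this answer (not Apple's sample code and not part of the original thread): a handleNewFlow that maps sourceAppAuditToken to a SecCode, drops flows from code that has no designated requirement, and decides by code requirement rather than by path. The allow-list requirement string is a constructed example built from the curl DR shown above; the class and helper names are assumptions.

```swift
import Foundation
import NetworkExtension
import Security

/// Filter that attributes each new flow to its originating process by code signature.
/// Illustrative class, not from Apple's Filtering Network Traffic sample.
final class FilterDataProvider: NEFilterDataProvider {

    /// Allow-list as a code requirement (constructed example from the curl DR above).
    /// Matching on the signature, not the path, survives the binary being moved on disk.
    private let allowedRequirement: SecRequirement? = {
        var req: SecRequirement?
        let text = "identifier \"com.apple.curl\" and anchor apple" as CFString
        return SecRequirementCreateWithString(text, [], &req) == errSecSuccess ? req : nil
    }()

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // No audit token means nothing to attribute the flow to, so drop it.
        guard let token = flow.sourceAppAuditToken,
              let code = Self.code(forAuditToken: token) else { return .drop() }

        // Unsigned code has no designated requirement; block it, as recommended above.
        var staticCode: SecStaticCode?
        var designated: SecRequirement?
        guard SecCodeCopyStaticCode(code, [], &staticCode) == errSecSuccess,
              let onDisk = staticCode,
              SecCodeCopyDesignatedRequirement(onDisk, [], &designated) == errSecSuccess,
              designated != nil else { return .drop() }

        // Validate the running process against the allow-list requirement.
        guard let req = allowedRequirement,
              SecCodeCheckValidity(code, [], req) == errSecSuccess else { return .drop() }
        return .allow()
    }

    /// Map an audit token (the raw bytes of an audit_token_t) to the running code it belongs to.
    static func code(forAuditToken token: Data) -> SecCode? {
        var code: SecCode?
        let attrs: [String: Any] = [kSecGuestAttributeAudit as String: token]
        let status = SecCodeCopyGuestWithAttributes(nil, attrs as CFDictionary, [], &code)
        return status == errSecSuccess ? code : nil
    }
}
```

A real filter would hold several requirements (or evaluate a policy from the containing app) instead of one hard-coded string, but the attribution and validation steps are the same.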