How to match XPC Service against initiator process? (Network Kernel Extension)

I'm writing a Kernel Extension Socket Filter for Mac which should be able to block internet access for certain Applications.


If any process starts a new TCP socket, this Socket Filter gets attached and internet access is either granted or blocked based on the process' selfname.

Example: In order to block internet access for Safari, I tell my Kernel Extension to block all TCP Sockets if the process' selfname is 'Safari'.

It works well for the 'Safari' process, but the problem is that Safari gets internet access via XPC Service ("Safari Networking", resp. "com.apple.WebKit").


How can my Kernel Extension know that "com.apple.WebKit" is related to and communicates with Safari? Using the parent process does not work because it is "launchd" for all XPC Services.

There is, alas, no supported way to do this. I researched this a while back as part of a DTS incident (s. 600,057,819). The system has a ‘responsibility’ mechanism that it uses to track the relationships between processes (you can see the results of this in Activity Monitor) but the API for this is not public (r. 14,860,959).

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"


Do you have any idea how Little Snitch could do this?

Do you have any idea how Little Snitch could do this?

No. I try to stay out of the business of reverse engineering developers’ apps, for reasons I’m sure you’ll understand. As far as supported APIs go, I stand by my previous post: there’s no supported way to do this.

You could always ask the Objective Development folks directly.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"