NEFilterSocketFlow.sourceAppAuditToken always nil?

Hi,

I am trying to access the sourceAppAuditToken field of NEFilterSocketFlow so that I can cast it to an audit_token_t and retrieve information about the process involved in the netflow.

I always find that NEFilterSocketFlow.sourceAppAuditToken is nil.
Is this expected? Is sourceAppAuditToken populated for socket flows?

Thanks in advance for your help!
Arianna Avanzini

This does not surprise me. If you try and directly access the token from NEFilterFlow in handleNewFlow, does this improve your situation any?

```swift
override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
    // Read the audit token directly from the NEFilterFlow handed to handleNewFlow.
    if let sourceAppAuditToken = flow.sourceAppAuditToken {
        ...
    }
    // Downcast to NEFilterSocketFlow only for the endpoint details.
    guard let socketFlow = flow as? NEFilterSocketFlow,
          let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,
          let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else {
        ...
    }
    ...
}
```



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com

Hey, thanks for your answer! Yeah, that seems to work!

I was getting the NEFilterSocketFlow from the NEFilterReport in handleReport() before, and in that one, sourceAppAuditToken is nil. Is that not guaranteed to be initialized when passed on to handleReport() or am I doing something wrong?

Thanks!
Arianna

No problem.

> I was getting the NEFilterSocketFlow from the NEFilterReport in handleReport() before, and in that one, sourceAppAuditToken is nil. Is that not guaranteed to be initialized when passed on to handleReport() or am I doing something wrong?

Double check that in handleNewFlow your logic is instructing the provider to shouldReport on the NEFilterNewFlowVerdict.

```swift
override func handle(_ report: NEFilterReport) {
    if let flow = report.flow {
        /* Take a look at flow.description here */
    }
    ...
}

override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
    ...
    let verdict: NEFilterNewFlowVerdict = .allow()
    verdict.shouldReport = true
    return verdict
}
```



Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
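
An added example (not from the thread and not Apple sample code) of turning a non-nil sourceAppAuditToken into a code-signing identity with Security.framework, which accepts the token bytes directly, while treating the nil case discussed above as "unknown source". The names FlowSourceIdentity and sourceIdentity(of:) are hypothetical.

```swift
import Foundation
import NetworkExtension
import Security

// Hypothetical helper type and function; the names are not from the thread.
struct FlowSourceIdentity {
    let signingIdentifier: String?
    let teamIdentifier: String?
    let executablePath: String?
}

func sourceIdentity(of flow: NEFilterFlow) -> FlowSourceIdentity? {
    // The token can be nil (as seen above for flows read from a report), so bail out early.
    guard let token = flow.sourceAppAuditToken,
          token.count == MemoryLayout<audit_token_t>.size else {
        return nil
    }
    // Look up the running process by audit token and check that its signature is valid.
    let attributes = [kSecGuestAttributeAudit as String: token] as CFDictionary
    var code: SecCode?
    guard SecCodeCopyGuestWithAttributes(nil, attributes, [], &code) == errSecSuccess,
          let guest = code,
          SecCodeCheckValidity(guest, [], nil) == errSecSuccess else {
        return nil  // process already exited, or its signature does not validate
    }
    var staticCode: SecStaticCode?
    guard SecCodeCopyStaticCode(guest, [], &staticCode) == errSecSuccess,
          let onDisk = staticCode else {
        return nil
    }
    var info: CFDictionary?
    let flags = SecCSFlags(rawValue: kSecCSSigningInformation)
    guard SecCodeCopySigningInformation(onDisk, flags, &info) == errSecSuccess,
          let dict = info as? [String: Any] else {
        return nil
    }
    var url: CFURL?
    _ = SecCodeCopyPath(onDisk, [], &url)  // path is best effort
    return FlowSourceIdentity(
        signingIdentifier: dict[kSecCodeInfoIdentifier as String] as? String,
        teamIdentifier: dict[kSecCodeInfoTeamIdentifier as String] as? String,
        executablePath: (url as URL?)?.path)
}
```

Calling this from handleNewFlow, where the token is populated, and storing the result keyed by the flow lets a later handle(_ report:) attribute the flow without reading the token again.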