`fetchContents(for:version:request:completionHandler:)` get the requesting executable name

I was successfully able to get the callback for file reads for the files in my mounted folder. Now we need to implement some read protection on top of that, we need to only allow some specific applications to access the data through the File provider.

for that, we need to get the name or any information regarding the Application that requested the read. one thing I've seen is the request.requestingExecutable , which is coming nil for all the applications trying to read the files in the mounted folder. But i do get applications name for the things done by finder (drag&drop and Copy paste) .

What are the ways I can get the reading Application names ?

and what could be done for implementing data leak features working in pair with the File Provider Extension ?

Up vote post of debasish_nandi Down vote post of debasish_nandi
405 views
Posted by
debasish_nandi
Reply
Add a Comment

Replies

Please file a duplicate for FB13625361.

The requestingExecutable feature is only available in managed scenarios, for privacy reasons. Please refer to https://developer.apple.com/documentation/devicemanagement/fileprovider?language=objc

Posted by
dkocher
Post not yet marked as solved Up vote reply of dkocher Down vote reply of dkocher
Add a Comment

Your NSFileProviderReplicatedExtension is not an effective point of access control for files. It will only be invoked when a non-downloaded file is requested.

Access to files within a FileProvider domain is managed by the Privacy & Security settings in the macOS System Settings app. The user is able to grant apps access to a given FileProvider domain.

To illustrate, imagine:

  • the user grants access to your FileProvider domain, to apps Foo and Bar
  • app Foo reads a non-downloaded file, "sample.txt"
  • Your extension thinks app Foo should be allowed to access the file, so you provide the file contents on the completion handler to fetchContents
  • app Bar reads the same "sample.txt" file, now downloaded
  • Your extension will not be invoked at this point. As long as the user granted access for the app to access your domain's files, the app will be able to read the already-downloaded file on the filesystem, without your extension being involved.

I believe a better extension point to implement such functionality would be Endpoint Security. See: https://developer.apple.com/documentation/endpointsecurity?language=objc

Posted by
clenart
Post not yet marked as solved Up vote reply of clenart Down vote reply of clenart
Add a Comment