Endpoint message for Internet connections?

Reviewing the endpoint header files (ESMessage.h), I see an event type for UNIX-domain socket connections (es_event_uipc_connect_t) but no equivalent for a TCP/IP connection.


Can we not get TCP/IP related events in an endpoint monitor?



From ESMessage.h:


/**
 * Union of all possible events that can appear in an es_message_t
 */
typedef union {
    ...
    es_event_uipc_bind_t uipc_bind;
    es_event_uipc_connect_t uipc_connect;
} es_events_t;

/**
 * @brief Fired when a UNIX-domain socket is about to be connected.
 *
 * @field file Describes the socket file that the socket is bound to.
 * @field domain The communications domain of the socket (see socket(2)).
 * @field type The type of the socket (see socket(2)).
 * @field protocol The protocol of the socket (see socket(2)).
 */
typedef struct {
    es_file_t * _Nullable file;
    int domain;
    int type;
    int protocol;
    uint8_t reserved[64];
} es_event_uipc_connect_t;

Replies

Can we not get TCP/IP related events in an endpoint monitor?

You’d use a NetworkExtension system extension for this, no?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

As Quinn suggests, using the NetworkExtension framework is the proper way to handle network-related operations. EndpointSecurity intentionally does not provide these events (except for some related to UNIX domain sockets as you've already found).

Also in case you're unaware, it is possible to use both the NetworkExtension and EndpointSecurity frameworks from a single system extension.
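
The NetworkExtension route suggested in the replies, as an added sketch that is not code from the thread or from Apple: a content filter provider that logs outbound TCP connections, the events EndpointSecurity does not deliver. The class name `FlowLoggingFilter` and the log subsystem string are placeholders, and it assumes the provider runs in a system extension with the content-filter entitlement and an enabled filter configuration.

```swift
import Foundation
import NetworkExtension
import os.log

// Hypothetical provider class; the name and subsystem below are placeholders.
final class FlowLoggingFilter: NEFilterDataProvider {

    private let log = OSLog(subsystem: "com.example.flowlogger", category: "tcp")

    override func startFilter(completionHandler: @escaping (Error?) -> Void) {
        // nil networks with a 0 prefix match any address, so this rule
        // hands every outbound TCP flow to handleNewFlow(_:).
        let anyOutboundTCP = NENetworkRule(remoteNetwork: nil, remotePrefix: 0,
                                           localNetwork: nil, localPrefix: 0,
                                           protocol: .TCP, direction: .outbound)
        let rule = NEFilterRule(networkRule: anyOutboundTCP, action: .filterData)
        // Anything the rule does not match is allowed without inspection.
        let settings = NEFilterSettings(rules: [rule], defaultAction: .allow)
        apply(settings, completionHandler: completionHandler)
    }

    override func stopFilter(with reason: NEProviderStopReason,
                             completionHandler: @escaping () -> Void) {
        completionHandler()
    }

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        // Only socket flows carry endpoint information.
        guard let socketFlow = flow as? NEFilterSocketFlow,
              let remote = socketFlow.remoteEndpoint as? NWHostEndpoint else {
            return .allow()
        }
        // sourceAppAuditToken holds the originating process's audit token,
        // the same kind of value EndpointSecurity reports for a process, so it
        // can serve as a join key when both frameworks share one extension.
        let hasToken = socketFlow.sourceAppAuditToken != nil
        os_log("connect to %{public}@:%{public}@ audit-token-present=%{public}@",
               log: log, type: .info,
               remote.hostname, remote.port, String(hasToken))
        // Monitoring only: record the connection and let it proceed.
        return .allow()
    }
}
```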