Endpoint message for Internet connections?

Question

Created Nov ’19

Replies 2

Boosts 0

Participants 3

Reviewing the endpoint header files (ESMessage.h), I see an event type for UNIX-domain socket connections (es_event_uipc_connect_t) but no equivalent for a TCP/IP connection.

Can we not get TCP/IP related events in an endpoint monitor?

From ESMessage.h:

/**

* Union of all possible events that can appear in an es_message_t

*/

typedef union {

...

es_event_uipc_bind_t uipc_bind;

es_event_uipc_connect_t uipc_connect;

} es_events_t;

/**

* @brief Fired when a UNIX-domain socket is about to be connected.

*

* @field file Describes the socket file that the socket is bound to.

* @field domain The cmmunications domain of the socket (see socket(2)).

* @field type The type of the socket (see socket(2)).

* @field protocol The protocol of the socket (see socket(2)).

*/

typedef struct {

es_file_t * _Nullable file;

int domain;

int type;

int protocol;

uint8_t reserved[64];

} es_event_uipc_connect

Boost

Answer 1

DTS Engineer OP

Apple

Nov ’19

Can we not get TCP/IP related events in an endpoint monitor?

You’d use a NetworkExtension system extension for this, no?

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

1

Answer 2

Security Engineer OP

Apple

Jun ’20

As Quinn suggests, using the NetworkExtension framework is the proper way to handle network-related operations. EndpointSecurity intentionally does not provide these events (except for some related to UNIX domain sockets as you've already found).

Also in case you're unaware, it is possible to use both the NetworkExtension and EndpointSecurity frameworks from a single system extension.

1