How to get Process Name from flow object of FilterDataProvider.

App & System Services Networking
nagendrar OP
Created Jan ’21
Replies 1
Boosts 0
Views 412
Participants 2
Hi,
I have Simple Firewall example which is using FilterDataProvider. I have enabled socket level filtering. I want get the process name of event in handleNewFlow().

Following is the sample example handleNewFlow() API:
Code Block 
override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
    guard let socketFlow = flow as? NEFilterSocketFlow,          
        let remoteEndpoint = socketFlow.remoteEndpoint as? NWHostEndpoint,          
        let localEndpoint = socketFlow.localEndpoint as? NWHostEndpoint else {               
            return .allow()       
    }       
}

Please help me to get process name.
Replies  1
Boosts  0
Views  412
Participants  2
Systems Engineer OP
Apple
Jan ’21
If you are able to get the flow's sourceAppAuditToken you can try to use audit_token_to_pid to get the pid. Make sure to link against libbsm if you do. If you get the sourceAppAuditToken you can also try and get the bundle id by going the SecCodeCopySigningInformation route and getting the bundle id from the signing info.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
0
How to get Process Name from flow object of FilterDataProvider.
First post date Last post date
 
 
Q