recommended way of determining the user who initiated a network flow handled by a NEFilterDataProvider

For a network extension that is doing content-filtering with a NEFilterDataProvider provider class, what is the recommended way of determining the user whose activity initiated the flow being examined to allow or block?

Or in other words, if I'm building an internet safety app on a multi-user device, there might be a parent (admin) user who should not have any of their network traffic blocked, while a non-admin user should be subject to blocked requests. But, because the sysex runs as root (and is active no matter who is logged in), how do I determine what the source user of the flow is?

Or am I thinking about it wrong?

Is there an approved/idiomatic way of building a content filter so that it can be intelligent enough to block traffic for certain users, but not for others?

From the raw flow I can get access to the pid, which seems like should be traceable to the owning user somehow, but I couldn't find a straightforward API to do that.

Any help would be greatly appreciated!
Answered by DTS Engineer in 670877022

when I try to build I get:

Undefined symbol: _audit_token_to_ruid

You need to link with libbsm.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

From the raw flow I can get access to the pid, which seems like should be traceable to the owning user somehow, but I couldn't find a straightforward API to do that.

If you can get access to the pid via the sourceAppAuditToken then take a look at audit_token_to_ruid() out in Darwin.


Matt Eaton
DTS Engineering, CoreOS
meaton3@apple.com
@meaton Thanks for this, I appreciate it. I'm still struggling to implement this. I'm having a hard time finding ANY documentation for audit_token_to_ruid, so I'm fumbling in the dark a bit here.

I did find this thread, and so I'm trying code like this:

Code Block swift
private func auditTokenT(_ token: Data?) -> audit_token_t? {
 guard
   let token = token,
   token.count == MemoryLayout<audit_token_t>.size
  else { return nil }
  
  return token.withUnsafeBytes { buf in
   buf.baseAddress!.assumingMemoryBound(to: audit_token_t.self).pointee
 }
}
/* ... */
let token = auditTokenT(flow.sourceAppAuditToken) /* `flow` is a NEFilterFlow */
let ruid = audit_token_to_ruid(token)


With this code, Xcode is not showing any compiler errors or warning, but when I try to build I get:

Code Block
Undefined symbol: _audit_token_to_ruid


I tried importing Darwin, Darwin.bsm, but no dice. Do I have to do something special for this function to be available? If so, would you mind explaining what it would be?
Accepted Answer

when I try to build I get:

Undefined symbol: _audit_token_to_ruid

You need to link with libbsm.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
recommended way of determining the user who initiated a network flow handled by a NEFilterDataProvider
 
 
Q