I'm working on a FilterDataProvider network extension that works in conjunction with our global proxy app. Traffic that is bound for the proxy does not pass through the extension but outbound traffic from the proxy does.
This outbound traffic needs to be identified so that we don't attempt to filter it. I have code that will convert the sourceAppAuditToken into a bundle ID, but the call to SecCodeCopyGuestWithAttributes fails because the sourceAppAuditToken does not contain a value. Here's an excerpt from the logs:
09:27:01.972400 (0): Flow 687496262 is connecting com.apple.networkextension
09:27:01.972655 (687496262): New flow: NEFlow type = stream, app = proxyApp, name = , 192.168.1.170:0 <-> 13.107.136.9:443, filter_id = D89B5B5D-793C-4940-77D4-60DF35207800, interface = en0 com.apple.networkextension
09:27:01.973080 [Extension com.sophos.endpoint.network]: Calling handleNewFlow with TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.973873 [Extension com.sophos.endpoint.network]: provider rejected new flow TCP proxyApp[{length = 20, bytes = 0x4bf6e2f6f76b530341761afce6c7d0c01330af54}] remote: 13.107.136.9:443 interface en0 com.apple.networkextension
09:27:01.974305 (687496262): Destroying, client tx 0, client rx 0, kernel rx 0, kernel tx 0 com.apple.networkextension
09:27:01.978701 UUID cache generation changed from 18791 to 18792 com.apple.networkextension
09:27:01.979738 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.980046 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.980610 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.980664 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.983949 Setting UUID cache generation to 18793 com.apple.networkextension
09:27:01.986451 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.988775 UUID cache generation changed from 18792 to 18793 com.apple.networkextension
09:27:01.989725 Failed to find proxyApp in LaunchServices com.apple.networkextension
09:27:01.989808 Failed to find proxyApp using neagent com.apple.networkextension
09:27:01.990073 +[NEProcessInfo copyUUIDsForFatBinary:]: failed to get uuid for offset 16384 com.apple.networkextension
09:27:01.990113 +[NEProcessInfo copyUUIDsForExecutable:]_block_invoke: failed to get UUIDs for /usr/local/bin/proxyApp com.apple.networkextension
09:27:01.991891 Setting UUID cache generation to 18794 com.apple.networkextension
09:27:01.992283 Could not find app info, return the original flow without filling in app info com.apple.networkextension
09:27:01.992567 D89B5B5D-793C-4940-77D4-60DF35207800
identifier = D89B5B5D-793C-4940-77D4-60DF35207800
procPID = 97466
eprocPID = 97466
direction = outbound
inBytes = 0
outBytes = 0
signature = 32:{length = 32, bytes = 0xdb48e494 a3048ed1 b5a3d7e7 86425239 ... 2e0bb61f 66820ed3 }
socketID = 782035df60d477
localEndpoint = 0.0.0.0:0
remoteEndpoint = 13.107.136.9:443
protocol = 6
family = 2
type = 1
procUUID = 00000000-0000-0000-0000-000000000000
eprocUUID = 00000000-0000-0000-0000-000000000000 (no token)
I'm running on Apple Silicon. My extension is built for arm64 and x86_64. My proxy app is a Unix executable with no bundle and is also built for both architectures and signed. I realize that I'm probably not going to be able to get a bundle ID from it, but I don't even have an audit token to start.
Is there another way to identify flows from specific processes?
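The audit-token-to-identity lookup described in the post, written out as an added example (this is not the poster's code and is not from Apple's sample code). It resolves the code-signing identifier of the flow's source process through SecCodeCopyGuestWithAttributes and SecCodeCopySigningInformation, and treats a nil or short sourceAppAuditToken (the "(no token)" case in the log above) as an explicit attribution failure rather than a crash. The class name FilterProvider and the value of proxySigningIdentifier are assumptions; the real identifier is whatever the proxy was signed with. For a bare executable, the signing identifier is not a CFBundleIdentifier but the identifier chosen at codesign time, which is why the example asks for kSecCodeInfoIdentifier rather than a bundle ID.

```swift
import Foundation
import NetworkExtension
import Security
import os.log

// Added example: resolve the code-signing identifier of the process behind a flow.
enum FlowAttribution {
    /// Returns the signing identifier (CFBundleIdentifier for bundled apps, the
    /// codesign-time identifier for bare executables), or nil when the token is
    /// missing or any Security call fails.
    static func signingIdentifier(fromAuditToken token: Data?) -> String? {
        // audit_token_t is 8 x UInt32 = 32 bytes. A nil or short token is the
        // "(no token)" case from the log, so stop before calling into Security.
        guard let token = token, token.count == MemoryLayout<audit_token_t>.size else {
            return nil
        }

        // Look up the running code (the "guest") by its audit token.
        let attributes: [CFString: Any] = [kSecGuestAttributeAudit: token as CFData]
        var guest: SecCode?
        let guestStatus = SecCodeCopyGuestWithAttributes(nil, attributes as CFDictionary, [], &guest)
        guard guestStatus == errSecSuccess, let code = guest else {
            return nil
        }

        // Signing information is read from the on-disk (static) code object.
        var staticCode: SecStaticCode?
        guard SecCodeCopyStaticCode(code, [], &staticCode) == errSecSuccess,
              let sc = staticCode else {
            return nil
        }

        var info: CFDictionary?
        let infoStatus = SecCodeCopySigningInformation(sc, SecCSFlags(rawValue: kSecCSSigningInformation), &info)
        guard infoStatus == errSecSuccess, let dict = info as? [String: Any] else {
            return nil
        }
        return dict[kSecCodeInfoIdentifier as String] as? String
    }
}

// Added example: a FilterDataProvider that skips its own proxy's traffic only
// when the source process can actually be attributed.
final class FilterProvider: NEFilterDataProvider {
    // Assumed value: the identifier the proxy executable was signed with.
    let proxySigningIdentifier = "com.example.proxyApp"

    override func handleNewFlow(_ flow: NEFilterFlow) -> NEFilterNewFlowVerdict {
        let identifier = FlowAttribution.signingIdentifier(fromAuditToken: flow.sourceAppAuditToken)

        guard let ident = identifier else {
            // No usable token: log it and fall through to filtering. Unattributed
            // traffic is filtered, never silently allowed.
            os_log("Flow without usable audit token: %{public}@", String(describing: flow))
            return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: Int.max,
                                      filterOutbound: true, peekOutboundBytes: Int.max)
        }

        if ident == proxySigningIdentifier {
            // Outbound traffic from our own proxy: do not filter it.
            return .allow()
        }

        return .filterDataVerdict(withFilterInbound: true, peekInboundBytes: Int.max,
                                  filterOutbound: true, peekOutboundBytes: Int.max)
    }
}
```

The order of the two checks matters: the nil-token branch is taken first, so a flow like the one in the log (eprocUUID all zeros, "(no token)") is filtered by default instead of being mistaken for the proxy, and the log line gives you the count of unattributable flows to watch.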