Hello,
I'm using an NEFilterDataProvider to filter the HTTP/S flow of applications (based on bundleId). With the help of this forum, I can now retrieve the bundleId of the application's flow from the audit_token (sourceAppAuditToken). Unfortunately, for some applications (e.g., Safari), I get the bundleId of the isolated process that uses WebKit, but I would like to retrieve the bundleId of the responsible process (Safari).
My current solution is to obtain the responsible PID of the WebKit process and then retrieve the bundleId from this PID (SecCodeCopyGuestWithAttributes).
What is the correct way to get the bundleId of the responsible process?
I presume we’re talking macOS here.
> based on bundleId
Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.
A better option is to use the code signing designated requirement. See TN3127 Inside Code Signing: Requirements.
> What is the correct way to get the bundleId of the responsible process?
Responsible process tracking is a tricky business. NE does not provide a direct mechanism for you to get the responsible process for a flow. If you’d like to see that change, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.
It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
[1] On macOS. The story is different on iOS and its child platforms.
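
An added example, not code from either poster or from Apple: one way to test the process named by a flow's audit token against a code signing requirement instead of comparing bundle IDs. The function name, error type and requirement string are assumptions made up for illustration. The check applies to whichever process the token names, so it says nothing about the responsible process.

```swift
import Foundation
import Security

/// Hypothetical error type for this example; carries the failing OSStatus.
struct CodeSigningError: Error {
    let status: OSStatus
}

/// Returns true when the process identified by `auditToken` satisfies
/// `requirementText` (code signing requirement language, see TN3127).
/// `auditToken` is the Data from NEFilterFlow.sourceAppAuditToken.
func processSatisfies(requirementText: String, auditToken: Data) throws -> Bool {
    // Compile the textual requirement into a SecRequirement.
    var requirementRef: SecRequirement?
    var status = SecRequirementCreateWithString(requirementText as CFString, [], &requirementRef)
    guard status == errSecSuccess, let requirement = requirementRef else {
        throw CodeSigningError(status: status)
    }

    // Resolve the running code from the audit token. The token, unlike a
    // bare PID, cannot be satisfied by a later process that reuses the PID.
    let attributes = [kSecGuestAttributeAudit: auditToken] as CFDictionary
    var codeRef: SecCode?
    status = SecCodeCopyGuestWithAttributes(nil, attributes, [], &codeRef)
    guard status == errSecSuccess, let code = codeRef else {
        throw CodeSigningError(status: status)
    }

    // Validate the running code's signature and test it against the requirement.
    status = SecCodeCheckValidity(code, [], requirement)
    switch status {
    case errSecSuccess:
        return true
    case errSecCSReqFailed:
        // Signature is valid but the requirement is not met.
        return false
    default:
        // Unsigned, tampered, or otherwise unverifiable code: treat as an error.
        throw CodeSigningError(status: status)
    }
}

// Constructed requirement for illustration only; the identifier and team ID
// are placeholders, not values from the thread.
let exampleRequirement = """
identifier "com.example.browser" and anchor apple generic \
and certificate leaf[subject.OU] = "TEAMID1234"
"""
```

In a filter provider this would be called from the flow handler with the flow's sourceAppAuditToken, treating a thrown error the same as a failed match.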