[NEFilterDataProvider] Filter flows for some application

Hello,

I'm using an NEFilterDataProvider to filter the HTTP/S flow of applications (based on bundleId). With the help of this forum, I can now retrieve the bundleId of the application's flow from the audit_token (sourceAppAuditToken). Unfortunately, for some applications (e.g., Safari), I get the bundleId of the isolated process that uses WebKit, but I would like to retrieve the bundleId of the responsible process (Safari).

My current solution is to obtain the responsible PID of the WebKit process and then retrieve the bundleId from this PID (SecCodeCopyGuestWithAttributes).

What is the correct way to get the bundleId of the responsible process?

Up vote post of Mox Down vote post of Mox
311 views
Posted by
Mox
Reply
Add a Comment

Accepted Reply

I presume we’re talking macOS here.

based on bundleId

Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

A better option is to use the code signing designated requirement. See TN3127 Inside Code Signing: Requirements.

What is the correct way to get the bundleId of the responsible process?

Responsible process tracking is a tricky business. NE does not provide a direct mechanism for you to get the responsible process for a flow. If you’d like to see that change, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS. The story is different on iOS and its child platforms.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

Replies

I presume we’re talking macOS here.

based on bundleId

Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

A better option is to use the code signing designated requirement. See TN3127 Inside Code Signing: Requirements.

What is the correct way to get the bundleId of the responsible process?

Responsible process tracking is a tricky business. NE does not provide a direct mechanism for you to get the responsible process for a flow. If you’d like to see that change, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS. The story is different on iOS and its child platforms.

Posted by
eskimo
Up vote reply of eskimo Down vote reply of eskimo
Post marked as solved
Add a Comment

I presume we’re talking macOS here.

You're totally right. I forgot to this crucial precision, my bad.

Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

Thank you for the advice. For now, my application is simply filtering some web content from browsers. I thought that identifying browsers from a bundleId was largely sufficient here.

I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Here is the suggestion number FB13511360.

It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

It is. I quickly obtained the 'Endpoint Security client' capability for development. However, acquiring it for production seems to be more challenging, and I'm uncertain whether I can rely on obtaining it before my app is ready.

Thank you for your answers.

Posted by
Mox
Up vote reply of Mox Down vote reply of Mox

  • Thanks for filing FB13511360.

    eskimo
Add a Comment