I struggled for quite a while (collecting information from multiple sources) to derive the pid, gid, uid and process name from the flow metadata 'sourceAppAuditToken'. I will be really glad if the code below saves time for others. I computed these values for NEAppProxyTCPFlow, but the same can be done for 'NEFilterFlow::sourceAppAuditToken':
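extension NEAppProxyTCPFlow {

    /// The audit token of the process that opened this flow, decoded from
    /// `metaData.sourceAppAuditToken`, or `nil` when the metadata carries no token
    /// or the token's byte count does not match `audit_token_t`.
    ///
    /// Check this before reading `pid`, `uid` or `gid`: those properties trap when
    /// no token is present. Keep the token itself when you need a stable identity —
    /// unlike a bare pid it carries a pid-version, so it cannot be confused with a
    /// later process that reuses the same pid.
    var sourceAppAuditTokenQ: audit_token_t? {
        guard let tokenData = metaData.sourceAppAuditToken,
              tokenData.count == MemoryLayout<audit_token_t>.size
        else { return nil }
        // Copy byte-wise into a zeroed token instead of reinterpreting the Data
        // buffer in place: Data gives no alignment guarantee for `audit_token_t`,
        // and this avoids the force-unwrapped `baseAddress`.
        var token = audit_token_t()
        withUnsafeMutableBytes(of: &token) { dest in
            dest.copyBytes(from: tokenData)
        }
        return token
    }

    /// Token accessor for the non-optional identity properties below.
    /// - Returns: The decoded audit token.
    /// - Note: Traps with a message naming the calling property when the flow has no
    ///   usable token, instead of an anonymous force-unwrap crash.
    private func requiredAuditToken(_ caller: String = #function) -> audit_token_t {
        guard let token = sourceAppAuditTokenQ else {
            preconditionFailure("\(caller): flow metadata has no usable sourceAppAuditToken")
        }
        return token
    }

    /// Process ID of the flow's source process.
    ///
    /// Traps if the metadata has no usable audit token; check `sourceAppAuditTokenQ`
    /// first when that is a possible state. For anything security-relevant prefer the
    /// full token over this value: a pid alone can be reused by a later process.
    var pid: pid_t {
        audit_token_to_pid(requiredAuditToken())
    }

    /// Real user ID (`audit_token_to_ruid`) of the source process — not the effective
    /// uid. If a policy check needs the effective identity, call `audit_token_to_euid`
    /// on `sourceAppAuditTokenQ` instead.
    ///
    /// Traps if the metadata has no usable audit token.
    var uid: uid_t {
        audit_token_to_ruid(requiredAuditToken())
    }

    /// Real group ID (`audit_token_to_rgid`) of the source process.
    ///
    /// Traps if the metadata has no usable audit token.
    var gid: gid_t {
        audit_token_to_rgid(requiredAuditToken())
    }

    /// Filesystem path of the source process's code object, resolved through the
    /// Security framework from the audit token, or `nil` when the flow carries no
    /// token or any Security call fails.
    ///
    /// This is only the on-disk location; nothing here validates the code signature.
    /// Base policy decisions on signing identity (`SecCodeCheckValidity`,
    /// `SecCodeCopySigningInformation`) rather than on a path string.
    var processPath: String? {
        guard let tokenData = metaData.sourceAppAuditToken else { return nil }

        // Dynamic code object of the running guest identified by the audit token.
        var codeQ: SecCode?
        var err = SecCodeCopyGuestWithAttributes(
            nil,
            [kSecGuestAttributeAudit: tokenData] as CFDictionary,
            [],
            &codeQ)
        guard err == errSecSuccess, let code = codeQ else { return nil }

        // Only the static code object has a location on disk.
        var staticCodeQ: SecStaticCode?
        err = SecCodeCopyStaticCode(code, [], &staticCodeQ)
        guard err == errSecSuccess, let staticCode = staticCodeQ else { return nil }

        var pathURLQ: CFURL?
        err = SecCodeCopyPath(staticCode, [], &pathURLQ)
        guard err == errSecSuccess, let pathURL = pathURLQ else { return nil }

        guard let posixPath = CFURLCopyFileSystemPath(pathURL, .cfurlposixPathStyle) else {
            return nil
        }
        return posixPath as String
    }
}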
enjoy!!!