[NEFilterDataProvider] Filter flows for some application

Hello,

I'm using an NEFilterDataProvider to filter the HTTP/S flow of applications (based on bundleId). With the help of this forum, I can now retrieve the bundleId of the application's flow from the audit_token (sourceAppAuditToken). Unfortunately, for some applications (e.g., Safari), I get the bundleId of the isolated process that uses WebKit, but I would like to retrieve the bundleId of the responsible process (Safari).

My current solution is to obtain the responsible PID of the WebKit process and then retrieve the bundleId from this PID (SecCodeCopyGuestWithAttributes).

What is the correct way to get the bundleId of the responsible process?

Answered by DTS Engineer in 775687022

I presume we’re talking macOS here.

based on bundleId

Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

A better option is to use the code signing designated requirement. See TN3127 Inside Code Signing: Requirements.

What is the correct way to get the bundleId of the responsible process?

Responsible process tracking is a tricky business. NE does not provide a direct mechanism for you to get the responsible process for a flow. If you’d like to see that change, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS. The story is different on iOS and its child platforms.

Accepted Answer

I presume we’re talking macOS here.

based on bundleId

Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

A better option is to use the code signing designated requirement. See TN3127 Inside Code Signing: Requirements.

What is the correct way to get the bundleId of the responsible process?

Responsible process tracking is a tricky business. NE does not provide a direct mechanism for you to get the responsible process for a flow. If you’d like to see that change, I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] On macOS. The story is different on iOS and its child platforms.

I presume we’re talking macOS here.

You're totally right. I forgot to this crucial precision, my bad.


Don’t use the bundle ID to identify a program in a security context. You can’t trust it [1]. There’s nothing stopping someone from creating an app with the bundle ID of com.apple.finder, for example.

Thank you for the advice. For now, my application is simply filtering some web content from browsers. I thought that identifying browsers from a bundleId was largely sufficient here.


I encourage you to file an enhancement request describing your requirements. Please post your bug number, just for the record.

Here is the suggestion number FB13511360.


It’s common for macOS NE filter providers to be paired with an Endpoint Security client. Is that the case for your product? If so, you can use the ES client to track process responsibility via its responsible_audit_token property.

It is. I quickly obtained the 'Endpoint Security client' capability for development. However, acquiring it for production seems to be more challenging, and I'm uncertain whether I can rely on obtaining it before my app is ready.

Thank you for your answers.

[NEFilterDataProvider] Filter flows for some application
 
 
Q