How does the ES communicate with a normal Mac app? #37
Comments
Hi @E6ren! Great question -- hope I can help! Are your ES client(s) implemented as a System Extension / Launch Daemon? I'd strongly recommend using XPC; it's the suggested approach in most cases (e.g. performance and security). Make sure you have the

    EndpointSecurity(7)        Miscellaneous Information Manual        EndpointSecurity(7)

    NAME
         EndpointSecurity – APIs for applications to implement system security policy

    DESCRIPTION
         The EndpointSecurity (ES) subsystem is a set of functionality to expose security relevant system events to applications (ES clients). ES clients can either be standalone applications/executables or installed as system extensions.

         If the ES client is a system extension, the following optional keys can be set in the bundle's Info.plist:
         ...
         NSEndpointSecurityMachServiceName
                 Type: String
                 If set, this string will be the name of the MachService which can be used for XPC between the ES extension and its app. If not set, a default mach service (name: <teamID>.<bundleID>.xpc) will be provided but its usage is deprecated.

To get a good idea of how to implement the XPC end of it, check out Apple's Network Extension sample code: "Filtering Network Traffic" for a "SimpleFirewall", which does exactly this (although in ObjC): A bit more background I referenced was found here as well:
Thanks @Brandon7CC for your detailed answer. I can now use XPC to establish IPC!
I'm developing an app that allows the ES to control file access based on a regular app configuration. When the ES monitors a file open request, it needs to communicate with the regular app through IPC in order to evaluate and decide whether to allow user access to this file.
Therefore, there is a need for IPC from the ES to the normal app (which is not sandbox-protected). I noticed that Red Canary can display events fetched by ES, so I assume there should also be IPC communication.
Can you provide some help with this? I tried using CFMessagePort, but it always returns nil when the ES tries to get the remote message port.
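To make the XPC pattern from Brandon's answer concrete for the use case in the issue (the extension asking the app whether a file open should be allowed), here is an added Swift sketch. It is not code from this thread or from the project: the mach service name, the app bundle identifier, the team ID and the "denied path prefix" policy are placeholders; the `.privileged` connection option and the remark about why a CFMessagePort registered by a GUI app is not visible to the extension are assumptions to check against Apple's documentation; and the ES client setup itself (es_new_client / es_subscribe) is left out.

```swift
import Foundation

// Shared protocols: compile this part into BOTH the app target and the
// extension target, otherwise the NSXPCInterface on each side will not match.

/// Messages the companion app sends to the ES system extension.
@objc protocol ExtensionService {
    /// Push the app's configuration so the extension can decide locally when
    /// the app is unreachable. (Constructed example: path prefixes to deny.)
    func updatePolicy(deniedPrefixes: [String], reply: @escaping (Bool) -> Void)
}

/// Messages the extension sends back to the app on each file-open request.
@objc protocol PolicyDecider {
    func shouldAllowOpen(path: String, pid: Int32, reply: @escaping (Bool) -> Void)
}

/// Placeholder. Must equal NSEndpointSecurityMachServiceName in the extension's
/// Info.plist; the man page's default pattern is <teamID>.<bundleID>.xpc.
let machServiceName = "TEAMID.com.example.esextension.xpc"

// MARK: - Extension side: owns the listener, pins the peer, asks the app

final class ExtensionXPCServer: NSObject, NSXPCListenerDelegate, ExtensionService {
    private let listener: NSXPCListener
    private var appConnection: NSXPCConnection?
    private var deniedPrefixes: [String] = []
    private let lock = NSLock()

    override init() {
        listener = NSXPCListener(machServiceName: machServiceName)
        super.init()
        listener.delegate = self
        listener.resume()
    }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection newConnection: NSXPCConnection) -> Bool {
        // Any local process can try to connect to a named mach service, so the
        // extension pins the peer's code signature before letting it drive policy.
        // Placeholder requirement: substitute your app's identifier and team ID.
        guard #available(macOS 13.0, *) else { return false }
        newConnection.setCodeSigningRequirement(
            "anchor apple generic and identifier \"com.example.app\" " +
            "and certificate leaf[subject.OU] = \"TEAMID\"")
        newConnection.exportedInterface = NSXPCInterface(with: ExtensionService.self)
        newConnection.exportedObject = self
        newConnection.remoteObjectInterface = NSXPCInterface(with: PolicyDecider.self)
        newConnection.invalidationHandler = { [weak self] in
            guard let self = self else { return }
            self.lock.lock(); self.appConnection = nil; self.lock.unlock()
        }
        newConnection.resume()
        lock.lock(); appConnection = newConnection; lock.unlock()
        return true
    }

    func updatePolicy(deniedPrefixes: [String], reply: @escaping (Bool) -> Void) {
        lock.lock(); self.deniedPrefixes = deniedPrefixes; lock.unlock()
        reply(true)
    }

    /// Call this from the ES message handler for an ES_EVENT_TYPE_AUTH_OPEN message.
    /// AUTH events carry a deadline, so the extension never waits on the app
    /// indefinitely: after `timeout`, or if the app is gone, it answers from the
    /// cached prefix list instead. Exactly one answer reaches `completion`.
    func decide(path: String, pid: Int32, timeout: TimeInterval = 1.0,
                completion: @escaping (Bool) -> Void) {
        lock.lock()
        let cachedAllow = !deniedPrefixes.contains { path.hasPrefix($0) }
        let conn = appConnection
        lock.unlock()
        guard let conn = conn else { return completion(cachedAllow) }

        var answered = false
        let once: (Bool) -> Void = { [lock = self.lock] allow in
            lock.lock(); defer { lock.unlock() }
            if !answered { answered = true; completion(allow) }
        }
        DispatchQueue.global().asyncAfter(deadline: .now() + timeout) { once(cachedAllow) }
        let proxy = conn.remoteObjectProxyWithErrorHandler { _ in once(cachedAllow) } as! PolicyDecider
        proxy.shouldAllowOpen(path: path, pid: pid) { once($0) }
    }
}

// MARK: - App side: connects to the named service and answers the callbacks

final class AppXPCClient: NSObject, PolicyDecider {
    private let connection: NSXPCConnection
    private let decider: (String, Int32) -> Bool

    init(decider: @escaping (String, Int32) -> Bool) {
        self.decider = decider
        // Assumption: the extension's service is registered in the global bootstrap
        // namespace, hence .privileged. (The same namespace split is the likely
        // reason a CFMessagePort created in the user's GUI session comes back nil
        // when looked up from the extension.)
        connection = NSXPCConnection(machServiceName: machServiceName, options: .privileged)
        super.init()
        connection.remoteObjectInterface = NSXPCInterface(with: ExtensionService.self)
        connection.exportedInterface = NSXPCInterface(with: PolicyDecider.self)
        connection.exportedObject = self
        connection.resume()
    }

    func push(deniedPrefixes: [String], completion: @escaping (Bool) -> Void) {
        let proxy = connection.remoteObjectProxyWithErrorHandler { _ in completion(false) } as! ExtensionService
        proxy.updatePolicy(deniedPrefixes: deniedPrefixes, reply: completion)
    }

    func shouldAllowOpen(path: String, pid: Int32, reply: @escaping (Bool) -> Void) {
        reply(decider(path, pid))
    }
}
```

Two design points matter for a policy-enforcing extension: the peer check in `shouldAcceptNewConnection` is what stops an arbitrary local process from connecting to the extension's mach service and feeding it an allow-everything policy, and the timeout plus cached policy in `decide` keeps the extension from missing an ES AUTH deadline when the GUI app is slow, suspended or not running.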