
How the ES communicate with a normal Mac app #37

Closed
E6ren opened this issue Jul 30, 2024 · 2 comments

Comments

@E6ren

E6ren commented Jul 30, 2024

I'm developing an app that allows the ES to control file access based on a regular app configuration. When the ES monitors a file open request, it needs to communicate with the regular app through IPC in order to evaluate and decide whether to allow user access to this file.

Therefore, there is a need for IPC from the ES to the normal app (which is not sandbox protected). I noticed that Red Canary can display events fetched by ES, so I assume there should also be IPC communication.

Can you provide some help with this? I tried using CFMessagePort, but it always returns nil when the ES tries to get the remote message port.

@Brandon7CC
Contributor

Hi @E6ren!

Great question -- hope I can help! Are your ES client(s) implemented as a System Extension / Launch Daemon? I'd strongly recommend using XPC; it's the suggested approach in most cases (e.g. performance and security). Make sure you have the NSEndpointSecurityMachServiceName set in your Info.plist w/ your service name. Also, see the man page for ES at: man EndpointSecurity, which speaks to this:

EndpointSecurity(7)                                                               Miscellaneous Information Manual                                                               EndpointSecurity(7)

NAME
     EndpointSecurity – APIs for applications to implement system security policy

DESCRIPTION
     The EndpointSecurity (ES) subsystem is a set of functionality to expose security relevant system events to applications (ES clients).  ES clients can either be standalone
     applications/executables or installed as system extensions.

     If the ES client is a system extension, the following optional keys can be set in the bundle's Info.plist:

     ...

     NSEndpointSecurityMachServiceName
              Type: String

              If set, this string will be the name of the MachService which can be used for XPC between the ES extension and its app.  If not set, a default mach service (name:
              <teamID>.<bundleID>.xpc) will be provided but its usage is deprecated.

To get a good idea of how to implement the XPC end of it check out Apple's Network Extension sample code: "Filtering Network Traffic" for a "SimpleFirewall" which does exactly this (although in ObjC):
https://developer.apple.com/documentation/networkextension/filtering_network_traffic

A bit more background I referenced was found here as well:
https://developer.apple.com/library/archive/documentation/MacOSX/Conceptual/BPSystemStartup/Chapters/CreatingXPCServices.html

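An added Swift sketch of the XPC pairing described above (not code from this thread, from the project, or from Apple's SimpleFirewall sample): the ES system extension listens on the Mach service named by NSEndpointSecurityMachServiceName, the app connects to it and exports a policy object, and the extension calls back into the app when an AUTH open event needs a decision. The service name, the FileAccessPolicy protocol, and the path rule are assumptions for illustration.

```swift
import Foundation

// Placeholder: must equal the NSEndpointSecurityMachServiceName value in the
// extension's Info.plist (Apple requires a Team-ID-prefixed name).
let machServiceName = "TEAMID.com.example.esclient.xpc"

// Hypothetical interface the app exports so the extension can ask for a decision.
@objc protocol FileAccessPolicy {
    func shouldAllow(open path: String, byPid pid: Int32,
                     reply: @escaping (Bool) -> Void)
}

// --- ES system extension side: listens on the Mach service -----------------
final class ExtensionXPCServer: NSObject, NSXPCListenerDelegate {
    private let listener = NSXPCListener(machServiceName: machServiceName)
    private var app: NSXPCConnection?

    func start() { listener.delegate = self; listener.resume() }

    func listener(_ listener: NSXPCListener,
                  shouldAcceptNewConnection conn: NSXPCConnection) -> Bool {
        // Assumed step, not shown: verify the peer's code signature / Team ID
        // before trusting it with policy decisions; reject unverified peers.
        conn.remoteObjectInterface = NSXPCInterface(with: FileAccessPolicy.self)
        conn.invalidationHandler = { [weak self] in self?.app = nil }
        conn.resume()
        app = conn
        return true
    }

    // Called from the ES AUTH_OPEN handler. Fails closed (deny) if the app is
    // unreachable; the caller must still respond before the ES deadline.
    func decide(path: String, pid: Int32, completion: @escaping (Bool) -> Void) {
        guard let proxy = app?.remoteObjectProxyWithErrorHandler({ _ in completion(false) })
                as? FileAccessPolicy else { return completion(false) }
        proxy.shouldAllow(open: path, byPid: pid, reply: completion)
    }
}

// --- App side: connects to the extension and exports the policy object -----
final class AppPolicy: NSObject, FileAccessPolicy {
    let protectedPrefix = "/Users/Shared/Vault/"   // constructed example rule
    func shouldAllow(open path: String, byPid pid: Int32,
                     reply: @escaping (Bool) -> Void) {
        reply(!path.hasPrefix(protectedPrefix))
    }
}

func connectToExtension() -> NSXPCConnection {
    let conn = NSXPCConnection(machServiceName: machServiceName, options: [])
    conn.exportedInterface = NSXPCInterface(with: FileAccessPolicy.self)
    conn.exportedObject = AppPolicy()
    conn.resume()
    return conn
}
```

The app must keep the returned connection alive for as long as it wants to answer the extension, and the extension should never block its ES event thread waiting on the reply.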

@E6ren
Author

E6ren commented Sep 26, 2024

Thanks @Brandon7CC for your detailed answer. I can now use XPC to establish IPC!

@E6ren E6ren closed this as completed Sep 26, 2024