问题
I am using OS X 10.5 and I am looking for a way to detect if an application attempts to access the Internet. At this point I would like to block the application if it matches a set of rules that I will define.
There is the ipfw Unix command that I realise can be used to block access to certain ports, but that affects ALL applications. I read the man pages and didn't see a way to use ipfw to block access but limit it to a specific application.
My main problem lies in detecting which application that is trying to gain outside access to the network. Programmatically there must be a way to do this, whether is it by using some Mac OS X API or Unix command how can this be accomplished?
Update: Essentially I want to do what Little Snitch does, but i want to write it from scratch myself because I don't like Little Snitch. I just need to know what API's can let me accomplish the application network sandboxing and how exactly does Little Snitch do this?
回答1:
I realize this is a year late, but I was digging for something similar and came across what I think is the answer. Hopefully this could help someone else down the line.
Little Snitch appears to use Network Kernel Extensions to filter traffic coming into the system. I've validated this by discovering it installs a kernel extension on the box:
[~] kextstat
...
55 0 0x687000 0x2b000 0x2a000 at.obdev.nke.LittleSnitch (2.0.46) <7 6 5 4 2>
...
If you programmatically wish to prevent network access to another application, this seems to be your best bet. If you simply want to monitor network usage by other apps, however, you have other options, like libpcap.
回答2:
If you are targeting OS X 10.5 (Leopard), you can use the sandboxing API. sandbox_init is probably a good place to start; you can use the kSBXProfileNoInternet option to stop Internet access.
There is also a more detailed article here which gives some examples of more fine-grained control using the Seatbelt extensions.
回答3:
The Application Firewall in Mac OS X 10.5 does something similar, but currently Apple only supports using it to allow/block specific applications from accepting incoming connections. This is done through a kernel extension, which is controlled through the daemon /usr/libexec/ApplicationFirewall/socketfilterfw, which in turn is configured using the Firewall Preferences pane.
回答4:
There is no way a user space process is able to do what you describe. I suppose not even processes running as root. Remember: We're not running Windows here. And even if so, you should probably not expect Cocoa to support it. Cocoa is for the GUI-easy-to-use stuff of Mac OS X. Not for low-level system development.
The only way to accomplish what you describe, is to extend the kernel, which is what Little Snitch does. If there was some other clever way, I assure you Little Snitch would have done it differently. Kernel extensions are not for faint of hearted. When a kernel extension crash, the whole system crashes. So you better know what you do.
You are able, though, to get information on processes and their sockets from user space, but not using Cocoa. And only user's own processes, if your application is not running as root. You need to use libproc, which is not documented by Apple. You'll have to figure out how lsof does it. And your still not able to tamper with what you get.
I guess your better of just using Little Snitch. The overhead added by Little Snitch is marginally small and I promise you, you won't feel the difference. It merely hold back the socket connection, until a decision has been made - by you or the software.
If, though, you should still feel tempted to write your own kernel extensions, The Network Kernel Extension Programming Guide from Apple is what you need. The section on "Socket Filters" describes the interfaces Little Snitch uses.
回答5:
Sorry, the question doesn't make it clear if you want to write your own program to solve this need, or if you're simply asking if there's any program already out there to fill the same role.
If it's the latter, then Little Snitch does exactly what you ask. It will tell you which application is trying to access the outside internet, and give you the options of whether to allow the access or to deny it based on a rules set. It's not fully automatic though.
来源:https://stackoverflow.com/questions/1105896/block-application-access-to-network-via-a-cocoa-api-littlesnitch-apis