audit_lookup.h
#import <Foundation/Foundation.h>
#ifdef API_UNAVAILABLE
#undef API_UNAVAILABLE
#endif
#define API_UNAVAILABLE(...)
#import <bsm/libbsm.h>
#import <libproc/libproc.h>
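/**
 * Looks up the bundle that contains the executable of a running process.
 *
 * The executable path is obtained with proc_pidpath() and the bundle is taken
 * to be the directory that directly contains that executable.
 *
 * Security notes for callers:
 *  - The pid is resolved at call time. A pid only names whichever process
 *    currently holds it, so the answer can describe a different process than
 *    the one the caller originally observed.
 *  - The identifier and names come from the bundle's Info.plist on disk. They
 *    are self-declared by whoever shipped the bundle and are not authenticated
 *    here; treat them as display hints, and base trust decisions on
 *    code-signature validation instead.
 *
 * NOTE(review): the bundle root is assumed to be the executable's parent
 * directory, which matches a flat bundle layout. For a macOS-style
 * Foo.app/Contents/MacOS/Foo layout this is the MacOS directory; confirm that
 * NSBundle still finds the expected Info.plist there.
 *
 * @param pid              Process to inspect.
 * @param bundleIdentifier Optional out-parameter; receives the bundle
 *                         identifier (may be nil when the bundle declares none).
 * @param displayName      Optional out-parameter; receives CFBundleDisplayName,
 *                         else CFBundleName, else the bundle identifier.
 * @return true when a bundle object could be created for the executable's
 *         directory, false otherwise. Out-parameters are left untouched on
 *         failure.
 */
static bool audit_lookup_by_pid(pid_t pid, NSString **bundleIdentifier, NSString **displayName)
{
    char path[PROC_PIDPATHINFO_MAXSIZE];
    int pathLength = proc_pidpath(pid, path, sizeof(path));
    if (pathLength <= 0) {
        return false;
    }

    // Paths handed back by the kernel are in file-system representation; convert
    // them with NSFileManager rather than assuming they are well-formed UTF-8.
    NSString *executablePath =
        [[NSFileManager defaultManager] stringWithFileSystemRepresentation:path
                                                                    length:(NSUInteger)pathLength];
    if (!executablePath) {
        return false;
    }

    NSBundle *bundle = [NSBundle bundleWithPath:[executablePath stringByDeletingLastPathComponent]];
    if (!bundle) {
        return false;
    }

    if (bundleIdentifier) {
        *bundleIdentifier = [bundle bundleIdentifier];
    }

    if (displayName) {
        // Info.plist content is controlled by the inspected bundle, so a value
        // stored under these keys is not guaranteed to be a string. Accept only
        // NSString values so callers never receive an object of another class
        // typed as NSString *.
        NSString *result = nil;
        for (NSString *key in @[@"CFBundleDisplayName", @"CFBundleName"]) {
            id value = [bundle objectForInfoDictionaryKey:key];
            if ([value isKindOfClass:[NSString class]]) {
                result = value;
                break;
            }
        }
        if (!result) {
            result = [bundle bundleIdentifier];
        }
        *displayName = result;
    }

    return true;
}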
/**
 * Resolves the bundle identifier and display name for the process named by an
 * audit token.
 *
 * Only the pid field of the token is extracted; every other field is discarded
 * and the lookup is delegated to audit_lookup_by_pid(). The result therefore
 * describes whichever process holds that pid at lookup time.
 *
 * NOTE(review): if the process that produced the token has exited and its pid
 * has been reused, the returned values belong to a different process. Callers
 * that make trust decisions should validate against the full token rather than
 * the pid alone.
 *
 * @param token            Audit token of the process to inspect.
 * @param bundleIdentifier Optional out-parameter, passed through unchanged.
 * @param displayName      Optional out-parameter, passed through unchanged.
 * @return The result of audit_lookup_by_pid() for the token's pid.
 */
static bool audit_lookup_by_token(audit_token_t token, NSString **bundleIdentifier, NSString **displayName)
{
    pid_t tokenPid = 0;
    audit_token_to_au32(token,
                        NULL,       /* auid */
                        NULL,       /* euid */
                        NULL,       /* egid */
                        NULL,       /* ruid */
                        NULL,       /* rgid */
                        &tokenPid,  /* pid  */
                        NULL,       /* asid */
                        NULL);      /* tid  */

    bool found = audit_lookup_by_pid(tokenPid, bundleIdentifier, displayName);
    return found;
}