views: 790
answers: 4

I am using OS X 10.5 and I am looking for a way to detect if an application attempts to access the Internet. At this point I would like to block the application if it matches a set of rules that I will define.

There is the ipfw Unix command that I realise can be used to block access to certain ports, but that affects ALL applications. I read the man pages and didn't see a way to use ipfw to block access but limit it to a specific application.

My main problem lies in detecting which application is trying to gain outside access to the network. Programmatically there must be a way to do this, whether it is by using some Mac OS X API or a Unix command; how can this be accomplished?

Update: Essentially I want to do what Little Snitch does, but I want to write it from scratch myself because I don't like Little Snitch. I just need to know what APIs can let me accomplish the application network sandboxing, and how exactly does Little Snitch do this?

+2  A: 

If you are targeting OS X 10.5 (Leopard), you can use the sandboxing API. sandbox_init is probably a good place to start; you can use the kSBXProfileNoInternet option to stop Internet access.

There is also a more detailed article here which gives some examples of more fine-grained control using the Seatbelt extensions.

Dave Rigby
Thanks. It is a pointer in the right direction at least.
Brock Woolf
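Added example, written for this page and not taken from the question or from any of the answers: a small launcher in C that combines the "set of rules" the question asks for with the sandbox_init / kSBXProfileNoInternet API the answer above points at. The parent forks, and the child applies the no-Internet profile to itself before execv() when the executable's basename matches a deny list; because the sandbox is inherited across exec, the launched program runs without Internet access. The deny table (kDenyBasenames), the function names and the sample paths are hypothetical. sandbox_init, kSBXProfileNoInternet, SANDBOX_NAMED and sandbox_free_error are the real <sandbox.h> calls and exist only on OS X, so that call is compiled only under __APPLE__; elsewhere the helper reports failure, and the launcher fails closed (a matched program is not started at all if the sandbox cannot be applied).

```c
/*
 * Added example (not part of the original Q&A): launch a program and, if it
 * matches a deny rule, place it in the Leopard "no Internet" sandbox first.
 * The rule table and function names below are hypothetical.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

#ifdef __APPLE__
#include <sandbox.h>   /* sandbox_init, kSBXProfileNoInternet, SANDBOX_NAMED */
#endif

/* Hypothetical deny rules (constructed for this example): executables whose
 * basename matches one of these are launched without Internet access. */
static const char *const kDenyBasenames[] = { "Untrusted", "curl", NULL };

/* Return the basename portion of a path (a pointer into the input). */
static const char *path_basename(const char *path)
{
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* 1 if the executable at `path` matches a deny rule, 0 otherwise. */
int should_block(const char *path)
{
    const char *base = path_basename(path);
    for (const char *const *rule = kDenyBasenames; *rule != NULL; ++rule) {
        if (strcmp(base, *rule) == 0)
            return 1;
    }
    return 0;
}

/*
 * Apply the named "no Internet" profile to the *calling* process.
 * Returns 0 on success, -1 on failure or where the API does not exist.
 * The profile is inherited across exec, which is why the launcher calls
 * this in the child immediately before execv().
 */
int apply_no_internet_sandbox(void)
{
#ifdef __APPLE__
    char *errbuf = NULL;
    if (sandbox_init(kSBXProfileNoInternet, SANDBOX_NAMED, &errbuf) != 0) {
        fprintf(stderr, "sandbox_init failed: %s\n", errbuf ? errbuf : "unknown error");
        if (errbuf)
            sandbox_free_error(errbuf);
        return -1;
    }
    return 0;
#else
    return -1;   /* not an OS X build: the sandbox API is unavailable */
#endif
}

/*
 * Fork, sandbox the child if the rules say so, then exec argv[0].
 * Returns the child's exit status: 127 if exec failed, 126 if a matched
 * program could not be sandboxed (fail closed), -1 on fork/wait errors.
 */
int run_with_policy(char *const argv[])
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;

    if (pid == 0) {
        if (should_block(argv[0]) && apply_no_internet_sandbox() != 0)
            _exit(126);          /* refuse to launch unrestricted */
        execv(argv[0], argv);
        _exit(127);              /* exec failed */
    }

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s /path/to/program [args...]\n", argv[0]);
        return 2;
    }
    int rc = run_with_policy(argv + 1);
    printf("%s exited with status %d (%s)\n", argv[1], rc,
           should_block(argv[1]) ? "no-Internet sandbox" : "unrestricted");
    return rc < 0 ? 1 : rc;
}
```

Two limits worth keeping in mind: the profile only covers programs started through this launcher (it does nothing for applications already running or launched from the Finder), and it is all-or-nothing per process, so a per-connection prompt in the style of Little Snitch needs the system-wide kernel-extension route discussed in the later answer. Newer SDKs also mark sandbox_init as deprecated, so expect a warning when building against them.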
+1  A: 

The Application Firewall in Mac OS X 10.5 does something similar, but currently Apple only supports using it to allow/block specific applications from accepting incoming connections. This is done through a kernel extension, which is controlled through the daemon /usr/libexec/ApplicationFirewall/socketfilterfw, which in turn is configured using the Firewall Preferences pane.

mark4o
A: 

Sorry, the question doesn't make it clear if you want to write your own program to solve this need, or if you're simply asking if there's any program already out there to fill the same role.

If it's the latter, then Little Snitch does exactly what you ask. It will tell you which application is trying to access the outside Internet, and give you the option of whether to allow the access or to deny it based on a rule set. It's not fully automatic though.

Coxy
"Programmatically there must be a way to do this, whether it is by using some Mac OS X API or a Unix command; how can this be accomplished?" --- I thought that made it pretty clear.
Brock Woolf
Okay, I've updated my question to make it clearer for you.
Brock Woolf
+1  A: 

I realize this is a year late, but I was digging for something similar and came across what I think is the answer. Hopefully this could help someone else down the line.

Little Snitch appears to use Network Kernel Extensions to filter traffic coming into the system. I've validated this by discovering it installs a kernel extension on the box:

[~] kextstat
...
55 0 0x687000 0x2b000 0x2a000 at.obdev.nke.LittleSnitch (2.0.46) <7 6 5 4 2>
...

If you programmatically wish to prevent network access to another application, this seems to be your best bet. If you simply want to monitor network usage by other apps, however, you have other options, like libpcap.

avaynshtok
Yes, a year late. Seatbelt isn't the answer. This is exactly what I was looking for. Here, have a tick and a +1.
Brock Woolf