Struct Process

pub struct Process<'a> { /* private fields */ }

Available on macOS only.

Information related to a process.

Implementations

impl<'a> Process<'a>

pub const fn new(raw: &'a es_process_t, version: u32) -> Self

Create a new Process instance.

pub fn audit_token(&self) -> AuditToken

Audit token of the process.

pub fn ppid(&self) -> pid_t

Parent pid of the process.

Warning: It is recommended to instead use Self::parent_audit_token() when available.

pub fn original_ppid(&self) -> pid_t

Original ppid of the process.

pub fn group_id(&self) -> pid_t

Process group id the process belongs to.

pub fn session_id(&self) -> pid_t

Process session id the process belongs to.

pub fn codesigning_flags(&self) -> u32

Code signing flags of the process.

pub fn is_platform_binary(&self) -> bool

Indicates whether the process is a platform binary.

Note: A “platform binary” is a binary signed with Apple certificates.

Usage of is_platform_binary with Messages and EventExecs

If your application is looking to allow/deny AuthExec events, be sure to check EventExec::target(), not Message::process(), else you will get the wrong result, especially since pretty much all processes are lauched through xpcproxy, a platform binary.

pub fn is_es_client(&self) -> bool

Indicates this process has the Endpoint Security entitlement.

pub fn cdhash(&self) -> [u8; 20]

Code directory hash of the code signature associated with this process.

pub fn signing_id(&self) -> &'a OsStr

Signing id of the code signature associated with this process.

pub fn team_id(&self) -> &'a OsStr

Team id of the code signature associated with this process.

pub fn executable(&self) -> File<'a>

Executable file that is executing in this process.

pub fn tty(&self) -> Option<File<'a>>

Available on crate feature macos_10_15_1 only.

TTY associated to this process (if present) on version 2 and later, otherwise None.

pub fn start_time(&self) -> Option<SystemTime>

Available on crate feature macos_10_15_4 only.

Process start time on version 3 and later, otherwise None.

pub fn responsible_audit_token(&self) -> Option<AuditToken>

Available on crate feature macos_11_0_0 only.

Audit token of the process responsible for this process on version 4 and later, if any.

Warning: It may be the process itself in case there is no responsible process or the responsible process has already exited.

pub fn parent_audit_token(&self) -> Option<AuditToken>

Available on crate feature macos_11_0_0 only.

Audit token of the parent process on version 4 and later, otherwise None.

Trait Implementations

impl<'a> Debug for Process<'a>

fn fmt(&self, f: &mut Formatter<'_>) -> Result

Formats the value using the given formatter.

impl<'a> Hash for Process<'a>

fn hash<H: Hasher>(&self, state: &mut H)

Feeds this value into the given Hasher.

fn hash_slice<H>(data: &[Self], state: &mut H)

where H: Hasher, Self: Sized,

Feeds a slice of this type into the given Hasher.

impl<'a> PartialEq for Process<'a>

fn eq(&self, other: &Self) -> bool

Tests for self and other values to be equal, and is used by ==.

const fn ne(&self, other: &Rhs) -> bool

Tests for !=. The default implementation is almost always sufficient, and should not be overridden without very good reason.

impl<'a> Eq for Process<'a>

impl Send for Process<'_>