
Copilot AI commented Feb 7, 2026

ProxyBridge on macOS previously only supported exclusions by bundle identifier, which doesn't work for standalone binaries (e.g., DPI bypass tools like ciadpi). This prevented users from excluding local proxy processes, causing proxy loops.

Changes

  • Process identification: Extract executable path from NEFlowMetaData.sourceAppAuditToken using audit_token_to_pid() + proc_pidpath() from Darwin/libproc
  • Dual matching strategy: Try matching rules against executable path first, fall back to bundle ID for backward compatibility
  • Flow handlers: Modified handleTCPFlow() and handleUDPFlow() to extract both identifiers and use executable path for logging when available

Usage

Rules now support executable paths and process names in addition to bundle identifiers:

# Exclude by process name
Package Name: ciadpi
Action: DIRECT

# Exclude by full path
Package Name: /usr/local/bin/ciadpi
Action: DIRECT

# Traditional bundle ID (unchanged)
Package Name: com.google.Chrome
Action: PROXY

Implementation Notes

  • Gracefully handles proc_pidpath() failures (permissions, race conditions) by falling back to bundle ID matching
  • Audit token approach is more secure than direct PID usage (mitigates PID reuse attacks)
  • Pattern matching already supported wildcards (ciadpi*, *proxy, etc.) - no changes needed

Original prompt

This section details on the original issue you should resolve

<issue_title>[Feature]: Process-based exclude support (not bundle identifier)</issue_title>
<issue_description>### Platform

macOS

ProxyBridge Version

3.1.0

OS and Version

MacOS Ventura

Documentation

Code Review

  • I have gone through the code page

Describe the Feature

Hi,
I’m using ProxyBridge to route all system traffic through a SOCKS5 proxy.
The SOCKS5 proxy itself is provided by a DPI bypass tool called ciadpi.
ciadpi runs as a standalone binary (no app bundle) and creates a local SOCKS5 proxy.
To avoid a proxy loop, I need to exclude the ciadpi process itself from ProxyBridge.
Currently, exclusions seem to work only via app bundle identifiers, but this doesn’t help for standalone processes.
Is there a way to exclude traffic based on process name or PID?
If not, would you consider adding process-based exclusion to prevent this kind of loop scenario?
Thanks.

Additional Context

No response</issue_description>

<agent_instructions>NEAppProxyTCPFlow and NEAppProxyUDPFlow are used by the macOS application to get packet and neflowmetadata method used to get details from the packet and method sourceAppSigningIdentifier is used from neflowmetadata to get package name of the packet. There is no direct API that network extension can use to get the process name; only the package name is possible. </agent_instructions>

Comments on the Issue (you are @copilot in this section)

@Anof-cyber This is a restriction from Apple, not from the ProxyBridge application. The network extension cannot access PID or process name details. There are some workarounds that can be implemented, but they are not fully reliable and don't work all the time, so those methods are not added in ProxyBridge.

As of now, there is no way to add a proxy rule with a process name on macOS. I will try to figure out a few options, if anything can be implemented. I am not sure what the potential fix for this is, as the official Apple API doesn't allow this.
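
The dual matching strategy from the PR description above, sketched as an added example; it is not code from the pull request or from ProxyBridge. Assumptions: `fnmatch()` stands in for the project's wildcard matcher, "process name" means the last path component, the first matching rule wins, `exe_path` is `NULL` when the `proc_pidpath()` lookup fails, and the names `rule_t`, `decide` and `rule_matches` are hypothetical.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>

typedef enum { NO_MATCH, DIRECT, PROXY } action_t;
typedef struct { const char *pattern; action_t action; } rule_t;

/* Constructed rule set, copied from the Usage section above. */
static const rule_t PAGE_RULES[] = {
    { "ciadpi",                DIRECT },  /* process name */
    { "/usr/local/bin/ciadpi", DIRECT },  /* full path */
    { "com.google.Chrome",     PROXY  },  /* bundle ID */
};
/* Stricter variant: only the full-path exclusion. */
static const rule_t PATH_ONLY[] = { { "/usr/local/bin/ciadpi", DIRECT } };

/* Assumption: "process name" means the last component of the path. */
static const char *process_name(const char *path) {
    const char *slash = strrchr(path, '/');
    return slash ? slash + 1 : path;
}

/* exe_path is NULL when the path lookup failed; bundle_id may be NULL.
   fnmatch() stands in for the project's wildcard matcher. */
static int rule_matches(const rule_t *r, const char *exe_path, const char *bundle_id) {
    if (exe_path && (fnmatch(r->pattern, exe_path, 0) == 0 ||
                     fnmatch(r->pattern, process_name(exe_path), 0) == 0))
        return 1;
    /* Fallback keeps existing bundle-ID rules working. */
    return bundle_id && fnmatch(r->pattern, bundle_id, 0) == 0;
}

/* First matching rule wins (assumed); NO_MATCH leaves the default to the caller. */
action_t decide(const rule_t *rules, size_t n, const char *exe_path, const char *bundle_id) {
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&rules[i], exe_path, bundle_id))
            return rules[i].action;
    return NO_MATCH;
}

int main(void) {
    /* A name rule matches the binary in any directory; a path rule does not. */
    printf("%d %d\n", decide(PAGE_RULES, 3, "/tmp/ciadpi", NULL),
                      decide(PATH_ONLY, 1, "/tmp/ciadpi", NULL));
    /* Path lookup failed: the bundle-ID rule still applies. */
    printf("%d\n", decide(PAGE_RULES, 3, NULL, "com.google.Chrome"));
    return 0;
}
```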



Copilot AI and others added 3 commits February 7, 2026 14:34
Co-authored-by: Anof-cyber <39705906+Anof-cyber@users.noreply.github.com>
Co-authored-by: Anof-cyber <39705906+Anof-cyber@users.noreply.github.com>
…dant comment, simplify logic

Co-authored-by: Anof-cyber <39705906+Anof-cyber@users.noreply.github.com>

sonarqubecloud bot commented Feb 7, 2026

Copilot AI changed the title from "[WIP] Add process-based exclude support for ProxyBridge" to "Add process-based exclusion using executable path extraction from audit tokens" on Feb 7, 2026
Copilot AI requested a review from Anof-cyber February 7, 2026 14:39