Lists

Terms and Conditions
Lists hosted on this site
Email the Postmaster
Tips for posting to public mailing lists

Re: kqueue EVFILT_PROC and child process pid

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: kqueue EVFILT_PROC and child process pid

Subject: Re: kqueue EVFILT_PROC and child process pid
From: Rustam Muginov <email@hidden>
Date: Tue, 13 Oct 2009 20:39:40 +0400

Thank you for your advice, Terry. I had studied Kauth approach at the times of 10.4. I had got an impression that the only intercept possible is file access at vnode scope, and it only intercepts file open/read but not execute. Am i wrong in this assumption, and kauth does allow to intercept process execution?

Also, could you please tell a little more about MACF?

On Oct 12, 2009, at 10:40 PM, Terry Lambert wrote:

Yes.
The best answer is "don't need to do that in the first place". Other than a KEXT hooking kauth or MACF, you are not going to successfully interpose yourself in the creation of a new process. Even then, what you can do is intentionally limited.
-- Terry
On Oct 12, 2009, at 10:50 AM, Rustam Muginov <email@hidden> wrote:
Thank you for the hint, Terry.
But isnt' it a polling-like behavior?
On Oct 12, 2009, at 1:57 AM, Terry Lambert wrote:
There's popen of ps, which is much preferred to sysctl.
Other than that, we're not going to alert you on new process creation other than by return code if you are the creator, and at some point we might even take steps to make it hard for you to do so, like randomizing pids.
-- Terry
On Oct 11, 2009, at 1:01 PM, Dave Keck <email@hidden> wrote:
You cannot watch for all processes, only processes you created. After you fork, you can add a kqueue to watch for the new process' death, in lieu of waitpid() or a SIGCHLD signal. You cannot however sit there, watching for any random process' death. Mac OS X has no such mechanism, AFAIK.
kevents are perfectly capable of monitoring another, unrelated
process. It's become quite a hobby of mine, actually. :)
As far as getting the the new child's PID, I don't think it's possible using the kevent APIs from userland. (sys/event.h mentions "lower bits contain the PID of the child", but I think this is kernel-only.)

Of course you could always iterate over the process list checking each process' parent PID... there's probably a better way, though.


--
	Sincerely, Rustam Muginov

_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden


Follow-Ups:

Re: kqueue EVFILT_PROC and child process pid
From: Terry Lambert <email@hidden>


References:  
  >Re: kqueue EVFILT_PROC and child process pid (From: Ryan McGann <email@hidden>)
  >Re: kqueue EVFILT_PROC and child process pid (From: Dave Keck <email@hidden>)
  >Re: kqueue EVFILT_PROC and child process pid (From: Terry Lambert <email@hidden>)
  >Re: kqueue EVFILT_PROC and child process pid (From: Rustam Muginov <email@hidden>)
  >Re: kqueue EVFILT_PROC and child process pid (From: Terry Lambert <email@hidden>)




Prev by Date:
Re: How to manually register a symbol address in dyld?

Next by Date:
Re: kqueue EVFILT_PROC and child process pid

Previous by thread:
Re: kqueue EVFILT_PROC and child process pid

Next by thread:
Re: kqueue EVFILT_PROC and child process pid

Index(es):

Date
Thread