Deena,
There are a number of pitfalls here that you need to be aware of.
In particular, monitoring vnodes for read/write operations will not be effective, as there are (common) paths which can be used to place data into an open file that bypass these operations and which cannot be intercepted.
The KAUTH interfaces are an attempt to facilitate the sort of software you are building. There may be other alternatives worth considering. Avoid thinking that you should be trapping system call entrypoints; your software will not be reliable.
In general, you can only scan usefully at the following points:
- open (KAUTH_FILEOP_OPEN)
- last close (strictly, drop of last reference which is not handled by KAUTH) (KAUTH_FILEOP_CLOSE & KAUTH_FILEOP_CLOSE_MODIFIED)
If a file is open and writable, you must assume its contents are indeterminate. Note that any file may be opened for writing by root as long as the filesystem containing it is writable.
In general, for your product to be effective you must monitor files as they transition from a content-indeterminate state to a content-determinate state so that they can be checked, and you must prevent software that may be vulnerable (e.g. kernel execution of applications) from accessing files in a content-indeterminate or yet-unchecked state.
= Mike
On Aug 17, 2010, at 10:48 PM, Deena Awate wrote:
I am working on an antivirus project for Mac. We have taken the vnode-level file system activity monitor code from the Mac OS X Internals book as our guide. What we are trying to achieve is monitoring at the vnode scope. When a file operation takes place at the vnode level, the kernel will pass the filename to a user-mode application for scanning. Meanwhile the kernel needs to wait for the scanning to complete and look at the return value. The user-mode app will wake up the kernel once scanning is done and pass the scan result down to the kernel. Based on the scan result, the kernel then either allows or denies the request. So basically we want to achieve synchronous communication between the kernel extension and the user-mode application. We are newbies on Mac. We read the documentation, but it is confusing as to how we can create an event in user mode and pass it down to the kernel on which the kernel will wait. If you could point us to a sample piece of code or clear documentation on how we can achieve our objective, it would be great. Which are the synchronisation objects to be used in user mode, and which ones to use in user mode? Is this the right design? I have gone through posts on the forum but did not get how to achieve our objective.
Thanks,
--
The lyf so short, the craft so long to lerne -- Chaucer
--
True terror is to wake up one morning and discover that your high school class is running the country. -- Kurt Vonnegut
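The scan-point model in Mike's reply (check at open, check again at last close-modified, treat anything with a writable reference as indeterminate), as an added user-space simulation that is not code from the thread or from Apple; the per-path table stands in for per-vnode state, `scan()` is a constructed stand-in for the user-mode scanner round trip, and the KAUTH action names appear only in comments:

```c
#include <string.h>

/* Per-file content state, following the reply's "indeterminate" vs
 * "determinate" model. Added example, not code from the original thread. */
enum state { UNCHECKED, CLEAN, INFECTED, INDETERMINATE };
enum event { EV_OPEN_READ, EV_OPEN_WRITE, EV_CLOSE, EV_CLOSE_MODIFIED };

struct file_state { char path[64]; int writers; enum state st; };

#define MAX_FILES 8
static struct file_state table[MAX_FILES];
static int nfiles;

/* Find or create the tracking record for a path (stand-in for per-vnode data). */
static struct file_state *lookup(const char *path) {
    for (int i = 0; i < nfiles; i++)
        if (strcmp(table[i].path, path) == 0) return &table[i];
    if (nfiles == MAX_FILES) return NULL;
    struct file_state *f = &table[nfiles++];
    strncpy(f->path, path, sizeof f->path - 1);
    f->path[sizeof f->path - 1] = '\0';
    f->writers = 0;
    f->st = UNCHECKED;                      /* never scanned yet */
    return f;
}

/* Constructed stand-in for the synchronous user-mode scanner round trip. */
static enum state scan(const char *path) {
    return strstr(path, "eicar") ? INFECTED : CLEAN;
}

/* Handle one file operation; returns 1 to allow, 0 to deny, as a listener would. */
static int on_event(const char *path, enum event ev) {
    struct file_state *f = lookup(path);
    if (!f) return 0;                       /* cannot track it: fail closed */
    switch (ev) {
    case EV_OPEN_WRITE:                     /* writable ref: contents now unknowable */
        f->writers++; f->st = INDETERMINATE; return 1;
    case EV_OPEN_READ:                      /* KAUTH_FILEOP_OPEN: first scan point */
        if (f->writers > 0) return 0;       /* still indeterminate: keep it away */
        if (f->st == UNCHECKED) f->st = scan(path);
        return f->st == CLEAN;
    case EV_CLOSE_MODIFIED:                 /* last close with CLOSE_MODIFIED: second scan point */
        if (f->writers > 0 && --f->writers == 0) f->st = scan(path);
        return 1;
    case EV_CLOSE:                          /* last close, unmodified: recheck at next open */
        if (f->writers > 0 && --f->writers == 0) f->st = UNCHECKED;
        return 1;
    }
    return 0;
}
```

Note that with two writers open, one close-modified leaves the file indeterminate until the last writable reference is gone, which is the case the reply's "last close" caveat is about.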