Re: Process exit notification in a kext
  • Subject: Re: Process exit notification in a kext
  • From: Terry Lambert <email@hidden>
  • Date: Wed, 16 Jun 2010 14:55:53 -0700

On Jun 16, 2010, at 2:22 AM, Bogdan Harjoc wrote:
> I'm writing a kext that monitors processes based on their network traffic. One of the events I have to monitor is "process has exited". Kqueue offers a nice uniform way of doing this, but I don't see how it can be called from kernel code.
>
> My question is if kqueue can deliver events to a kext, or at least if one can start a kernel thread just for the purpose of waiting for events by calling kevent().

Generally speaking, the kernel, including any KEXTs you write, exists to provide services for processes. Processes do not exist to provide notifications or events to the kernel.


There are a small number of exceptions to this; in almost every case, they involve a risk of deadlock and/or blocking the kernel waiting for the process which is waiting for the kernel, which is blocked by the process. For this reason, the code paths are limited, and the processes involved in servicing the request generally run as root in order to be immune to triggering operations to themselves. The general utility in these cases is authorization requests for things like Antivirus software or directory services providing group membership information and/or translation between uid/gid values and UUIDs to store or retrieve values stored in the filesec_t structure used to implement ACLs in the extended attributes in the HFS+ file system.

The more correct model you should probably be looking at here is to report the activity up to a user space monitoring process, and have user space aggregate that activity with the process lifecycle events for the processes you are monitoring -- in other words, do your work in user space, and only do data gathering in kernel space.

-- Terry