posix_spawn() and the KAUTH_FILEOP_EXEC action (in KAUTHs' 'FILEOP' scope)
- Subject: posix_spawn() and the KAUTH_FILEOP_EXEC action (in KAUTHs' 'FILEOP' scope)
- From: Luigi Vampa <email@hidden>
- Date: Tue, 19 Jul 2016 10:29:32 +0300
(Reposting, with slight rephrasing, my post on a different forum...)
So it turns out the famous EXEC handler in KAUTH_SCOPE_FILEOP behaves very differently when called from execve() as opposed to being called from posix_spawn()...
When the KAUTH callback is called from the standard 'execve' case (the intuitive one), it is called from the child's process context.
But when the callback is triggered via 'posix_spawn()', it is called from the *parent* process context...
So the PID I get in the callback in the latter case is of the parent.
This means that if I want to do some proc/mem analysis from within this callback, I cannot do it if a process was created via posix_spawn().
In addition, there appears to be no handler (MAC, KAUTH or otherwise) which can be used to intercept a child process in such a way that I have time to do some analysis thereof...
This is a very surprising and (seemingly) inconsistent behavior of the callback. I wonder if this is by design...
Any ideas? At the very least, any ideas how to get the PID of the child process from the KAUTH callback after being called from posix_spawn()?
Tx.
Luigi