Also, could you please tell a little more about MACF?

On Oct 12, 2009, at 10:40 PM, Terry Lambert wrote:

Yes.

-- Terry

Thank you for the hint, Terry. But isn't it a polling-like behavior?

On Oct 12, 2009, at 1:57 AM, Terry Lambert wrote:

There's popen of ps, which is much preferred to sysctl.

-- Terry

On Oct 11, 2009, at 1:01 PM, Dave Keck <dave@docdave.com> wrote:

kevents are perfectly capable of monitoring another, unrelated process. It's become quite a hobby of mine, actually. :)

--
Sincerely,
Rustam Muginov

Darwin-dev mailing list (Darwin-dev@lists.apple.com)

Thank you for your advice, Terry. I had studied the Kauth approach at the time of 10.4. I had got the impression that the only intercept possible is file access at vnode scope, and it only intercepts file open/read but not execute.
Am I wrong in this assumption, and does kauth allow intercepting process execution?

The best answer is "don't need to do that in the first place". Other than a KEXT hooking kauth or MACF, you are not going to successfully interpose yourself in the creation of a new process. Even then, what you can do is intentionally limited.

On Oct 12, 2009, at 10:50 AM, Rustam Muginov <rmuginov@gmail.com> wrote:

Other than that, we're not going to alert you on new process creation other than by return code if you are the creator, and at some point we might even take steps to make it hard for you to do so, like randomizing pids.

You cannot watch for all processes, only processes you created. After you fork, you can add a kqueue to watch for the new process' death, in lieu of waitpid() or a SIGCHLD signal. You cannot however sit there, watching for any random process' death.

Mac OS X has no such mechanism, AFAIK.

As far as getting the new child's PID, I don't think it's possible using the kevent APIs from userland. (sys/event.h mentions "lower bits contain the PID of the child", but I think this is kernel-only.) Of course you could always iterate over the process list checking each process' parent PID... there's probably a better way, though.
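
The polling approach mentioned in the thread (run ps, then walk the process list comparing parent PIDs), as an added example that is not code from any of the posters: it diffs two snapshots and shows what polling cannot tell apart. The function names and the two sample snapshots are constructed for illustration, and Python stands in for a C popen() call.

```python
import subprocess

# Constructed sample output of `ps -ax -o pid= -o ppid= -o comm=` at two polls.
SNAP_T0 = """\
    1     0 /sbin/launchd
  210     1 /usr/sbin/syslogd
  412     1 /bin/bash
  977   412 /usr/bin/vim
"""
SNAP_T1 = """\
    1     0 /sbin/launchd
  210     1 /usr/sbin/syslogd
  412     1 /bin/bash
  977     1 /usr/bin/curl
 1033   412 /bin/sleep
"""

def parse_ps(text):
    """Parse ps output into {pid: (ppid, command)}, skipping malformed rows."""
    procs = {}
    for line in text.splitlines():
        parts = line.split(None, 2)
        if len(parts) == 3 and parts[0].isdigit() and parts[1].isdigit():
            procs[int(parts[0])] = (int(parts[1]), parts[2].strip())
    return procs

def live_snapshot():
    """The "popen of ps" step: one -o per column so each header is empty."""
    cmd = ["ps", "-ax", "-o", "pid=", "-o", "ppid=", "-o", "comm="]
    return parse_ps(subprocess.run(cmd, capture_output=True, text=True,
                                   check=True).stdout)

def diff(old, new):
    """Return (started, exited). A PID seen with a different command counts as
    both: polling cannot tell exec() from PID reuse, and a process that starts
    and exits between two polls never appears at all."""
    changed = lambda a, b, p: p not in b or b[p][1] != a[p][1]
    started = {p: v for p, v in new.items() if changed(new, old, p)}
    exited = {p: v for p, v in old.items() if changed(old, new, p)}
    return started, exited

def children_of(procs, parent_pid):
    """Walk the process list checking each entry's parent PID."""
    return sorted(p for p, (ppid, _) in procs.items() if ppid == parent_pid)

if __name__ == "__main__":
    old, new = parse_ps(SNAP_T0), parse_ps(SNAP_T1)
    print(diff(old, new), children_of(new, 412))
```
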