site_archiver@lists.apple.com Delivered-To: darwin-dev@lists.apple.com FYI Rustam: http://www.trustedbsd.org/mac.html (TrustedBSD website) and various white papers: http://www.trustedbsd.org/trustedbsd-usenix2003freenix.pdf http://www.trustedbsd.org/trustedbsd-discex3.pdf -stacey. On Oct 13, 2009, at 12:11 PM, Terry Lambert wrote: -- Terry _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/site_archiver%40lists.appl... For more information about MACF (Mandatory Access Control Framework) see the following: http://www.freebsd.org/doc/en/books/handbook/mac.html (FreeBSD's MAC document. The FreeBSD and Mac OS X implementations are very similar.) MACF is not KPI at present. You can use it if you are willing to link against the entire kernel and suffer changes on point releases until it's baked. The kauth exec stuff allows notification but not interception, though you could cheat at lookup, which has to be done to exec. On Oct 13, 2009, at 9:39 AM, Rustam Muginov <rmuginov@gmail.com> wrote: Thank you for your advice, Terry. I had studied Kauth approach at the times of 10.4. I had got an impression that the only intercept possible is file access at vnode scope, and it only intercepts file open/read but not execute. Am i wrong in this assumption, and kauth does allow to intercept process execution? Also, could you please tell a little more about MACF? This email sent to site_archiver@lists.apple.com