Re: What's eating gilbert pid? (kevent NOTE_FORK and pids question)
On Fri, Feb 19, 2010 at 2:52 PM, Terry Lambert <tlambert@apple.com> wrote:
> On Feb 19, 2010, at 9:45 AM, Derrick Brashear wrote:
>> I want to track forked children of a given pid. For the purpose of this discussion, I am userspace code (I could be kernelspace code if it helped)
>> [ ... ]
>> If I can really not have this, Launchd seems to use a sysctl to enumerate children on a fork:
>>     int mib[] = { CTL_KERN, KERN_PROC, KERN_PROC_ALL, j->p };
>> (KERN_PROC_PPID seems to not be implemented in xnu-1456.1.26)
>> Am I really reduced to this? It seems very likely to be racy.
>
> It is. It is also SPI (System Private Interface), subject to change on every software update (SPI can be thought of as a contract between system components which all agree to be updated in lock-step with each other when updates happen). Please do not use this sysctl.

Ok.

> A better way is to use ptrace (for some definition of "better"; it's still not a good idea to need to know this, and ptrace has its own issues). This is what gdb and other debuggers do. If you are denied the rights to do this via ptrace, it's probably because you aren't supposed to be doing it. If so, then you should expect that the sysctl-based enumeration will probably also deny you that right at some point in the future, so even if you can hack it so that it works now, it will probably break at some later date.

That's also not really "better". Alas, what I really want to do is track processes in some way such that marking a process causes that mark to be inherited by children, and allow the kernel to read the mark, and a process can cause itself to get a new mark which will be inherited to *its* future children, and it seems that's simply not possible:

- The MAC subsystem isn't supported (http://developer.apple.com/mac/library/qa/qa2007/qa1574.html)
- login contexts and audit sessions are one-per-process and owned by system software
- I'm insufficiently special to use a mach special port (there are 7)
- The kauth external cred resolver interface allows but a single resolver and I'm not memberd.

--
Derrick
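
Added example, not from the thread or from launchd: one concrete way that tracking descendants by scanning for parent pids loses a process. When an intermediate process goes away, its child is re-parented, so a later scan finds no parent-pid link back to the tracked pid. The names `lost_lineage` and `struct lineage` are hypothetical; only POSIX calls are used.

```c
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper types for this illustration. */
struct lineage {
    pid_t middle;      /* direct child of the tracker */
    pid_t ppid_before; /* grandchild's getppid() while middle is alive */
    pid_t ppid_after;  /* grandchild's getppid() once middle is gone */
};

/* Builds tracker -> middle -> grandchild, removes middle, and records
 * what the grandchild sees as its parent. Returns 0 on success. */
int lost_lineage(struct lineage *out)
{
    int report[2], go[2];
    char c = 0;

    if (pipe(report) < 0 || pipe(go) < 0) return -1;
    out->middle = fork();
    if (out->middle < 0) return -1;
    if (out->middle == 0) {                      /* middle process */
        pid_t gc = fork();
        if (gc < 0) _exit(1);
        if (gc > 0) for (;;) pause();            /* live until the tracker ends us */
        pid_t seen = getppid();                  /* grandchild from here on */
        if (write(report[1], &seen, sizeof seen) < 0) _exit(1);
        if (read(go[0], &c, 1) != 1) _exit(1);   /* wait until middle was reaped */
        seen = getppid();
        if (write(report[1], &seen, sizeof seen) < 0) _exit(1);
        _exit(0);
    }
    close(report[1]); close(go[0]);
    int ok = read(report[0], &out->ppid_before, sizeof(pid_t)) == sizeof(pid_t);
    kill(out->middle, SIGKILL);   /* stands in for a short-lived parent exiting */
    waitpid(out->middle, NULL, 0);
    ok = ok && write(go[1], &c, 1) == 1
            && read(report[0], &out->ppid_after, sizeof(pid_t)) == sizeof(pid_t);
    close(report[0]); close(go[1]);
    return ok ? 0 : -1;
}

int main(void)
{
    struct lineage l;
    if (lost_lineage(&l) != 0) return 1;
    printf("middle=%d ppid_before=%d ppid_after=%d\n", (int)l.middle, (int)l.ppid_before, (int)l.ppid_after);
    return 0;
}
```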