October 2018 - Darwin-kernel

Re: clonefile and kauth
by Craig Davison 24 Oct '18

24 Oct '18

site_archiver(a)lists.apple.com Delivered-To: Darwin-kernel(a)lists.apple.com Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cvcEcXMKPd+urUXBTlGYtM7ad1RccCGKGwPuZajOQxY=; b=veWEHs8sKuXHOKwxdJ0EAmKOl3BTBk9LPwRW4PY0glJepA0iAsR/3ULsPyTl/iMJx3 D1wdvTDvzD9G1hWy++/QMw43RK+pi8PqZTRUEtmGmXJaT4Yjz8DRZeg7014CXVgdOtPq JWe3uDSE8iqgRSiXZbo/q6XJhAEiAATDkO8kTbiBn40d1a0gYQ/O0gmwY4Tbd80ec2Ks mPpP7/Ij/o/zfS3rFWfd6YVaM2vhiO9fj45WXFIEyvNAwgeVWHSivkSbkfqIOjQn+f8b Z24q7x7BcRB/bW1cI/PxZV5UvrgbYOKKK+lZcs54xIIbUBCZia+YETrPSzWMhTBG+HBV nbrA== Thank you, Slava. That is very helpful -- Craig Davison On Wed, Oct 24, 2018 at 2:05 AM Slava Imameev <slava.imameev(a)gmail.com> wrote: > > Hi, > > Instead of a KAUTH_SCOPE_FILEOP callback you need a KAUTH_SCOPE_VNODE > callback. > Registered KAUTH_SCOPE_VNODE callbacks are called with KAUTH_VNODE_ADD_FILE > and KAUTH_VNODE_ADD_SUBDIRECTORY from the clonefile system call. > Though it is not possible to distinguish clonefile inside KAUTH callback from > operations with the same KAUTH_VNODE_* operations. > You either need to backtrace a callstack from KAUTH callback or use an > undocumented option of registering MAC vnode_check_clone callback. > > Regards, > Slava Imameev > > On Wed, Oct 24, 2018 at 10:40 AM Craig Davison <craig65535(a)gmail.com> wrote: >> >> Hello, >> >> Is there a way to monitor clonefile operations with the kauth kpi? I >> don't see any relevant KAUTH_FILEOP_* in sys/kauth.h. >> >> Thank you, >> -- >> Craig Davison >> _______________________________________________ >> Do not post admin requests to the list. They will be ignored. >> Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com) >> Help/Unsubscribe/Update your Subscription: >> https://lists.apple.com/mailman/options/darwin-kernel/slava.imameev%40gmail… >> >> This email sent to slava.imameev(a)gmail.com _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists… This email sent to site_archiver(a)lists.apple.com

1 0

Re: clonefile and kauth
by Slava Imameev 24 Oct '18

24 Oct '18

site_archiver(a)lists.apple.com Delivered-To: Darwin-kernel(a)lists.apple.com Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=FDbYAaMP4L3qAesQY8gubw691+yUsim6oBmR8bKOFa8=; b=PCKS3+ldlTmFBfBpMb/rU3TdRjwt37+ubv0uEaYPAEp0DAywy6WHunxNcXETiEu37S poAJkWJ5nnjhR2X6iTEIbjfIODKpXBW9cPONoYuEaGaLxYjBTiyj/rz/UCHD6WKH6YeX HDTS/nVWyJ27jHxj595dB3RVv1W4leIDtG0v7u9m9KOvI61IYtAMeZfKAORivpS6g8Lv t9i5lvRlKANrE+GmZuFiTVDHEr0BDD0vqjNtMYjety+m+G14Ceqq3Gm3qyUh91ZCGXjd vE/4fJQ/3Dj5rqz+lLX8Lxem13AJ21I6k7wO5l51xll3o3OrGzBMbIo8B68xiN7JrI5W EoOw== Hi, Instead of a KAUTH_SCOPE_FILEOP callback you need a KAUTH_SCOPE_VNODE callback. Registered KAUTH_SCOPE_VNODE callbacks are called with KAUTH_VNODE_ADD_FILE and KAUTH_VNODE_ADD_SUBDIRECTORY from the clonefile system call. Though it is not possible to distinguish clonefile inside KAUTH callback from operations with the same KAUTH_VNODE_* operations. You either need to backtrace a callstack from KAUTH callback or use an undocumented option of registering MAC vnode_check_clone callback. Regards, Slava Imameev On Wed, Oct 24, 2018 at 10:40 AM Craig Davison <craig65535(a)gmail.com> wrote: > Hello, > > Is there a way to monitor clonefile operations with the kauth kpi? I > don't see any relevant KAUTH_FILEOP_* in sys/kauth.h. > > Thank you, > -- > Craig Davison > _______________________________________________ > Do not post admin requests to the list. They will be ignored. > Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com) > Help/Unsubscribe/Update your Subscription: > > https://lists.apple.com/mailman/options/darwin-kernel/slava.imameev%40gmail… > > This email sent to slava.imameev(a)gmail.com > _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists… This email sent to site_archiver(a)lists.apple.com

1 0

clonefile and kauth
by Craig Davison 23 Oct '18

23 Oct '18

site_archiver(a)lists.apple.com Delivered-To: Darwin-kernel(a)lists.apple.com Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:from:date:message-id:subject:to; bh=DlHH5jvVqUPFzaAS727AlEQ4NU7uu/GrTiDLzTVcVBg=; b=Ms1LrbZ3KIg534N+4aq/3k4P2qr7HjUw5/WC32lSfkgdNbRRMZYTtKK1+NF3/hOEdR P3hWLr3CtP4olFzZ5wRlbR+ZYMgISqsNmhsZ5KqWxtFw0SniY3ZqIj9RVRSA471+mixg PED6XnDcSWYdZ/oBdLYscZYC2bq99JJgvLvARsBJ+LooqiiqC6vt1m475lI5uiX+lqrs 11719LwMsWaR+4ALpyde6VfrdzBy6l7/XsPLPW5wY66lvCDpIwfg0h/8i3EXSb18jdPY qwmBen8LP33yRgBEAkUABxNuQruX4qN6o8LQsdQrKrckrVRlKe0uT0fsjeMuMj0Eu7Z5 r1kg== Hello, Is there a way to monitor clonefile operations with the kauth kpi? I don't see any relevant KAUTH_FILEOP_* in sys/kauth.h. Thank you, -- Craig Davison _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel(a)lists.apple.com) Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists… This email sent to site_archiver(a)lists.apple.com

1 0