Hello,

in my current project I'm using Kauth for a security application. Part of the application deals with file operation checking and therefore uses KAUTH_SCOPE_VNODE. It is required for the application to know exactly when a specific process opened/closed a file.

For example, the file `foo.bar' may be accessed by many processes, each holding more than one file descriptor associated with the given file. It is therefore not enough to know the time a file was opened/closed, as it may relate to different processes and/or file descriptors within the process.

The only valid idea I could think of to distinguish between various instances of opened files is to relate each open session with the process ID and process FD associated with the file. To my knowledge, this is impossible within the VNODE scope, and I'm afraid there is no legal way to do it either (am I right?).

I'd be really thankful if someone could tell me if there is a way to achieve what I've specified, or alternatively another way to get the same result (either in kernel or user mode).

-- Terry

On Jul 22, 2008, at 5:59 AM, Jernej Azarija wrote:

You are correct. You will only get the KAUTH_FILEOP_CLOSE notification for the last close instance on a file, in which the fileglob is destroyed and the vnode_put() happens, releasing the vnode in question so that it can be reclaimed and reused by the system. In general, fileglobs are typically shared between open instances resulting from dup, dup2, passing an fd to another process via a UNIX domain socket, or inheritance from the parent process by a child process.
Only when the last close happens does the last reference go away, so you get the notification. You will get to know when the last reference goes away, but nothing about any of the other references floating around, since in theory you secured your software which is passing them around, so it's not a problem, and if it becomes a problem, you will make sure that you don't pass it over an authorization scope boundary.

As Mike said, your only other option besides hacking and building your own kernel (not recommended) is library interposition in user space.

The notifications by the kernel are intended to provide a KAUTH listener with the credential associated with the fileglob at the time of the initial open -- which might not be the credential of the calling process, either because the process changed privilege level, or because the descriptor was handed to you by someone else. In addition, you get the KAUTH_FILEOP_CLOSE notification, the f_data field from the struct fileproc (which is a vnode or a socket or some other data, depending on the type of the descriptor), and the fileop_flags - indicating whether or not the file has been modified while it was open.

Basically, descriptors carry their rights from when they were created around with them. If you are a process with rights to a file and/or socket, you can create an open descriptor to it and hand it off to your children or to another process, or you can drop the privilege that allowed you to open the thing in the first place, without your rights to it getting revoked. This is an intentional part of how the UNIX privilege separation model works (though most people don't take advantage of it).
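A user-space illustration of the fileglob sharing described in the reply above, added here and not part of either message: on any POSIX system one open-file description (XNU's fileglob) sits behind the original descriptor, a dup() of it, and a forked child's inherited copy, so the file offset and status flags are shared and the file stays open until the last of those descriptors is closed, which is the only point a vnode-scope listener would see KAUTH_FILEOP_CLOSE. The scratch file and the function name are constructed for this example.

```c
#include <fcntl.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Exercises one open-file description (an XNU "fileglob") reached through
 * three descriptors: the original, a dup(), and a child's inherited copy.
 * Returns 1 if every observation matches the shared-description model from
 * the thread, 0 otherwise. Illustrative only; this is not Kauth API. */
int shared_description_demo(void)
{
    char path[] = "/tmp/fileglob-demo-XXXXXX";   /* constructed scratch file */
    int fd1 = mkstemp(path);
    if (fd1 < 0)
        return 0;
    unlink(path);                 /* the name is gone; the description lives on */

    if (write(fd1, "hello", 5) != 5)
        return 0;

    int fd2 = dup(fd1);           /* second descriptor, same description */
    /* The file offset belongs to the description, so fd2 already sits at 5. */
    int offset_shared = lseek(fd2, 0, SEEK_CUR) == 5;

    /* Status flags live in the description too: set O_APPEND via fd1, see it via fd2. */
    fcntl(fd1, F_SETFL, fcntl(fd1, F_GETFL) | O_APPEND);
    int flags_shared = (fcntl(fd2, F_GETFL) & O_APPEND) != 0;

    /* A child inherits fd1/fd2 and closes both; that is not the "last close". */
    pid_t pid = fork();
    if (pid == 0) {
        close(fd1);
        close(fd2);
        _exit(0);
    }
    int status = 0;
    if (pid < 0 || waitpid(pid, &status, 0) != pid)
        return 0;

    /* Closing fd1 in the parent leaves one reference: fd2 keeps working. */
    close(fd1);
    char buf[6] = {0};
    int still_open = lseek(fd2, 0, SEEK_SET) == 0 &&
                     read(fd2, buf, 5) == 5 &&
                     memcmp(buf, "hello", 5) == 0;

    close(fd2);                   /* the last close; only now is the description released */
    return offset_shared && flags_shared && still_open;
}
```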