site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com Dkim-signature: a=rsa-sha1; c=relaxed/relaxed; d=gmail.com; s=beta; h=domainkey-signature:received:received:from:to:cc:references:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:in-reply-to:x-mimeole; b=TpwvYhjCupdOq1cyHIL2ISTb6tnMBBMlF5iX3GrWqRevz05pfzxZv34UnH+Y03RIFZqS8m9PccO5ciKfSS468XXk0EQVWJpCfntAohHUOOC3Na7HM9B642xBPsgXs/5G7EbvwOBL6cyMDDY5R5Cy5BPA5v4oAx1ng5flTmZHobY= Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=beta; h=received:from:to:cc:references:subject:date:message-id:mime-version:content-type:content-transfer-encoding:x-mailer:thread-index:in-reply-to:x-mimeole; b=JGQeuynqcqzXjepuqDOnLluRs6f4KNxSa9+tS1xaWlq6wXUjRu/mKQ5sddmXyfiMd0GP4UPH1Whdm/eE2UGaHNENQWXI9V1zEO0xSkgIIEkMiZ2/2G5e9qR0+nCmtaIc2WB4ag7odCOtJPh8sZ2+PE08ajyiOdjLf+kS2y/xxYA= Thread-index: AcfV+Z674J0rc+qJTKKfpjncFqL+0QAmkzZQ On Aug 3, 2007, at 10:07 AM, Vishal Shetye wrote:

after going through several links like kauth (http://developer.apple.com/technotes/tn2005/tn2127.html ), KauthORama source, mac osx internals by amit singh, http://developer.apple.com/documentation/Darwin/Conceptual/KernelProgramming

and many mailing list discussions I find myself really confused.

My simple question is, with currently supported kpis is virus-scan application really feasible? It requires hooking of system calls, use kauth vnode scope, so far so good. But opening file for virus scan (low level open), denying access, such functions deal with file system structures.

No, they don't. They deal with you: (1) Exempting your virus scan daemon from such checks when it makes requests, by having it register its process with your KEXT (2) Your KEXT hooking the kauth hooks you are interested in, sending a message to user space, doing your work there (including calling back into the kernel and getting a "free pass""on scanining before the scanner is allowed to open the file) (3) You sending the result back to the KEXT as to whether the action should be allowed or denied (4) Your KEXT allowing/denying the kauth operation that started this chain of events. -- Terry This is something nobody should miss before designing. Actually I intend to hook open system call and scope suitable for me is VNODE. Although KAUTH_VNODE_READ_DATA suffice the purpose, how would I differentiate between open and read. And what about close()? What notification should I receive? _______________________________ - vishal shetye _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... This email sent to site_archiver@lists.apple.com