Thanks for the comments regarding Deleting a file in KEXT.

Anatol Pomozov: I looked at the VNOP_REMOVE. It appears that this function is not part of the kernel framework. I could only see some comments regarding VNOP_REMOVE in vnode_if.h, but no function declaration anywhere. It would be great if someone could provide a pointer on this so that I can explore some options.

Thanks in advance.

Regards,
Rupesh

-----Original Message-----
From: darwin-kernel-bounces+rupesh_khetawat=symantec.com@lists.apple.com [mailto:darwin-kernel-bounces+rupesh_khetawat=symantec.com@lists.apple.com] On Behalf Of darwin-kernel-request@lists.apple.com
Sent: 12 April 2012 AM 12:30
To: darwin-kernel@lists.apple.com
Subject: Darwin-kernel Digest, Vol 9, Issue 32

Today's Topics:

   1. Re: Deleting a file in KEXT (Anatol Pomozov)
   2. monitoring syscalls (me)

----------------------------------------------------------------------

Message: 1
Date: Tue, 10 Apr 2012 13:49:47 -0700
From: Anatol Pomozov <anatol.pomozov@gmail.com>
To: Rupesh Khetawat <Rupesh_Khetawat@symantec.com>
Cc: "darwin-kernel@lists.apple.com" <darwin-kernel@lists.apple.com>
Subject: Re: Deleting a file in KEXT
Message-ID: <CAOMFOmUDA3zKTSwq28XxrKy250RgaTxKLuWTUwPo84iX3c68Cw@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8

Hi

On Mon, Apr 9, 2012 at 6:38 AM, Rupesh Khetawat <Rupesh_Khetawat@symantec.com> wrote:
> Is there any way a file can be deleted in KEXT?
> I have written a KEXT where a file scope listener is registered with kauth. I am trying to delete certain files when the action is close with modified flag. I looked at the documentation, but did not find anything about deleting a file in kernel mode.
> Can someone throw some light on this?

In kernel you do not have access to POSIX functions such as unlink(). I believe the only way to achieve the goal is to use VNOP operations directly. In your case this will be VNOP_REMOVE.

Here is an example from XNU that removes a file:
https://github.com/anatol/xnu/blob/master/bsd/vfs/vfs_xattr.c#L529

------------------------------

Message: 2
Date: Tue, 10 Apr 2012 14:06:21 -0700
From: me <kernelkangaroo@gmail.com>
To: darwin-kernel@lists.apple.com
Subject: monitoring syscalls
Message-ID: <B1B549EF-2137-47B3-ACA5-F0A9D1988F5D@gmail.com>
Content-Type: text/plain; charset=us-ascii

Can anyone point me to documentation for observing syscalls from the kernel? I am currently using a KAUTH VNODE listener scope to look for file opens, but I would like to be able to know which files are being read from as they are read. I could use dtrace, but I would prefer to use system calls as opposed to another process.

thanks,
Trip