site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from:to :subject:cc:in-reply-to:mime-version:content-type :content-transfer-encoding:content-disposition:references; bh=puEdXtn716PBgsY3dPJnTDyDUKphsLgmBGGXFzRSFwE=; b=jAG616hMYnC/agMms8bEkETqRrXaDHe1vR6/MEeoE4QcL2mYP26KlkbUDAxqBYO14I TUCd9UDo3Z0H0ssdNttn3ajDm/N6GKt1l/EN/4qsrfIRtD2utVwkQ4gUxB2hq5d78YvZ XgkVXSHiKTmX/PNkMVQO12Ex7B6rNqd/UMbvI= Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:to:subject:cc:in-reply-to:mime-version :content-type:content-transfer-encoding:content-disposition :references; b=NvJt0uJBUIwKAAEiUv73YwcS6seMOvA+oW1hgxjR9niHao1YMqEL3PK7vgt6PpsiPT xixioW5pTOV3F3iszO6h91BKs3Kb8Risjv9/nZZybgQU5bjItWGJz8TxrhaAFFSG3ypu GXjBePtvKFmwTKiY9IPXR/numfgtBb7XWX+VI= take a look unto launchd On Fri, Oct 10, 2008 at 2:24 PM, Todd Heberlein <todd_heberlein@mac.com> wrote:

Apple recently updated its BSM audit trail for Leopard (i.e., made it work), but there is one thing that I find strange that maybe someone can help me with: When launching an application from the dock (or finder), there is no exec() system call. Does Apple launch its application by some other means?

For example, clicking on Safari on the dock (and with all audit records turned on), there is no exec() or equivalent system call in the audit trail. However, the binary file is read() in. For example, there is a

stat() /Applications/Safari.app/Contents/MacOS/Safari open() /Applications/Safari.app/Contents/MacOS/Safari close() /Applications/Safari.app/Contents/MacOS/Safari

but no exec() type operation on the file.

Is this because, despite the "all" flag set for audit, the appropriate exec() actually is *not* audited? Can the open() for reading somehow be doing the exec()?

If I launch the application in a shell by typing in the full path above in the , I do see an exec system call. Anyone know what the story is? Should I file a bug report with Apple?

Thanks,

Todd

_______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/openspecies%40gmail.com

This email sent to openspecies@gmail.com

-- -mmw _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... This email sent to site_archiver@lists.apple.com