Re: Obtaining non-exported symbol from kernel on runtime (without the debug symbols)
On Sun, Dec 14, 2008 at 8:33 PM, Terry Lambert <tlambert@apple.com> wrote:
You file a bug report with DTS.
OK, thanks.
This is something we intentionally do not permit. A lot of antivirus vendors were doing this and it broke our locking model. So we provided KPI to let them intercept operations (that is called "kauth" and you can find documentation on <http://developer.apple.com>). If we change locking in the future, we won't break them again.
Problem with kauth is that AFAIK it only lets you return 'deny' or 'pass' results. If, say, you want to return an ENOENT or special errno to the syscall, it's not possible through kauth.
Most of the API used in unix_syscall isn't available in any KPI.
Yes. On purpose. I personally made the syscall table a private symbol.
The problem is that it's a hassle for legitimate developers. People trying to subvert the kernel might simply go and patch the IDT or do something far more complex. Plus a memory search will yield sysent's location easily.
That leaves us with either patching its code at runtime (a hack, which apparently isn't possible because that region isn't writable; I'm not sure why kernel TEXT wouldn't be writable except for security reasons, I guess) or forgetting about implementing anything around it.
We're mildly clever that way.
I was hoping we could vm_map_mprotect or the like the kernel text temporarily. Do you know if this is feasible without resorting to a non-portable hack? John.
Participants (1): John D.