Get process path from kernel extension

Question

Created Sep ’19

Replies 3

Boosts 0

Views 1.7k

Participants 4

I'm using MAC policy API in one of my kernel extension. In file operation related callback functions, like mpo_vnode_check_open, I'd like to get the process's real path. I can use proc_selfpid() to get the PID, but I have no idea how to get process path from there.

The functionality I need is to check if a process is built-in system process or not. If I could get the process path, I'd compare it with some known ones(/bin, /sbin, /usr/bin, /usr/sbin, /usr/libexec, /System/Library, etc.). Could anybody show me some code on how to get process path? If possible, how to check if a process is from Apple? Thanks!

Boost

Answer 1

DTS Engineer OP

Apple

Sep ’19

I'm using MAC policy API in one of my kernel extension.

To be clear, the kernel’s MAC framework is not considered KPI. See QA1574 Kernel's MAC framework.

I have no idea how to get process path from [a pid].

There’s no good way to do this within the kernel. You’ll need to bounce out to user space, at which point you can use the code signing API to check your requirements. THis post discusses that side of things in some detail.

IMPORTANT Doing this is going to be slow, so you need to cache the results on the kernel side.

Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

0

Answer 2

marco.masser OP

Oct ’19

I don’t know what OS you’re targeting, but the (now deprecated) kauth APIs could help here. You can listen for vnode events and whenever you detect in the callback that a vnode is being executed you can get the path from the respective vnode using vn_getpath(). You’d have to cache that information for every process that launches and later you can look the paths up by PID.

0

Answer 3

Dennis Chen OP

Jun ’20

The drawback of this method is for those processes launched before your kext be loaded, you don't have the vnode of those processes, so even if you have their pid, you still can't use vn_getpath() to get the full path of those processes...

0