Endpoint Security and Vnode_lookup

Hi,

We have been using kauth_listen_scope with KAUTH_SCOPE_VNODE. We are planning to start implementing Endpoint Security. Earlier, as part of auth_allow, we were using certain parameters from the vnode structure to allow or deny an operation. What will be the alternative now in Endpoint Security? Or is it possible to have a kernel extension just to fetch the vnode of the file from the Endpoint Security application? Or is there a better way to proceed?

Also, is it possible to have a kext and a system extension as part of the same application?

Thanks

Or is it possible to have a kernel extension just to fetch the vnode
of the file from the endpoint security application?

No. ES is meant to act as a replacement for kauth.

we were using certain parameters from vnode structure to allow or deny
an operation.

What vnode structures specifically?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
We are looking at vnode_fsnode of the vnode, if that is what you are asking. We use this value to get the smb_node to check whether the offline bit is set or not. Any other alternative for this would be highly useful for us. We are blocking apps based on this value.

Since this value can only be fetched from the kernel, is it possible to have a kernel extension just for this purpose and do the blocking from the Endpoint Security side?

We use this value to get smb_node to check if the offline bit is set
or not.

I have to be clear that this has never been supported. vnode_fsnode is intended to be used by VFS plug-ins to hang their own data off a vnode. That data is private to the VFS plug-in. The smb_node type is not in the macOS SDK for a reason. Other code within the kernel is not supposed to be rummaging around in this private structure.

With regard to the offline bit, the last time I checked there was no API to get or set it. However, it’s been a while since I looked at this in depth.

Did you file an enhancement request for an offline bit API? If so, what was the bug number?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
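The following is an added example, not code from this thread or from Apple, sketching what the kauth vnode listener above looks like when moved to an Endpoint Security client, as the first reply recommends. It assumes a hypothetical policy hook, policy_allows_path, and a constructed blocked path prefix (/Volumes/corp-share/restricted/) standing in for the poster's decision logic; because ES hands the client a path rather than a vnode, and there is no public API for the SMB offline bit (as the second reply notes), that check cannot be reproduced here and the hook decides on the path alone. The two event types show the detail that trips people up: AUTH_OPEN is answered with es_respond_flags_result (a mask of permitted open flags), while AUTH_EXEC and most other AUTH events are answered with es_respond_auth_result. Running it requires root, the com.apple.developer.endpoint-security.client entitlement, and Full Disk Access granted to the binary.

```objective-c
// es_vnode_policy.m: added example, not from the thread.
// Build (assumed command line):
//   clang -fobjc-arc -framework Foundation -lEndpointSecurity es_vnode_policy.m -o es_vnode_policy
// Must run as root with the com.apple.developer.endpoint-security.client entitlement.
#import <Foundation/Foundation.h>
#include <EndpointSecurity/EndpointSecurity.h>
#include <string.h>

// Constructed prefix used by the hypothetical policy hook below.
static const char *const kBlockedPrefix = "/Volumes/corp-share/restricted/";

// Hypothetical stand-in for the poster's kauth-era vnode check. ES gives us
// the path (an es_string_token_t, NOT NUL-terminated), not the vnode, so the
// decision is made from user-space-visible facts only. The SMB offline bit
// has no public API and is therefore not consulted here.
static bool policy_allows_path(const es_string_token_t *path) {
    size_t n = strlen(kBlockedPrefix);
    if (path->length >= n && strncmp(path->data, kBlockedPrefix, n) == 0) {
        return false;
    }
    return true;
}

static void handle_message(es_client_t *client, const es_message_t *msg) {
    switch (msg->event_type) {
        case ES_EVENT_TYPE_AUTH_OPEN: {
            // AUTH_OPEN is answered with es_respond_flags_result: return the
            // subset of the requested open flags you permit (0 == deny).
            const es_string_token_t *path = &msg->event.open.file->path;
            uint32_t allowed = policy_allows_path(path) ? msg->event.open.fflag : 0;
            es_respond_flags_result(client, msg, allowed, /*cache*/ false);
            break;
        }
        case ES_EVENT_TYPE_AUTH_EXEC: {
            // Executable launches use the plain allow/deny form.
            const es_string_token_t *path = &msg->event.exec.target->executable->path;
            es_auth_result_t r = policy_allows_path(path) ? ES_AUTH_RESULT_ALLOW
                                                          : ES_AUTH_RESULT_DENY;
            es_respond_auth_result(client, msg, r, /*cache*/ false);
            break;
        }
        default:
            // Not reachable with the subscription below. Any AUTH event you do
            // subscribe to must be answered before msg->deadline, or the
            // kernel terminates the client.
            break;
    }
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t res = es_new_client(&client,
        ^(es_client_t *c, const es_message_t *msg) {
            handle_message(c, msg);
        });
    if (res != ES_NEW_CLIENT_RESULT_SUCCESS) {
        // Typical causes: not root, missing ES entitlement, FDA not granted.
        NSLog(@"es_new_client failed: %d", (int)res);
        return 1;
    }

    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_EXEC };
    if (es_subscribe(client, events, sizeof(events) / sizeof(events[0])) != ES_RETURN_SUCCESS) {
        NSLog(@"es_subscribe failed");
        es_delete_client(client);
        return 1;
    }

    NSLog(@"ES policy client running; denying under %s", kBlockedPrefix);
    dispatch_main();  // handler block runs on ES's own queue
}
```

Note that the cache flag is passed as false in both responses so the policy is re-evaluated on every event; once a decision is stable for a given file, passing true lets the kernel stop asking, which matters for the AUTH_OPEN hot path.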