Finding out from which path a process was launched

I’m trying to find out in a kernel extension exactly what path was used to launch a process. What I mean is:


If I launch ping by typing either of the following commands in Terminal, I want to get “/sbin/ping”

$ ping
$ /sbin/ping


But if I do the following, I want to get the path “/foo/bar/my_ping” (a symlink):

$ ln -s /sbin/ping /foo/bar/my_ping
$ /foo/bar/my_ping


Note that all examples use the same executable on disk, i.e. “/sbin/ping”.


I tried registering for callbacks using kauth_listen_scope() in the scope “KAUTH_SCOPE_VNODE” and looking at the path when the callback is called with the action “KAUTH_VNODE_EXECUTE”, but since those are vnodes, that’s obviously too late and is always “/sbin/ping”.


I also tried the scope “KAUTH_SCOPE_FILEOP” and checking the path when the callback is called with the action “KAUTH_FILEOP_EXEC”, but that’s always “/sbin/ping”, too.


What else can I try?
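The following is an added illustration of the behaviour described in the question; it is not code from the original post. It recreates the setup from user space in a scratch directory (a real file standing in for /sbin/ping and a symlink standing in for /foo/bar/my_ping, both constructed on the fly under /tmp) and shows why a vnode-based hook only ever sees the target: lstat() can still tell that the typed path is a symlink, but realpath(), which follows links the way exec's path lookup does, yields the same canonical path for both. The struct and function names are my own.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#ifndef PATH_MAX
#define PATH_MAX 4096
#endif

/* What a user-space observer can learn about a "launch path": the string
 * that was typed, whether that string itself names a symlink, and the
 * canonical path of the file the kernel's name lookup ends up at. That
 * last one is the object a vnode-level exec callback reports. */
typedef struct {
    int  is_symlink;
    char typed[PATH_MAX];
    char resolved[PATH_MAX];
} launch_path;

/* Resolve `typed` the way exec's path lookup does: follow every symlink
 * and return the canonical path. Returns 0 on success, -1 on error. */
int resolve_launch_path(const char *typed, launch_path *out)
{
    struct stat st;
    memset(out, 0, sizeof *out);
    snprintf(out->typed, sizeof out->typed, "%s", typed);
    if (lstat(typed, &st) != 0)                 /* look at the link itself */
        return -1;
    out->is_symlink = S_ISLNK(st.st_mode);
    if (realpath(typed, out->resolved) == NULL) /* follows all links */
        return -1;
    return 0;
}

/* Recreate the question's setup in a constructed scratch directory:
 * `target` stands in for /sbin/ping, `linkpath` for /foo/bar/my_ping. */
int build_fixture(char *dir, size_t dlen, char *target, size_t tlen,
                  char *linkpath, size_t llen)
{
    char tmpl[] = "/tmp/launchpathXXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(dir, dlen, "%s", tmpl);
    snprintf(target, tlen, "%s/ping", dir);
    snprintf(linkpath, llen, "%s/my_ping", dir);
    int fd = open(target, O_CREAT | O_WRONLY, 0755);
    if (fd < 0) return -1;
    close(fd);
    return symlink(target, linkpath);           /* my_ping -> ping */
}

/* Returns 1 when the symlink and the real file resolve to the same
 * canonical path while only the link is flagged as a symlink: the
 * distinction is visible before lookup and gone once you hold the vnode. */
int symlink_collapses_to_target(void)
{
    char dir[PATH_MAX], target[PATH_MAX], linkpath[PATH_MAX];
    launch_path via_link, via_target;
    int ok = 0;

    if (build_fixture(dir, sizeof dir, target, sizeof target,
                      linkpath, sizeof linkpath) != 0)
        return 0;
    if (resolve_launch_path(linkpath, &via_link) == 0 &&
        resolve_launch_path(target, &via_target) == 0) {
        int same_file = strcmp(via_link.resolved, via_target.resolved) == 0;
        int only_link_is_link = via_link.is_symlink && !via_target.is_symlink;
        ok = same_file && only_link_is_link;
    }
    unlink(linkpath);
    unlink(target);
    rmdir(dir);
    return ok;
}

int main(void)
{
    char dir[PATH_MAX], target[PATH_MAX], linkpath[PATH_MAX];
    launch_path lp;
    if (build_fixture(dir, sizeof dir, target, sizeof target,
                      linkpath, sizeof linkpath) != 0)
        return 1;
    if (resolve_launch_path(linkpath, &lp) == 0)
        printf("typed: %s\nsymlink: %d\nresolved (what the vnode is): %s\n",
               lp.typed, lp.is_symlink, lp.resolved);
    unlink(linkpath); unlink(target); rmdir(dir);
    return 0;
}
```

The only place the typed string survives is in user space (for a shell, argv[0] and the command line); by the time the kernel has a vnode to hand to a kauth listener, the symlink has already been followed.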

Replies

I don’t think you’ll be able to do this from kernel space. I recommend you bounce out to user space, at which point you can use the code signing API (<Security/SecCode.h>) to get real information about the code’s identity.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"