I’m trying to find out in a kernel extension exactly what path was used to launch a process. What I mean is:
If I launch ping by typing either of the following commands in Terminal, I want to get “/sbin/ping”
$ ping
$ /sbin/ping
But if I do the following, I want to get the path “/foo/bar/my_ping” (a symlink):
$ ln -s /sbin/ping /foo/bar/my_ping
$ /foo/bar/my_ping
Note that all examples use the same executable on disk, i.e. “/sbin/ping”.
I tried registering for callbacks using kauth_listen_scope() in the scope “KAUTH_SCOPE_VNODE” and looking at the path when the callback is called with the action “KAUTH_VNODE_EXECUTE”, but since those are vnodes, that’s obviously too late and is always “/sbin/ping”.
I also tried the scope “KAUTH_SCOPE_FILEOP” and checking the path when the callback is called with the action “KAUTH_FILEOP_EXEC”, but that’s always “/sbin/ping”, too.
What else can I try?
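
A user-space illustration of why the vnode-based callbacks described above report the target path, added here as an example and not part of the original post: both names lead to one file object, so a path rebuilt from that object cannot contain the symlink name. The fixture files `real_tool` (standing in for /sbin/ping) and `my_tool` (standing in for /foo/bar/my_ping), and the function `compare_launch_paths`, are constructed for this example.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of comparing the name that was typed with the object it names. */
struct launch_view {
    int same_object;     /* stat() of both names yields one (dev, inode) pair */
    int link_is_symlink; /* lstat() still sees the link itself */
    int resolved_equal;  /* object-derived path is identical for both names */
    int typed_differs;   /* the typed string is not the resolved path */
};

/* Builds a constructed fixture in a fresh temp directory:
 * <tmp>/real_tool is the executable, <tmp>/my_tool is a symlink to it.
 * Returns 0 on success and fills *out; cleans up the fixture either way. */
int compare_launch_paths(struct launch_view *out)
{
    char dir[] = "/tmp/launchpath.XXXXXX";
    char target[PATH_MAX], alias[PATH_MAX], rt[PATH_MAX], ra[PATH_MAX];
    struct stat st_t, st_a, lst_a;
    int rc = -1;
    FILE *f;

    if (!mkdtemp(dir)) return -1;
    snprintf(target, sizeof target, "%s/real_tool", dir);
    snprintf(alias, sizeof alias, "%s/my_tool", dir);
    if (!(f = fopen(target, "w"))) goto done;
    fclose(f);
    if (symlink(target, alias) != 0) goto done;
    /* stat() follows the link, lstat() does not. */
    if (stat(target, &st_t) || stat(alias, &st_a) || lstat(alias, &lst_a)) goto done;
    /* realpath() plays the role of a path derived from the file object. */
    if (!realpath(target, rt) || !realpath(alias, ra)) goto done;

    out->same_object = st_t.st_dev == st_a.st_dev && st_t.st_ino == st_a.st_ino;
    out->link_is_symlink = S_ISLNK(lst_a.st_mode) != 0;
    out->resolved_equal = strcmp(rt, ra) == 0;
    out->typed_differs = strcmp(alias, ra) != 0;
    rc = 0;
done:
    unlink(alias); unlink(target); rmdir(dir);
    return rc;
}
```

All four fields come back as 1: the typed name is only recoverable from the original string, not from the object both names resolve to.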