We include the <sys/proc_internal.h> in our kext, but the build process complains that:
"Field has incomplete type 'struct klist' " for the struct proc{ ... }
Does anybody knows where the definition of 'struct klist' is?
Regards,
Dennis
We include the <sys/proc_internal.h> in our kext, but the build process complains that:
"Field has incomplete type 'struct klist' " for the struct proc{ ... }
Does anybody knows where the definition of 'struct klist' is?
Regards,
Dennis
Found this, if that may help, with struct proc definition.
includes may give the searched info ?
https://opensource.apple.com/source/xnu/xnu-201/bsd/sys/proc.h.auto.html
The struct proc there doesn't have the struct klist member, we want to use that struct in our kext, but when we include the 'proc_internal.h' in our source code, we can't find the struct klist definition: https://github.com/apple/darwin-xnu/blob/master/bsd/sys/proc_internal.h#L346
Actually we have lck_mtx_t member variable definition issue either, but we can find its implementation when searching xnu source code, only struct klist is an exceptional...
We include the
in our kext …<sys/proc_internal.h>
What’s you’re high-level goal here? The contents of
<sys/proc_internal.h>
are… well… internal, and thus aren’t available as part of any KPI. Thus you won’t be able to use them in any KEXT that you intend to ship to real users.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Ah, we'd like to hook the process creation via the mac_cred_check_label_update_execve, meaning when a process created in the system our implementation of mac_cred_check_label_update_execve will be invoked, in that implementation we want to get some process relevant information from the passed struct proc *p , such as the {session id, tty, process group...} which can't be fetched directly from the public KPIs..., so we copy the proc_internal.h to the xcode SDK and want to figure out the actual struct proc layout of the memory block pointered by the struct proc *p passed.
That's the story, any suggestion about that?
The kernel’s MAC framework is not KPI:
QA1574 Kernel's MAC framework specifically calls that out.
QA1575 Supported KPIs offers some general advice on how to determine whether something is a supported KPI.
So, are you planning to ship this to real users? Or are you just experimenting? If it’s the former, you need to step back and rethink your entire approach.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
Thanks eskimo, that's be very helpful. I am just experimenting and see if we can get something about proc. So the thing should be like:
After the xcode installed, we need to check the SDK header to see if that function is a KPI ($(xcrun -sdk macosx -show-sdk-path)/System/Library/Frameworks/Kernel.framework/Headers).
BTW, where is the FindKPI.py after googled? It will be better if you can point me to that 🙂
where is the FindKPI.py
It was originally attached to QA1575, but somewhere in the ‘evolution’ of our documentation publishing system it got dropped. Sorry about that.
I’ve pasted the code in below. It hasn’t been updated in a while (go Python 2.5!) but it still meets my needs. However, I encourage you to use
kextlibs
, which ships with the system and thus gets updated as the system evolves.
Share and Enjoy
—
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
#! /usr/bin/python
import sys
import os
import subprocess # requires Python 2.5
import plistlib
def addExportedSymbols(symDict, kextPath):
infoPlist = plistlib.readPlist(os.path.join(kextPath, "Info.plist"))
if infoPlist.has_key('CFBundleExecutable'):
bundleID = infoPlist['CFBundleIdentifier']
imagePath = os.path.join(kextPath, infoPlist['CFBundleExecutable'])
symbols = subprocess.Popen(
["nm", "-j", imagePath],
stdout=subprocess.PIPE
).communicate()[0].split("\n")
for sym in symbols:
if sym != "":
assert not symDict.has_key(sym)
symDict[sym] = bundleID
def getSymbolsForExtensions():
kextDir = "/System/Library/Extensions/System.kext/PlugIns"
symDict = {}
for kextName in os.listdir(kextDir):
# Don't consider certain KEXTs. Specifically exclude the
# Unsupported and MACFramework KEXTs. Also, ignore any
# "6.0" KEXTs, which are present for compatibility only.
if ( kextName not in ("Unsupported.kext", "MACFramework.kext")
and not os.path.splitext(kextName)[0].endswith("6.0") ):
addExportedSymbols(symDict, os.path.join(kextDir, kextName))
return symDict
if len(sys.argv) < 2:
print >> sys.stderr, "usage: %s name..." % os.path.basename(sys.argv[0])
print >> sys.stderr, " where name is either a C function name or a C++ class name"
sys.exit(1)
else:
symDict = getSymbolsForExtensions()
for arg in sys.argv[1:]:
sym = "_" + arg
if sym in symDict:
id = symDict[sym]
else:
sym = "__ZTV%d%s" % (len(arg), arg)
if sym in symDict:
id = symDict[sym]
else:
id = "*** not found ***"
print "%s %s" % (arg, id)
That's really convinent for me interms of the kext development, thanks eskimo 🙂 !