2 Replies
      Latest reply on Oct 10, 2019 4:41 AM by marco.masser
liang.zhou Level 1 (0 points)

I'm using the MAC policy API in one of my kernel extensions. In file operation related callback functions, like mpo_vnode_check_open, I'd like to get the process's real path. I can use proc_selfpid() to get the PID, but I have no idea how to get the process path from there.

The functionality I need is to check if a process is a built-in system process or not. If I could get the process path, I'd compare it with some known ones (/bin, /sbin, /usr/bin, /usr/sbin, /usr/libexec, /System/Library, etc.). Could anybody show me some code on how to get the process path? If possible, how to check if a process is from Apple? Thanks!

        • Re: Get process path from kernel extension
eskimo Apple Staff (12,095 points)

          I'm using MAC policy API in one of my kernel extension.

          To be clear, the kernel’s MAC framework is not considered KPI.  See QA1574 Kernel's MAC framework.

          I have no idea how to get process path from [a pid].

There’s no good way to do this within the kernel.  You’ll need to bounce out to user space, at which point you can use the code signing API to check your requirements.  This post discusses that side of things in some detail.

          IMPORTANT Doing this is going to be slow, so you need to cache the results on the kernel side.

          Share and Enjoy

          Quinn “The Eskimo!”
          Apple Developer Relations, Developer Technical Support, Core OS/Hardware
          let myEmail = "eskimo" + "1" + "@apple.com"

          • Re: Get process path from kernel extension
marco.masser Level 1 (0 points)

            I don’t know what OS you’re targeting, but the (now deprecated) kauth APIs could help here. You can listen for vnode events and whenever you detect in the callback that a vnode is being executed you can get the path from the respective vnode using vn_getpath(). You’d have to cache that information for every process that launches and later you can look the paths up by PID.
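The two answers above converge on the same shape: record the executable path once per process (from vn_getpath() in a kauth vnode listener at exec time, or from a user-space code-signing check whose verdict is cached) and look it up by PID later from callbacks such as mpo_vnode_check_open. The following C program is an added example written for this thread, not code from the posters or from Apple. It shows the PID-to-path cache with fail-closed lookups and eviction on process exit, and the directory-allowlist comparison from the original question, written so that "/binary/tool" does not match "/bin". The kauth listener itself is not included, since it only compiles against the kernel headers; the exec and exit events below are constructed stand-ins, as are the PIDs and paths. The allowlist check is the weaker of the two approaches: it trusts the on-disk location, whereas the user-space code-signing check eskimo describes verifies the binary itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Directories the original post treats as "built-in system" locations. */
static const char *const kSystemPrefixes[] = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec", "/System/Library",
};

/* True when path lies inside one of the allow-listed directories.
 * The check insists on a '/' (or end of string) right after the prefix, so
 * "/binary/tool" does not match "/bin" and "/usr/binx/tool" does not match "/usr/bin". */
bool is_system_path(const char *path) {
    if (path == NULL || path[0] != '/') return false;   /* require an absolute path */
    for (size_t i = 0; i < sizeof kSystemPrefixes / sizeof kSystemPrefixes[0]; i++) {
        const char *pfx = kSystemPrefixes[i];
        size_t n = strlen(pfx);
        if (strncmp(path, pfx, n) == 0 && (path[n] == '/' || path[n] == '\0'))
            return true;
    }
    return false;
}

/* Fixed-size cache of pid -> executable path, populated at exec time and
 * consulted from file-operation callbacks. Constructed for this example: a real
 * kext would guard it with a lock and size it for the process table.
 * On a slot collision the newer pid wins and the older one simply misses. */
#define CACHE_SLOTS 64
#define PATH_MAX_LEN 1024

struct cache_entry { pid_t pid; bool valid; char path[PATH_MAX_LEN]; };
static struct cache_entry g_cache[CACHE_SLOTS];

static struct cache_entry *slot_for(pid_t pid) { return &g_cache[(unsigned)pid % CACHE_SLOTS]; }

/* Record the executable path for pid; this is what a KAUTH_VNODE_EXECUTE listener
 * would do with the buffer filled by vn_getpath(). Returns false if the path does not fit. */
bool cache_exec_path(pid_t pid, const char *path) {
    if (path == NULL || strlen(path) >= PATH_MAX_LEN) return false;
    struct cache_entry *e = slot_for(pid);
    e->pid = pid;
    e->valid = true;
    memcpy(e->path, path, strlen(path) + 1);   /* length checked above, terminator included */
    return true;
}

/* Drop the entry when the process exits, so a reused pid cannot inherit a stale path. */
void cache_forget(pid_t pid) {
    struct cache_entry *e = slot_for(pid);
    if (e->valid && e->pid == pid) e->valid = false;
}

/* Cached path for pid, or NULL when unknown. Unknown is treated as "not a system process". */
const char *cached_exec_path(pid_t pid) {
    struct cache_entry *e = slot_for(pid);
    return (e->valid && e->pid == pid) ? e->path : NULL;
}

/* The check a callback such as mpo_vnode_check_open would call with proc_selfpid(). */
bool pid_is_system_process(pid_t pid) {
    const char *p = cached_exec_path(pid);
    return p != NULL && is_system_path(p);
}

int main(void) {
    /* Constructed exec events standing in for the kauth callbacks. */
    cache_exec_path(101, "/usr/bin/ls");
    cache_exec_path(202, "/Users/alice/Downloads/tool");
    cache_exec_path(303, "/binary/notreally");
    printf("pid 101 system? %d\n", pid_is_system_process(101));
    printf("pid 202 system? %d\n", pid_is_system_process(202));
    printf("pid 303 system? %d\n", pid_is_system_process(303));
    cache_forget(101);   /* process exit */
    printf("pid 101 after exit? %d\n", pid_is_system_process(101));
    return 0;
}
```

The lookup compares the stored pid as well as the slot, so a collision or a reused pid never returns another process's path; the caller gets NULL and should treat the process as untrusted rather than guess.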