I'm using MAC policy API in one of my kernel extensions.
To be clear, the kernel’s MAC framework is not considered KPI. See QA1574 Kernel's MAC framework.
I have no idea how to get process path from [a pid].
There’s no good way to do this within the kernel. You’ll need to bounce out to user space, at which point you can use the code signing API to check your requirements. This post discusses that side of things in some detail.
IMPORTANT: Doing this is going to be slow, so you need to cache the results on the kernel side.
Share and Enjoy
Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware
let myEmail = "eskimo" + "1" + "@apple.com"
I don’t know what OS you’re targeting, but the (now deprecated) kauth APIs could help here. You can listen for vnode events and whenever you detect in the callback that a vnode is being executed you can get the path from the respective vnode using vn_getpath(). You’d have to cache that information for every process that launches and later you can look the paths up by PID.
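A user-space C model of the PID-to-path cache described in the reply above, added here as an example and not code from the thread or from Apple. The function names, table size and path limit are assumptions; in a kext the record call would follow `vn_getpath()` in the execute callback, and the table would need a lock.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

#define CACHE_SLOTS 256   /* assumed capacity (power of two) */
#define PATH_CAP    1024  /* assumed longest path kept */
struct exec_entry { int used; pid_t pid; char path[PATH_CAP]; };
static struct exec_entry cache[CACHE_SLOTS];

/* Probe all slots from pid's home slot: pid's entry, else first free slot, else NULL. */
static struct exec_entry *find_slot(pid_t pid) {
    struct exec_entry *free_slot = NULL;
    for (unsigned i = 0; i < CACHE_SLOTS; i++) {
        struct exec_entry *e = &cache[((unsigned)pid + i) & (CACHE_SLOTS - 1)];
        if (e->used && e->pid == pid) return e;
        if (!e->used && !free_slot) free_slot = e;
    }
    return free_slot;
}

/* Record the image path for pid. A later exec in the same pid overwrites the
 * old path; an over-long path drops the entry rather than leaving a stale one. */
int exec_cache_record(pid_t pid, const char *path) {
    struct exec_entry *e = find_slot(pid);
    if (!e) return -1;                      /* table full: caller has no answer */
    if (strlen(path) >= PATH_CAP) { e->used = 0; return -1; }
    strcpy(e->path, path);
    e->pid = pid; e->used = 1;
    return 0;
}

/* Returns the cached path, or NULL when pid is unknown. */
const char *exec_cache_lookup(pid_t pid) {
    struct exec_entry *e = find_slot(pid);
    return (e && e->used) ? e->path : NULL;
}

/* Drop the entry once the process is gone, so a reused pid cannot inherit it. */
void exec_cache_forget(pid_t pid) {
    struct exec_entry *e = find_slot(pid);
    if (e) e->used = 0;
}

int main(void) {
    exec_cache_record(501, "/usr/bin/ssh");   /* constructed sample values */
    exec_cache_record(501, "/bin/sh");        /* same pid execs a new image */
    printf("501 -> %s\n", exec_cache_lookup(501));
    return 0;
}
```

A `NULL` lookup means the process started before the listener was registered or the table was full, so a caller has to treat it as "unknown" rather than as a match.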