Get process path from kernel extension

I'm using the MAC policy API in one of my kernel extensions. In file-operation-related callback functions, like mpo_vnode_check_open, I'd like to get the process's real path. I can use proc_selfpid() to get the PID, but I have no idea how to get the process path from there.

The functionality I need is to check whether a process is a built-in system process or not. If I could get the process path, I'd compare it with some known ones (/bin, /sbin, /usr/bin, /usr/sbin, /usr/libexec, /System/Library, etc.). Could anybody show me some code on how to get the process path? If possible, how to check if a process is from Apple? Thanks!

Replies

I'm using MAC policy API in one of my kernel extension.

To be clear, the kernel’s MAC framework is not considered KPI. See QA1574 Kernel's MAC framework.

I have no idea how to get process path from [a pid].

There’s no good way to do this within the kernel. You’ll need to bounce out to user space, at which point you can use the code signing API to check your requirements. This post discusses that side of things in some detail.

IMPORTANT Doing this is going to be slow, so you need to cache the results on the kernel side.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

I don’t know what OS you’re targeting, but the (now deprecated) kauth APIs could help here. You can listen for vnode events and whenever you detect in the callback that a vnode is being executed you can get the path from the respective vnode using vn_getpath(). You’d have to cache that information for every process that launches and later you can look the paths up by PID.

The drawback of this method is that for processes launched before your kext is loaded, you don't have their vnodes, so even if you have their PIDs, you still can't use vn_getpath() to get their full paths...
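As an added illustration of the kauth-plus-cache approach from the reply above and the pre-load gap noted in the last reply (example code, not from anyone in the thread): a user-space C model of the PID-to-path cache and of the directory check the question describes. The KAUTH_FILEOP_EXEC/vn_getpath() plumbing is assumed and not shown, and the cache size, the cache_* names and the idea of an exit hook are assumptions of this example.

```c
/* Added user-space model of the kauth approach in this thread, not the replies'
 * code: a kext would call cache_record() from its KAUTH_FILEOP_EXEC listener
 * with the vn_getpath() result, and cache_forget() once the process is gone. */
#include <stdbool.h>
#include <string.h>
#include <sys/types.h>
#define CACHE_SIZE   8     /* tiny fixed table, enough for the illustration */
#define MAX_PATH_LEN 1024  /* MAXPATHLEN on macOS */
struct exec_entry { bool used; pid_t pid; char path[MAX_PATH_LEN]; };
static struct exec_entry cache[CACHE_SIZE];
/* A pid that execs again reuses its slot, so the newest image wins. */
bool cache_record(pid_t pid, const char *path)
{
    size_t len = strlen(path);
    if (len >= MAX_PATH_LEN) return false;
    struct exec_entry *slot = NULL;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (cache[i].used && cache[i].pid == pid) { slot = &cache[i]; break; }
        if (!cache[i].used && slot == NULL) slot = &cache[i];
    }
    if (slot == NULL) return false;                        /* table full */
    slot->used = true; slot->pid = pid;
    memcpy(slot->path, path, len + 1);
    return true;
}
/* Forget on exit, or a recycled pid would inherit the old process's path. */
void cache_forget(pid_t pid)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i].used && cache[i].pid == pid) cache[i].used = false;
}
/* NULL for a pid never seen, e.g. a process started before the kext loaded. */
const char *cache_lookup(pid_t pid)
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (cache[i].used && cache[i].pid == pid) return cache[i].path;
    return NULL;
}
/* Directories the question lists as "system". A bare prefix match would let
 * "/binary" pass as "/bin", so require a '/' right after the prefix. */
static const char *const system_dirs[] = {
    "/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/libexec", "/System/Library" };

bool is_system_path(const char *path)
{
    if (path == NULL) return false;                 /* unknown is not trusted */
    for (size_t i = 0; i < sizeof system_dirs / sizeof system_dirs[0]; i++) {
        size_t n = strlen(system_dirs[i]);
        if (strncmp(path, system_dirs[i], n) == 0 && path[n] == '/') return true;
    }
    return false;
}
```

A lookup miss for a process that predates the kext must be treated as unknown, which is why is_system_path(NULL) is false; as Quinn's reply points out, a path check is no substitute for the code-signing check done in user space.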