
posix_spawn and KAUTH_FILEOP_EXEC anomaly

Posted: Mon Jul 18, 2016 3:27 pm
by LuigiVampa
So it turns out the famous EXEC handler in KAUTH_SCOPE_FILEOP behaves very differently when called from execve() as opposed to being called from posix_spawn()...
In the former (proper and normal, for gds sake) case, it is called from the child's process context, but in the latter it is called from the parent's one... So the PID I get in the callback in the latter case is that of the parent (from reading posix_spawn()'s code it is actually clear why this is the case).
This means that if I want to do some proc/mem analysis from within this callback, I cannot do it if a process was created via posix_spawn().
In addition, there appears to be no handler (MAC, KAUTH or otherwise) which can be used to intercept a child process in such a way that I have time to do some analysis thereof...

Any ideas? At the very least, any ideas how to get the PID of the child process from the KAUTH callback after being called from posix_spawn()?