Page 1 of 1

Extract process "real" parent in case it called by launchd

PostPosted: Sun Jun 25, 2017 8:59 am
by adam81
Hi,

I'm working on an OSX tool that reveal the parent list of a selected process from the direct parent to its earliest ancestor (usually launchd).

However, this process chain may break if the examined process has indirectly spawned from launchd using events such as double clicking the bundle icon, or running the process from bash using command open. In these cases I'd like to see either bash or finder correspondingly.

Perhaps XPC messaging layer is the answer since I assume these events are passing to launchd through this mechanism. However, other available OSX frameworks are always welcome.

thanks,
Adam

Re: Extract process "real" parent in case it called by launc

PostPosted: Sat Aug 26, 2017 8:12 pm
by GoBlueDev
Try:
xpc_object_t xpc_copy_bootstrap(void);

Re: Extract process "real" parent in case it called by launc

PostPosted: Sat Aug 26, 2017 8:53 pm
by morpheus
Not going to work - xpc_copy_bootstrap will only get your own PID. The implementation (As you can see in jlaunchctl who launched) is

Code: Select all
   xpc_dictionary_set_uint64 (dict, "subsystem", 2);               // subsystem (3)
   xpc_dictionary_set_bool(dict, "self",1);                         // me
   xpc_dictionary_set_uint64(dict, "type",5);
   xpc_dictionary_set_uint64(dict, "handle",getpid());   // pid
   xpc_dictionary_set_uint64(dict, "routine", 711);

The problem is, that you can set self = 0 and handle= whichever pid, which would actually work (like in who launched),
BUT as of I think 10.12(?) requires an entitlement (com.apple.xpc.launchd.something-i-forgot).

The workaround is to execvp launchctl procinfo ... and parse the output.