4

I'm maintaining an OSX tool that reveals the parent tree of a selected process, from the direct parent to its earliest ancestor (usually launchd).

However, this process chain may break if the examined process was indirectly spawned from launchd via events such as double-clicking the bundle icon, or running the process from bash using the open command. In these cases I'd like to see bash or Finder, respectively.

Perhaps the XPC messaging layer is the answer, since I assume these events are passed to launchd through this mechanism. However, other available OSX frameworks are always welcome.

EDIT:

I understand that if a process detaches itself while running I couldn't restore its ppid, but my goal is to trace the caller that initiated process creation.

thanks

Willeke
Zohar81
  • Not entirely sure what you're looking for, but if a process detaches itself, it has pid 1 (init) as its direct parent .... –  Jun 25 '17 at 08:52
  • I understand that I couldn't get the ppid when a process detaches itself in the middle of its life. But perhaps there's a way to trace the process caller while it's just spawned from a double-click event, by tracing the communication between Finder and launchd – Zohar81 Jun 25 '17 at 08:59

2 Answers

7

This feature is undocumented. It might break at any OS update.

#include <dlfcn.h>
#include <sys/types.h>

typedef pid_t (*pidResolver)(pid_t pid);

// Private symbol exported by libquarantine.dylib; it may disappear in any OS update.
pidResolver resolver = (pidResolver)dlsym(RTLD_NEXT, "responsibility_get_pid_responsible_for_pid");

// Guard against the symbol being missing; -1 signals "unknown".
pid_t trueParentPid = resolver ? resolver(pid) : -1;

a) this method is private

b) it needs root privileges

For example: if you launch Safari.app a new process named "Safari Networking" is also created. If you inspect this in Activity Monitor you'll only see a ppid of 1.

The above code snippet will return the pid of the Safari process, as seen when looking at "All Processes, Hierarchically", where "Safari Networking" is grouped under "Safari".

jaco0646
Frank Fenn
  • Hi and thanks for your contribution. It's indeed a great symbol and I wonder if you know how it works... does it send an XPC message to ask `launchd` about the parent process? If not, where is this parent/child connection located? – Zohar81 Feb 05 '19 at 12:20
  • The symbol comes from libquarantine.dylib, which calls out to Quarantine.kext in the kernel to copy this information out of the process. – saagarjha Jan 10 '21 at 14:16
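An added example, not code from this answer or from Apple: a small ancestry walker that takes the kernel's parent pid (sysctl on macOS; /proc on Linux, so it also builds elsewhere) and, when the kernel parent is launchd (pid 1), asks the private responsibility symbol above which process actually launched it. It assumes RTLD_DEFAULT instead of the answer's RTLD_NEXT, that pid 1 is launchd/init, and that the symbol returns the pid itself when no other process is responsible; off macOS the symbol is absent and the walker silently falls back to the kernel parent.

```c
#define _GNU_SOURCE
#include <dlfcn.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __APPLE__
#include <sys/sysctl.h>
#endif

typedef pid_t (*pidResolver)(pid_t);

/* Private Apple symbol from the answer above; -1 when absent (non-macOS, or removed). */
static pid_t responsible_pid(pid_t pid) {
    static pidResolver fn;
    if (!fn) fn = (pidResolver)dlsym(RTLD_DEFAULT, "responsibility_get_pid_responsible_for_pid");
    return fn ? fn(pid) : -1;
}

/* Kernel-reported parent pid (sysctl on macOS, /proc on Linux); -1 if pid is unknown. */
static pid_t parent_pid(pid_t pid) {
#ifdef __APPLE__
    struct kinfo_proc kp; size_t len = sizeof kp;
    int mib[4] = { CTL_KERN, KERN_PROC, KERN_PROC_PID, pid };
    if (sysctl(mib, 4, &kp, &len, NULL, 0) != 0 || len == 0) return -1;
    return kp.kp_eproc.e_ppid;
#else
    char path[64]; FILE *f; pid_t ppid = -1;
    snprintf(path, sizeof path, "/proc/%d/stat", (int)pid);
    if ((f = fopen(path, "r")) == NULL) return -1;
    /* /proc/<pid>/stat fields: pid (comm) state ppid ...; comm is parenthesised */
    if (fscanf(f, "%*d (%*[^)]) %*c %d", &ppid) != 1) ppid = -1;
    fclose(f);
    return ppid;
#endif
}

/* Walk from pid to its earliest ancestor, writing each ancestor into out[]. If the kernel
   parent is launchd (pid 1) but another process is "responsible" for pid, follow that one
   instead; this matches the grouping in Activity Monitor's "All Processes, Hierarchically". */
static int ancestry(pid_t pid, pid_t *out, int max) {
    int n = 0;
    while (pid > 1 && n < max) {
        pid_t ppid = parent_pid(pid);
        if (ppid < 0) break;                       /* process vanished or lookup failed */
        pid_t r = (ppid == 1) ? responsible_pid(pid) : -1;
        if (r > 1 && r != pid) ppid = r;           /* launchd is parent, but r owns it */
        out[n++] = pid = ppid;
    }
    return n;
}
```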
0

What you're seeing is correct behaviour.

When a user opens an application bundle from Finder, or by using the open command in the Terminal, Launch Services is responsible for executing the application.

When an application is introduced to OS X / macOS, it is registered with Launch Services, according to its bundle identifier, as declared in the bundle's Info.plist file.

When the user double-clicks or uses open in the Terminal, Launch Services receives the bundle identifier and launches the application that has previously been registered.

It should be noted that issues can occur if an application bundle's identifier is not unique. With two app bundles that have the same version and application identifier, Launch Services will execute the first application that it registered, but it may not be the one the user thinks they're running!

In contrast, if you use the Terminal to directly execute the binary within an application bundle, without the use of open, its parent will be the shell application used by Terminal. For example:

/Applications/Calculator.app/Contents/MacOS/Calculator
TheDarkKnight
  • Hi and thanks for replying to my question. I know it's the correct behavior, but I wonder if there's any way to trace the entity that initiated the process creation, whether it's a Finder double-click event or the 'open' command. – Zohar81 Jun 26 '17 at 16:32
  • From user mode, no. If you are really determined, I expect you could do it with a kernel extension, but this is way beyond an answer to a SO question. – TheDarkKnight Jun 27 '17 at 07:50
  • I'm willing to write a kext if necessary, but I thought the messaging to launchd doesn't go through the kernel, unless XPC goes through Mach messages... perhaps you can just give me some general guidelines for where to start? Thanks a lot – Zohar81 Jun 27 '17 at 12:26
  • As launchd is handling it, I expect it to be XPC, which is built on Mach messaging. launchd uses Mach messages for `on-demand` launching of processes, which is what is happening in this case. – TheDarkKnight Jun 27 '17 at 12:50