Kauth event upon start process. - prevention capabilities

Question

I'd like to get event in kernel on each new process that starts (fork+execve or posix_spawn), and be able to prevent this operations.

The first option would be using Mac framework named mpo_vnode_check_exec by Hooking to this method with function that return 0 when access is granted or check deferred to next hook.. non zero returned value means access is refused right away.

Unfortunately, this framework is unsupported by apple, and I wish to use a stable alternative like kauth fileop scope with KAUTH_FILEOP_EXEC flag. However, this framework is for detection only and lacks prevention capabilities..

Perhaps there's a way to prevent the process from running when I get relevant kauth callback on process creation, or halt the process from running until I decide whether it should run or not (and enforce the verdict in another thread).

thanks

score 2 · Accepted Answer · answered Sep 13 '18 at 15:28

2

However, this framework is for detection only and lacks prevention capabilities..

Correct, if you're only focussing on the File scope.

Register with the Vnode scope and your callback returns whether or not access is allowed.

kauth_listen_scope(KAUTH_SCOPE_VNODE, &myCallback, NULL);

Finally, note that this scope is very noisy, as every type of access to every resource is reported.

answered Sep 13 '18 at 15:28

TheDarkKnight

27,181
6
55
85

Hi and sorry for the late response, In order to decrease the noise, and if I only care about new processes, can I use the flag `KAUTH_VNODE_EXECUTE` ? – Zohar81 Oct 02 '18 at 07:14
Yes, you can filter on the File Operation Scope – TheDarkKnight Oct 03 '18 at 06:42

Kauth event upon start process. - prevention capabilities

1 Answers1