
I would like to retrieve the path of a file descriptor that I receive in a kernel extension (obtained from write_args->fd from SYS_write syscall) in OSX 10.10 (while preferably remaining compatible with OSX 10.6), like this on Linux. I have tried:

```c
char filePath[PATH_MAX];
if (fcntl(wa->fd, F_GETPATH, filePath) != -1) {
    return filePath;
}
```

But fcntl is apparently not available from kernel space. Same holds for fd_lookup.

Any help is appreciated!

Vis
  • Integer-based file descriptors don't make a lot of sense inside the kernel, as they're process-specific. In kernel space, fds are represented via `struct fileglob`, but this is a private type (Apple may change its layout/binary compatibility without notice) and I'm not aware of any public APIs for manipulating them. You're probably trying to do something in kernel space that would be better handled in user space. Note also that reassembling a full path to a vnode is a fairly slow operation. (see `vn_getpath()`) – pmdj Dec 06 '15 at 15:46
  • Thank you @pmdj. It is for private purposes only, so not a problem if changed by Apple in a future update. Can you provide an example of how reaching the `struct fileglob` from a `struct proc` would work? – Vis Dec 07 '15 at 07:41
  • The main purpose is to monitor which files are being written/used by a process. I can in fact obtain the path of an open call easily. Can I assume that a write call to an fd is only possible after the proc has performed an open call? In that case, monitoring open calls would "suffice"... – Vis Dec 07 '15 at 10:35
  • Are you sure you need the fd specifically? The MAC framework has a policy callback `mpo_vnode_check_write`, which provides you with the `vnode_t` being written. You can access the vnode's path, although I don't recommend doing so on every write event callback; maybe cache the result in some way if you need it. Do note that the write may not succeed, as you get the callback *before* the write itself happens. – pmdj Dec 07 '15 at 11:50
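
The question raised in the comments, whether monitoring open calls covers every write, can be checked from user space. The following is an added example, not code from the original post and not kernel-extension code: plain POSIX C in which a forked child writes through a descriptor it inherited and never opened itself, so a monitor keyed on open calls does not tie that process to the file while a write-time hook such as `mpo_vnode_check_write` still would. The function name and the temp-file template are constructed for the demo.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700            /* declares mkstemp() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* The parent creates the file; the forked child writes through the inherited
 * descriptor without calling open(). Returns 0 if the child's bytes reached
 * the file, -1 on any failure. msg must be shorter than 64 bytes. */
int write_via_inherited_fd(const char *msg)
{
    char path[] = "/tmp/fd_inherit_XXXXXX";  /* constructed temp-file template */
    size_t len = strlen(msg);
    char buf[64] = {0};
    int status = 0, rc = -1;

    if (len >= sizeof buf)
        return -1;
    int fd = mkstemp(path);                  /* the only open in this program */
    if (fd < 0)
        return -1;

    pid_t pid = fork();
    if (pid == 0) {
        /* Child: no open() here, so an open-only monitor never ties this
         * pid to the file, yet the write succeeds. */
        _exit(write(fd, msg, len) == (ssize_t)len ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid &&
        WIFEXITED(status) && WEXITSTATUS(status) == 0 &&
        lseek(fd, 0, SEEK_SET) == 0 &&       /* offset is shared with the child */
        read(fd, buf, sizeof buf - 1) == (ssize_t)len &&
        strcmp(buf, msg) == 0)
        rc = 0;

    close(fd);
    unlink(path);
    return rc;
}

int main(void)
{
    int rc = write_via_inherited_fd("written by child\n");
    printf("write through inherited fd: %s\n", rc == 0 ? "observed" : "failed");
    return rc == 0 ? 0 : 1;
}
```

The same holds for descriptors that survive an exec or arrive over a Unix domain socket, so attributing writes to a process needs a hook on the write path itself.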

0 Answers