Mount approval callback on Mac OS X


Problem description

I want to authorize USB/CD on Mac OS X. Now I am using the DiskArbitration framework to get MountApprovalCallback in user mode. But the problem with this callback is that there is no assurance of it. And if I get the callback, I am using CFUserNotificationReceiveResponse() to accept a password from the user. But while the prompt is shown, the user can open DiskUtility and mount a device.

So

  1. Is there any other way to get a mount approval callback or to authorize a device?
  2. How can I handle it in kernel mode?

Thanks.

Recommended answer

In a kext, you can get an authorisation callback for file system mount callbacks via the mpo_mount_check_mount callback in the MAC (TrustedBSD) policy framework. You can decide whether the mount should go ahead or not in there. I suspect you won't get any information about the logged-in user from the cred argument, as the mount syscall is probably initiated by the daemon running as root. I don't know what you're actually trying to do, so this might not be the best way to approach the problem for your specific case.

/**
  @brief Access control check for mounting a file system
  @param cred Subject credential
  @param vp Vnode that is to be the mount point
  @param vlabel Label associated with the vnode
  @param cnp Component name for vp
  @param vfc_name Filesystem type name

  Determine whether the subject identified by the credential can perform
  the mount operation on the target vnode.

  @return Return 0 if access is granted, otherwise an appropriate value for
  errno should be returned.
*/
typedef int mpo_mount_check_mount_t(
    kauth_cred_t cred,
    struct vnode *vp,
    struct label *vlabel,
    struct componentname *cnp,
    const char *vfc_name
);

Note that this is an unsupported KPI, so Apple says it might go away or break in a future release. Indeed, the policy callback function signatures frequently change between major OS X releases, so you may need to check OS X version at runtime and use different functions for different versions. You'll also need to stay up to date with any betas that Apple releases, to see if they break your code.

With that out of the way, here's how you actually use it:

  • You'll need to link against the MAC framework KPI, so add com.apple.kpi.dsep to your kext's OSBundleLibraries dictionary. (it uses darwin versioning, so use the same version as for the other com.apple.kpi.* bundles)
  • #include <security/mac_policy.h> in your code (it's already provided in Kernel.framework)
  • Create a global variable, or allocate some memory on startup to hold a struct mac_policy_ops, and initialise any of the function pointer fields you're interested in, e.g. mpo_mount_check_mount.
  • When your kext starts up, register your policy using mac_policy_register() and save the handle it returns. You'll need to configure your policy using a mac_policy_conf struct, where you set mpc_ops to point to your policy struct, mpc_loadtime_flags to MPC_LOADTIME_FLAG_UNLOADOK, mpc_name to a reverse-DNS identifier for your kext, mpc_fullname to a human-readable string, and zero-initialise everything else.
  • You will immediately start receiving calls to your callbacks, possibly concurrently from many threads and processes, so be sure to make your callbacks threadsafe.
  • Before unloading, your kext needs to deregister using mac_policy_unregister() and the handle you received from mac_policy_register().

More information can be found in the header file.
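The registration steps listed in the answer, as an added sketch in C that is not part of the original answer or of Apple's code: the `example_*` names, the `com.example.mountguard` identifier and the list of denied filesystem types are assumptions. The kext-only part is guarded by `KERNEL`, so the decision function can also be built and tested in user space.

```c
/* Added example; "example" names and the denied types are assumptions. */
#include <string.h>
#ifdef KERNEL
#include <mach/mach_types.h>
#include <sys/errno.h>
#include <security/mac_policy.h>
#else  /* user-space stand-ins so the decision logic can be unit tested */
#include <errno.h>
struct vnode; struct label; struct componentname;
typedef struct ucred *kauth_cred_t;
#endif
/* Assumed policy: refuse filesystem types typical of optical and USB media. */
static const char *const example_denied_fs[] = { "cd9660", "udf", "msdos", "exfat" };

/* Signature as quoted above; check it against the SDK header you build with.
 * Reads only its arguments and a const table, so concurrent calls are safe. */
static int example_check_mount(kauth_cred_t cred, struct vnode *vp,
    struct label *vlabel, struct componentname *cnp, const char *vfc_name)
{
    (void)cred; (void)vp; (void)vlabel; (void)cnp;
    if (vfc_name == NULL)
        return 0;                   /* nothing to match on: do not block */
    for (size_t i = 0; i < sizeof(example_denied_fs) / sizeof(example_denied_fs[0]); i++)
        if (strcmp(vfc_name, example_denied_fs[i]) == 0)
            return EPERM;           /* denied */
    return 0;                       /* access granted */
}

#ifdef KERNEL
static struct mac_policy_ops example_ops = { .mpo_mount_check_mount = example_check_mount };
static struct mac_policy_conf example_conf = {  /* unnamed fields stay zero */
    .mpc_name           = "com.example.mountguard",  /* placeholder bundle id */
    .mpc_fullname       = "Example mount approval policy",
    .mpc_ops            = &example_ops,
    .mpc_loadtime_flags = MPC_LOADTIME_FLAG_UNLOADOK,
};
static mac_policy_handle_t example_handle;  /* filled in by mac_policy_register() */
kern_return_t example_start(kmod_info_t *ki, void *d)
{
    (void)ki;
    return mac_policy_register(&example_conf, &example_handle, d) == 0 ? KERN_SUCCESS : KERN_FAILURE;
}

kern_return_t example_stop(kmod_info_t *ki, void *d)
{
    (void)ki; (void)d;
    return mac_policy_unregister(example_handle) == 0 ? KERN_SUCCESS : KERN_FAILURE;
}
#endif
```

Filtering on `vfc_name` only sees the filesystem type, so it cannot tell a USB stick from an internal volume formatted the same way.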
