Multiple problems with ES_EVENT_TYPE_NOTIFY_DUP

Hello,

3 questions regarding Endpoint Security Framework:

  1. Does ESF support tracing the dup2(2) function? There is the ES_EVENT_TYPE_NOTIFY_DUP event, but it seems that it only reports dup(2), not dup2(2)?

  2. Does ESF support tracing the dup(2), and close(2) calls, if the file descriptor passed to these functions refer to a pipe handle instead of a file handle? If not, do you have any plans of extending the support for pipes as well?

  3. Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)? Currently this structure only supports the "target" file object, without any information which file descriptor has been cloned into which file descriptor, which is not helpful at all. For example, if we open file A and we get fd1, then open the same file A and we get fd2, then perform dup(fd1), then with ESF it seems that it's impossible to tell if we've duplicated fd1 or fd2. Also this model doesn't support dup2(2) usage at all.

Answered by DTS Engineer in 781938022

1. Does ESF support tracing the dup2(2) function?

Yes. Both dup and dup2 are reported via ES_EVENT_TYPE_NOTIFY_DUP event.

2. Does ESF support tracing the dup(2) … if the file descriptor passed to these functions refer to a pipe handle instead of a file handle?

No. The ES_EVENT_TYPE_NOTIFY_DUP event includes a es_event_dup_t structure, and that can only include information about a file.

In general, ES does not provide file descriptor information with events [1]. For example, es_event_close_t doesn’t include any descriptor info.

If not, do you have any plans of extending the support for pipes as well?

I can’t talk about The Future™. If you’d like to see such support added, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

3. Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)?

It depends on what you mean by ‘could’. I think you’re asking for ES to be extended to support this functionality. If so, see my previous point.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Although there are exceptions to that general rule.

Accepted Answer

1. Does ESF support tracing the dup2(2) function?

Yes. Both dup and dup2 are reported via ES_EVENT_TYPE_NOTIFY_DUP event.

2. Does ESF support tracing the dup(2) … if the file descriptor passed to these functions refer to a pipe handle instead of a file handle?

No. The ES_EVENT_TYPE_NOTIFY_DUP event includes a es_event_dup_t structure, and that can only include information about a file.

In general, ES does not provide file descriptor information with events [1]. For example, es_event_close_t doesn’t include any descriptor info.

If not, do you have any plans of extending the support for pipes as well?

I can’t talk about The Future™. If you’d like to see such support added, I encourage you to file an enhancement request describing your requirements.

Please post your bug number, just for the record.

3. Could the es_event_dup_t structure support reporting which file handle has been duplicated into which value (source file descriptor value, and target file descriptor value)?

It depends on what you mean by ‘could’. I think you’re asking for ES to be extended to support this functionality. If so, see my previous point.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Although there are exceptions to that general rule.

Thanks.

I've created FB13677854.

However, the feedback reporting system has completely garbled up the formatting of the description, so it's not very readable.

I've created FB13677854.

Thanks for that.

the feedback reporting system has completely garbled up the formatting

It looks fine from my perspective.

I’ve seen this before. It seem to be a bug in the Feedback Assistant web app itself (FB13300491). If you use the Feedback Assistant app, it should look OK. You can find that app in /System/Library/CoreServices/Applications.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I've created FB13677854.

Thanks for that.

the feedback reporting system has completely garbled up the formatting

It looks fine from my perspective.

I’ve seen this before. It seem to be a bug in the Feedback Assistant web app itself (FB13300491). If you use the Feedback Assistant app, it should look OK. You can find that app in /System/Library/CoreServices/Applications.


Oh, one last thing. Most folks building ES clients are doing so for an Organization team. If that’s the case here, I recommend that you share this feedback with your team. That gives it better visibility inside Apple. See here for the details.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Multiple problems with ES_EVENT_TYPE_NOTIFY_DUP
 
 
Q