I want to learn to develop a Mac OS filter scheme driver and I'm using a modified version of the SimpleCryptoDisk sample app from the book Mac OS X Internals. The source I am using is here.
As a next goal I want to modify this to track which applications are doing the reading and writing, and eventually print out a number of bytes that was read and written by each application.
I see in the read() call there is a pointer to the client (* IOService), however I haven't found any way to get the task/process from that object. I was thinking of calling an API to determine the current process, but since this code is running in a KEXT (in the kernel) I don't think that will help me identify a user-land process.
I found there is an IOServer API called newUserClient() that contains task_t, which I assume is enough to get me the app name somehow. However I'm not sure how to link this call with the read() call.
Normally I'd just try a bunch of things experimentally, but since I am working in the kernel I want to tread carefully at first and avoid messing things up. So if someone can give me any hints to get the process name for a read or write that would be great.
This is pretty much the best you're going to get; the API doesn't pass the ultimate originator of the I/O through. In most cases though, the call will be made as a result of file system activity triggered by a file I/O syscall, and will be running in the (kernel) context of a user-space process. So the proc_* APIs (from <sys/proc.h>) will most of the time give you the information you seem to need.
IOService::newUserClient() deals with user processes directly interfacing with kernel IOService objects via the user-space IOKit libraries. This isn't how IOStorage I/O calls are invoked though, they go through the IOMediaBSDClient which provides the glue between block device files in /dev/ and the IOStorage stack.
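A sketch of the per-process byte accounting the question asks for, built on the proc_* calls the answer points to. This is an added example, not code from the answer or from SimpleCryptoDisk. proc_selfpid() and proc_selfname() are the kernel KPI from <sys/proc.h>; current_pid(), current_name(), account_io(), account_current_io(), lookup() and the table sizes are hypothetical names chosen here, and the non-KERNEL branch is a user-space stand-in so the table logic can be exercised outside a kext.

```cpp
#include <stdint.h>
#ifdef KERNEL
#include <sys/proc.h>        // proc_selfpid(), proc_selfname()
#include <libkern/libkern.h> // snprintf()
static int  current_pid(void) { return proc_selfpid(); }
static void current_name(char *buf, int len) { proc_selfname(buf, len); }
#else                        // user-space stand-ins (assumption, for testing only)
#include <stdio.h>
#include <unistd.h>
static int  current_pid(void) { return (int)getpid(); }
static void current_name(char *buf, int len) { snprintf(buf, len, "userland-test"); }
#endif

enum { MAX_PROCS = 64, NAME_LEN = 32 };   // hypothetical sizes; fixed table, no allocation
struct ProcIO { bool used; int pid; char name[NAME_LEN]; uint64_t bytes_read, bytes_written; };
static ProcIO g_table[MAX_PROCS];         // in a kext, guard every access with a lock

// Return the entry for pid, or nullptr if that pid has not been seen yet.
static ProcIO *lookup(int pid) {
    for (int i = 0; i < MAX_PROCS; i++)
        if (g_table[i].used && g_table[i].pid == pid) return &g_table[i];
    return nullptr;
}

// Add bytes to pid's counters, creating its entry on first sight.
// Returns false when the table is full and the pid is new.
static bool account_io(int pid, const char *name, uint64_t bytes, bool is_write) {
    ProcIO *e = lookup(pid);
    for (int i = 0; !e && i < MAX_PROCS; i++) {
        if (g_table[i].used) continue;
        e = &g_table[i];
        e->used = true; e->pid = pid; e->bytes_read = e->bytes_written = 0;
        snprintf(e->name, NAME_LEN, "%s", name);   // truncates and NUL-terminates
    }
    if (!e) return false;
    (is_write ? e->bytes_written : e->bytes_read) += bytes;
    return true;
}

// Call at the top of the scheme's read()/write(), before forwarding to the provider.
// The pid is whichever context the call arrived in; kernel threads report pid 0.
static bool account_current_io(uint64_t bytes, bool is_write) {
    char name[NAME_LEN];
    current_name(name, sizeof(name));
    return account_io(current_pid(), name, bytes, is_write);
}
```

Because the originator is not passed through the storage stack, I/O issued from a kernel thread rather than from a syscall context is attributed to pid 0, so treat that bucket as unattributed traffic.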