Current state of trace mode?

Joshua Root jmr at macports.org
Sun Sep 2 07:37:32 PDT 2012


On 2012-9-2 14:36 , Jordan K. Hubbard wrote:
> 
> I also got distracted by the notion of creating a MAC policy (kernel
> module) instead since MAC has hooks for every single filesystem
> operation and allows one to implement tracing below the syscall layer
> such that it doesn't matter whether the syscalls are 32 bit, 64 bit or
> how the syscalls which manipulate files change or evolve over time. To
> be honest, that would be the architecturally superior approach given the
> two alternatives, but would also (as I quickly found out) be rather more
> difficult to do since implementing the kernel module and the hooks in
> macports to trigger the hooks on all of its (the subject's) file objects
> is kind of advanced class and MAC is not an officially supported API -
> it's more of an internal implementation detail of XNU.

I completely agree, it would be better for the OS to provide the
mechanisms. Please make it happen. ;-)

With sandboxing clearly catching on at Apple, I'd kind of been hoping
that we would get an API for this sort of thing along with it.

> All that said, the functionality is still very cool, regardless of how
> it's implemented, and I hope that someone does dive on the challenge
> since proper enforcement and validation of what MacPorts is doing for a
> specific port could really provide some much needed safety belting of
> the process, particularly as the ports collection continues to grow.

Indeed.

- Josh


More information about the macports-dev mailing list