Daniel Roethlisberger
The full solution depends on #6, marking this blocked. Might write a replacement using audit(4) but that involves tracking an awful amount of file events, creating a much bigger performance...
Blocked by #6
Unblock, as #6 is resolved.
This seems not to be easily possible with the current cdev interface and using supported KPIs only, because the KPIs in `bsd/sys/codesign.h` are private.
Reference: https://forums.developer.apple.com/thread/108803
A file-based solution can detect properly installed kexts, but uid 0 can load kexts from anywhere if the bundle is owned by root on disk; those are not captured. Watching...
File-based partial solution depends on #26.
The main reason why I decided to use audit events instead of `/dev/fsevents` for filesystem monitoring so far was that audit events are synchronous in relation to process events. Synchronizing...
Renaming this issue to reduce the scope to browser extensions. There is issue #16 for kext load events.
Depends on #26 in order to deliver high-quality events.