#[repr(C)]
pub struct es_event_exec_t {
    pub target: ShouldNotBeNull<es_process_t>,
    pub dyld_exec_path: es_string_token_t,
    pub anon_0: es_event_exec_t_anon_0,
}
Execute a new process
Process arguments, environment variables and file descriptors are packed; use the API functions to access them: es_exec_arg(), es_exec_arg_count(), es_exec_env(), es_exec_env_count(), es_exec_fd() and es_exec_fd_count().
The API may only return descriptions for a subset of open file descriptors; how many and which file descriptors are available as part of exec events is not considered API and can change in future releases.
The CPU type and subtype correspond to the CPU_TYPE_* and CPU_SUBTYPE_* macros defined in <mach/machine.h>.
Fields related to code signing in target represent kernel state for the process at the
point in time the exec has completed, but the binary has not started running yet. Because code
pages are not validated until they are paged in, this means that modifications to code pages
would not have been detected yet at this point. For a more thorough explanation, please see the
documentation for es_process_t.
There are two es_process_t fields that are represented in an es_message_t that
contains an es_event_exec_t. The es_process_t within the es_message_t struct (named
process) contains information about the program that calls execve(2) (or posix_spawn(2)).
This information is gathered prior to the program being replaced. The other es_process_t,
within the es_event_exec_t struct (named target), contains information about the program
after the image has been replaced by execve(2) (or posix_spawn(2)). This means that both
es_process_t structs refer to the same process (as identified by pid), but not necessarily the
same program, and definitely not the same program execution (as identified by the (pid, pidversion)
tuple). The audit_token_t structs contained in the two different es_process_t structs will
not be identical: the pidversion field will be updated, and the UID/GID values may be
different if the new program had setuid/setgid permission bits set.
Cache key for this event type: (process executable file, target executable file).
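The before/after relationship between the message's process and the event's target is what a consumer checks when it wants to notice a privilege change across an exec. The following is an added example, not code from this crate or from Apple's framework: it models only the handful of audit_token_t and es_process_t fields the check needs with constructed stand-in types (AuditToken, ProcessView, ExecMessage are assumed names), applies the invariants stated above (same pid, updated pidversion, possibly changed UID/GID), and derives the documented cache key from the two executable paths. The sample message it builds is constructed, not captured from a real system.

```rust
// Added example (not part of the endpoint-security crate): a simplified model
// of the two process views an exec message carries, and a check a consumer
// could run over them. The struct and field names below are constructed
// stand-ins for es_process_t / audit_token_t, not the crate's real types.

/// Constructed stand-in for the relevant audit_token_t fields.
#[derive(Debug, Clone, PartialEq)]
pub struct AuditToken {
    pub pid: i32,
    pub pidversion: i32,
    pub euid: u32,
    pub egid: u32,
}

/// Constructed stand-in for es_process_t with only the fields this check uses.
#[derive(Debug, Clone)]
pub struct ProcessView {
    pub audit_token: AuditToken,
    pub executable_path: String,
}

/// `process` is the caller of execve(2)/posix_spawn(2), captured before the
/// image was replaced; `target` is the same pid after the new image loaded.
pub struct ExecMessage {
    pub process: ProcessView,
    pub target: ProcessView,
}

#[derive(Debug, PartialEq)]
pub enum ExecFinding {
    /// pid unchanged, pidversion updated, credentials unchanged.
    NormalExec,
    /// Effective uid differs across the exec (a setuid image was activated).
    EffectiveUidChanged { from: u32, to: u32 },
    /// Effective gid differs across the exec (a setgid image was activated).
    EffectiveGidChanged { from: u32, to: u32 },
    /// The pair violates an invariant the framework documents.
    Inconsistent(&'static str),
}

/// Compare the before/after views and report what changed across the exec.
pub fn analyze_exec(msg: &ExecMessage) -> Vec<ExecFinding> {
    let before = &msg.process.audit_token;
    let after = &msg.target.audit_token;
    let mut findings = Vec::new();

    // Both views describe the same process, so the pid must match.
    if before.pid != after.pid {
        findings.push(ExecFinding::Inconsistent("process and target pid differ"));
        return findings;
    }
    // A successful exec is a new program execution: pidversion is updated.
    if before.pidversion == after.pidversion {
        findings.push(ExecFinding::Inconsistent("pidversion did not change across exec"));
        return findings;
    }
    if before.euid != after.euid {
        findings.push(ExecFinding::EffectiveUidChanged { from: before.euid, to: after.euid });
    }
    if before.egid != after.egid {
        findings.push(ExecFinding::EffectiveGidChanged { from: before.egid, to: after.egid });
    }
    if findings.is_empty() {
        findings.push(ExecFinding::NormalExec);
    }
    findings
}

/// The cache key the description gives for this event type:
/// (process executable file, target executable file).
pub fn cache_key(msg: &ExecMessage) -> (String, String) {
    (msg.process.executable_path.clone(), msg.target.executable_path.clone())
}

/// Constructed sample: an unprivileged shell (uid 501) execs a setuid-root
/// binary. pid stays 4242, pidversion moves from 7 to 8, euid becomes 0.
pub fn sample_setuid_exec() -> ExecMessage {
    ExecMessage {
        process: ProcessView {
            audit_token: AuditToken { pid: 4242, pidversion: 7, euid: 501, egid: 20 },
            executable_path: "/bin/zsh".to_string(),
        },
        target: ProcessView {
            audit_token: AuditToken { pid: 4242, pidversion: 8, euid: 0, egid: 20 },
            executable_path: "/usr/bin/sudo".to_string(),
        },
    }
}

fn main() {
    let msg = sample_setuid_exec();
    println!("cache key: {:?}", cache_key(&msg));
    for finding in analyze_exec(&msg) {
        println!("finding: {:?}", finding);
    }
}
```

With the real types, the same comparison reads the audit tokens of message.process and event.target; the two Inconsistent branches are there because a consumer should treat a message that breaks the documented invariants as malformed rather than silently classify it.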
Fields

target: ShouldNotBeNull<es_process_t>
The new process that is being executed.

dyld_exec_path: es_string_token_t (macos_13_3_0 only)
The exec path passed up to dyld, before symlink resolution. This is the path argument to execve(2) or posix_spawn(2), or the interpreter from the shebang line for scripts run through the shell script image activator.
Field available only if message version >= 7.

anon_0: es_event_exec_t_anon_0
See the variants of the union.
Implementations

impl es_event_exec_t
Accessors for ShouldNotBeNull fields

pub unsafe fn target(&self) -> &es_process_t
Gives a reference to the field while checking for null.

Safety
See ShouldNotBeNull safety requirements.