Tuesday, September 25, 2018

A vnode pager and a shared libraries cache.

A step by step description to find a vnode backing a memory mapping for a particular address. Lets find a vnode behind 0x0007fff51b41000 address which according to vmmap output belongs to /usr/lib/libSystem.B.dylib mapping for a __TEXT segment
Let's locate a task, ping in this case.
(lldb) showalltasks
task                 vm_map               ipc_space            #acts flags    pid       process             io_policy  wq_state  command             
....
0xffffff803e0ce7a0   0xffffff803e957200   0xffffff803e93a9c0       1 D        594   0xffffff803fc986d0                -1 -1 -1    ping   
Next we inspect its ```vmmap``
(lldb) showmapvme 0xffffff803e957200
vm_map             pmap               size                    #ents              rsize              start:end               
0xffffff803e957200 0xffffff803e954c90 0x00000001051cd000         37                202 0x00000001087f3000:0x00007fffffe00000
entry                           start:end                      #pgs tag.kmod prot&flags object             offset            
0xffffff803eb47640 0x00000001087f3000:0x00000001087f9000          6   0      57         0xffffff8045dd5700 0x0               
0xffffff803eb47910 0x00000001087f9000:0x00000001087fa000          1   0      37         0xffffff8044538800 0x0               
0xffffff803eb47050 0x00000001087fa000:0x000000010880a000         16   0      37         0xffffff8044538000 0x0               
0xffffff803f789550 0x000000010880a000:0x000000010880e000          4   0      17n        0xffffff8044538500 0x7000            
0xffffff803f789be0 0x000000010880e000:0x0000000108810000          2  73      37         0xffffff8044538200 0x0               
0xffffff803ef8e550 0x0000000108810000:0x0000000108811000          1   1      17n        0xffffff8044538900 0x0               
0xffffff803ad2b320 0x0000000108811000:0x0000000108812000          1   1      37n        0xffffff8044538900 0x1000            
0xffffff803f789e10 0x0000000108812000:0x0000000108813000          1   1      07         0xffffff8044538900 0x2000            
0xffffff803690c820 0x0000000108813000:0x0000000108817000          4   1      37n        0xffffff8044538900 0x3000            
0xffffff803f789000 0x0000000108817000:0x0000000108818000          1   1      07         0xffffff8044538900 0x7000            
0xffffff803690ca00 0x0000000108818000:0x0000000108819000          1   1      07         0x0000000000000000 0x0               
0xffffff803ef8eb90 0x0000000108819000:0x000000010881d000          4   1      37n        0xffffff8044538100 0x0               
0xffffff803ef8e230 0x000000010881d000:0x000000010881e000          1   1      07         0x0000000000000000 0x5000            
0xffffff80367b6140 0x000000010881e000:0x000000010881f000          1   1      17         0xffffff8044538a00 0x0               
0xffffff803d1e72d0 0x000000010881f000:0x0000000108820000          1   0      13         0xffffff80368b8400 0x0               
------------------ 0x0000000108820000:0x000000011852a000      64778
0xffffff803f789230 0x000000011852a000:0x0000000118575000         75   0      57         0xffffff8045dd5b00 0x0               
0xffffff803f789dc0 0x0000000118575000:0x0000000118578000          3   0      37         0xffffff8044538700 0x0               
0xffffff803f7895f0 0x0000000118578000:0x00000001185ad000         53   0      37         0xffffff8044538400 0x0               
0xffffff803f7895a0 0x00000001185ad000:0x00000001185c8000         27   0      17n        0xffffff8035f2e300 0x4f000           
------------------ 0x00000001185c8000:0x00007fb925c00000 34284295736
0xffffff80367b6230 0x00007fb925c00000:0x00007fb925d00000        256   7      37n        0xffffff8044538b00 0x0               
0xffffff803d1e7320 0x00007fb925d00000:0x00007fb925e00000        256   7      37n        0xffffff8044537f00 0x0               
0xffffff803f9ee3c0 0x00007fb925e00000:0x00007fb925f00000        256   7      37         0xffffff8044537e00 0x0               
------------------ 0x00007fb925f00000:0x00007fb926000000        256
0xffffff803ad2bd70 0x00007fb926000000:0x00007fb926800000       2048   2      37         0xffffff8044538c00 0x0               
0xffffff803f9eeaf0 0x00007fb926800000:0x00007fb927000000       2048   2      37n        0xffffff8044537200 0x0               
------------------ 0x00007fb927000000:0x00007ffee340d000   73122829
0xffffff803f789730 0x00007ffee340d000:0x00007ffee6c0d000      14336  30      07         0x0000000000000000 0x0               
0xffffff803f789a50 0x00007ffee6c0d000:0x00007ffee740d000       2048  30      37         0xffffff8044538600 0x0               
------------------ 0x00007ffee740d000:0x00007fff00000000     101363
0xffffff803f789d20 0x00007fff00000000:0x00007fff80000000     524288  32      17snp      submap:0xffffff8035fa3600 0x0               
0xffffff803ad2b000 0x00007fff80000000:0x00007fff8be00000      48640  35      17sn       submap:0xffffff8035fa3600 0x80000000        
0xffffff803ad2b2d0 0x00007fff8be00000:0x00007fff8c000000        512  35      37         0xffffff8044538e00 0x0               
0xffffff803ad2b780 0x00007fff8c000000:0x00007fff8c200000        512  35      17sn       submap:0xffffff8035fa3600 0x8c000000        
0xffffff803ad2b280 0x00007fff8c200000:0x00007fff8c400000        512  35      37         0xffffff8044538f00 0x0               
0xffffff803f7899b0 0x00007fff8c400000:0x00007fff8c600000        512  35      37         0xffffff8044538d00 0x0               
0xffffff803f789d70 0x00007fff8c600000:0x00007fff8c69b000        155  35      37         0xffffff8044538300 0x0               
0xffffff803f789960 0x00007fff8c69b000:0x00007fffc0000000     211301  35      17sn       submap:0xffffff8035fa3600 0x8c69b000        
0xffffff803f789aa0 0x00007fffc0000000:0x00007fffffe00000     261632  32      17snp      submap:0xffffff8035fa3600 0xc0000000        
0xffffff803f789fa0 0x00007fffffe00000:0x00007fffffe01000          1   0      11s        submap:0xffffff802d4e1a20 0x0               
------------------ 0x00007fffffe01000:0x00007fffffeb6000        181
0xffffff803f7892d0 0x00007fffffeb6000:0x00007fffffeb7000          1   0      55s        submap:0xffffff802d4e1c20 0x0
The address we are looking for belongs to a range backed by a submap 0xffffff8035fa3600. Let's inspect this submap.
(lldb) showmapvme -v 0xffffff8035fa3600
vm_map             pmap               size                    #ents              rsize              start:end               
0xffffff8035fa3600 0xffffff80353d9598 0x0000000045704000         62              34581 0x0000000000000000:0x00000000ffe00000
entry                           start:end                      #pgs tag.kmod prot&flags object             offset            
------------------ 0x0000000000000000:0x0000000024192000     147858
0xffffff8036052780 0x0000000024192000:0x000000005421f000     196749   0      55n        0xffffff8035fa4500 0x0               
------------------ 0x000000005421f000:0x0000000084192000     196467
0xffffff803b1f9690 0x0000000084192000:0x0000000084200000        110   0      33n        0xffffff8035fa4500 0x3008d000        
0xffffff803b1f9f50 0x0000000084200000:0x0000000084400000        512   0      33n        0xffffff8035fa4500 0x300fb000        
0xffffff803621f960 0x0000000084400000:0x0000000084600000        512   0      33n        0xffffff8035fa4500 0x302fb000        
0xffffff803b24baa0 0x0000000084600000:0x0000000084800000        512   0      33n        0xffffff8035fa4500 0x304fb000        
0xffffff803b24bb40 0x0000000084800000:0x0000000084a00000        512   0      33n        0xffffff8035fa4500 0x306fb000        
0xffffff803b24b910 0x0000000084a00000:0x0000000085400000       2560   0      33n        0xffffff8035fa4500 0x308fb000        
0xffffff803b24b8c0 0x0000000085400000:0x0000000085600000        512   0      33n        0xffffff8035fa4500 0x312fb000        
0xffffff8036b19410 0x0000000085600000:0x0000000085800000        512   0      33n        0xffffff8035fa4500 0x314fb000        
0xffffff803c9b10f0 0x0000000085800000:0x0000000085a00000        512   0      33n        0xffffff8035fa4500 0x316fb000        
0xffffff803621fb40 0x0000000085a00000:0x0000000085c00000        512   0      33n        0xffffff8035fa4500 0x318fb000        
0xffffff803621f690 0x0000000085c00000:0x0000000085e00000        512   0      33n        0xffffff8035fa4500 0x31afb000        
0xffffff80361cbc80 0x0000000085e00000:0x0000000086000000        512   0      33n        0xffffff8035fa4500 0x31cfb000        
0xffffff803621f370 0x0000000086000000:0x0000000086200000        512   0      33n        0xffffff8035fa4500 0x31efb000        
0xffffff803621f6e0 0x0000000086200000:0x0000000086400000        512   0      33n        0xffffff8035fa4500 0x320fb000        
0xffffff803621f0f0 0x0000000086400000:0x0000000086600000        512   0      33n        0xffffff8035fa4500 0x322fb000        
0xffffff8036052d20 0x0000000086600000:0x0000000086800000        512   0      33n        0xffffff8035fa4500 0x324fb000        
0xffffff803b24b9b0 0x0000000086800000:0x0000000086e00000       1536   0      33n        0xffffff8035fa4500 0x326fb000        
0xffffff8037bd0f00 0x0000000086e00000:0x0000000087000000        512   0      33n        0xffffff8035fa4500 0x32cfb000        
0xffffff8037fb1dc0 0x0000000087000000:0x0000000087200000        512   0      33n        0xffffff8035fa4500 0x32efb000        
0xffffff803687b190 0x0000000087200000:0x0000000087400000        512   0      33n        0xffffff8035fa4500 0x330fb000        
0xffffff80390b2f00 0x0000000087400000:0x0000000087600000        512   0      33n        0xffffff8035fa4500 0x332fb000        
0xffffff803621f550 0x0000000087600000:0x0000000087800000        512   0      33n        0xffffff8035fa4500 0x334fb000        
0xffffff803908a0a0 0x0000000087800000:0x0000000087c00000       1024   0      33n        0xffffff8035fa4500 0x336fb000        
0xffffff80375d5820 0x0000000087c00000:0x0000000087e00000        512   0      33n        0xffffff8035fa4500 0x33afb000        
0xffffff8037f0fb90 0x0000000087e00000:0x0000000088000000        512   0      33n        0xffffff8035fa4500 0x33cfb000        
0xffffff803724ddc0 0x0000000088000000:0x0000000088200000        512   0      33n        0xffffff8035fa4500 0x33efb000        
0xffffff803b11ac30 0x0000000088200000:0x0000000088400000        512   0      33n        0xffffff8035fa4500 0x340fb000        
0xffffff8036c39870 0x0000000088400000:0x0000000088600000        512   0      33n        0xffffff8035fa4500 0x342fb000        
0xffffff8038010500 0x0000000088600000:0x0000000088800000        512   0      33n        0xffffff8035fa4500 0x344fb000        
0xffffff8036c390f0 0x0000000088800000:0x0000000088a00000        512   0      33n        0xffffff8035fa4500 0x346fb000        
0xffffff8037c577d0 0x0000000088a00000:0x0000000088c00000        512   0      33n        0xffffff8035fa4500 0x348fb000        
0xffffff80390b2be0 0x0000000088c00000:0x0000000088e00000        512   0      33n        0xffffff8035fa4500 0x34afb000        
0xffffff803908a820 0x0000000088e00000:0x0000000089000000        512   0      33n        0xffffff8035fa4500 0x34cfb000        
0xffffff803b11ac80 0x0000000089000000:0x0000000089200000        512   0      33n        0xffffff8035fa4500 0x34efb000        
0xffffff803b24ba00 0x0000000089200000:0x0000000089400000        512   0      33n        0xffffff8035fa4500 0x350fb000        
0xffffff803621f410 0x0000000089400000:0x0000000089600000        512   0      33n        0xffffff8035fa4500 0x352fb000        
0xffffff803b24ba50 0x0000000089600000:0x0000000089800000        512   0      33n        0xffffff8035fa4500 0x354fb000        
0xffffff8037c57410 0x0000000089800000:0x0000000089a00000        512   0      33n        0xffffff8035fa4500 0x356fb000        
0xffffff8036922280 0x0000000089a00000:0x0000000089c00000        512   0      33n        0xffffff8035fa4500 0x358fb000        
0xffffff803843de10 0x0000000089c00000:0x0000000089e00000        512   0      33n        0xffffff8035fa4500 0x35afb000        
0xffffff803908a730 0x0000000089e00000:0x000000008a000000        512   0      33n        0xffffff8035fa4500 0x35cfb000        
0xffffff8037f42410 0x000000008a000000:0x000000008a200000        512   0      33n        0xffffff8035fa4500 0x35efb000        
0xffffff803cd14a50 0x000000008a200000:0x000000008a400000        512   0      33n        0xffffff8035fa4500 0x360fb000        
0xffffff803a407a00 0x000000008a400000:0x000000008a600000        512   0      33n        0xffffff8035fa4500 0x362fb000        
0xffffff803b24bbe0 0x000000008a600000:0x000000008a800000        512   0      33n        0xffffff8035fa4500 0x364fb000        
0xffffff803908aaa0 0x000000008a800000:0x000000008aa00000        512   0      33n        0xffffff8035fa4500 0x366fb000        
0xffffff803b24b4b0 0x000000008aa00000:0x000000008ac00000        512   0      33n        0xffffff8035fa4500 0x368fb000        
0xffffff80390b2140 0x000000008ac00000:0x000000008ae00000        512   0      33n        0xffffff8035fa4500 0x36afb000        
0xffffff803ad2ba00 0x000000008ae00000:0x000000008b200000       1024   0      33n        0xffffff8035fa4500 0x36cfb000        
0xffffff80390b2820 0x000000008b200000:0x000000008b400000        512   0      33n        0xffffff8035fa4500 0x370fb000        
0xffffff8037cc2280 0x000000008b400000:0x000000008b600000        512   0      33n        0xffffff8035fa4500 0x372fb000        
0xffffff80361cb6e0 0x000000008b600000:0x000000008b800000        512   0      33n        0xffffff8035fa4500 0x374fb000        
0xffffff80390b2af0 0x000000008b800000:0x000000008ba00000        512   0      33n        0xffffff8035fa4500 0x376fb000        
0xffffff803690c1e0 0x000000008ba00000:0x000000008bc00000        512   0      33n        0xffffff8035fa4500 0x378fb000        
0xffffff803680e460 0x000000008bc00000:0x000000008be00000        512   0      33n        0xffffff8035fa4500 0x37afb000        
0xffffff80361cbd20 0x000000008be00000:0x000000008c000000        512   0      33n        0xffffff8035fa4500 0x37cfb000        
0xffffff8036052a50 0x000000008c000000:0x000000008c200000        512   0      33n        0xffffff8035fa4500 0x37efb000        
0xffffff8037ce4c30 0x000000008c200000:0x000000008c400000        512   0      33n        0xffffff8035fa4500 0x380fb000        
0xffffff80360521e0 0x000000008c400000:0x000000008c600000        512   0      33n        0xffffff8035fa4500 0x382fb000        
0xffffff803621f5a0 0x000000008c600000:0x000000008c69b000        155   0      33n        0xffffff8035fa4500 0x384fb000        
------------------ 0x000000008c69b000:0x00000000c4192000     228087
0xffffff80360526e0 0x00000000c4192000:0x00000000d1300000      53614   0      11n        0xffffff8035fa4500 0x38596000        
------------------ 0x00000000d1300000:0x00000000ffe00000     191232

The address we are looking for is backed by a vm_object 0xffffff8035fa4500. Let's print it out.
(lldb) p *(vm_object_t)0xffffff8035fa4500
(vm_object) $49 = {
  memq = (next = 47704340, prev = 47704340)
  Lock = {
     = {
      lck_rw_shared_count = 0
      lck_rw_interlock = '\0'
      lck_rw_priv_excl = '\x01'
      lck_rw_want_upgrade = '\0'
      lck_rw_want_write = '\0'
      lck_r_waiting = '\0'
      lck_w_waiting = '\0'
      lck_rw_can_sleep = '\x01'
      lck_rw_padb6 = '\0'
      lck_rw_tag = 0
      lck_rw_owner = 0x0000000000000000
    }
     = (data = 553648128, lck_rw_pad4 = 0, lck_rw_pad8 = 0, lck_rw_pad12 = 0)
  }
  Lock_owner = 0x0000000000000000
  vo_un1 = (vou_size = 1164984320, vou_cache_pages_to_scan = 1164984320)
  memq_hint = 0x0000000000000000
  ref_count = 4877
  resident_page_count = 0
  wired_page_count = 0
  reusable_page_count = 0
  copy = 0x0000000000000000
  shadow = 0xffffff8035fa4300
  vo_un2 = {
    vou_shadow_offset = 0
    vou_cache_ts = 0
    vou_purgeable_owner = 0x0000000000000000
    vou_slide_info = 0x0000000000000000
  }
  pager = 0x0000000000000000
  paging_offset = 0
  pager_control = 0x0000000000000000
  copy_strategy = 4
  paging_in_progress = 0
  __object1_unused_bits = 0
  activity_in_progress = 0
  all_wanted = 0
  pager_created = 0
  pager_initialized = 0
  pager_ready = 0
  pager_trusted = 0
  can_persist = 0
  internal = 1
  private = 0
  pageout = 0
  alive = 1
  purgable = 3
  purgeable_only_by_kernel = 0
  purgeable_when_ripe = 0
  shadowed = 1
  true_share = 0
  terminating = 0
  named = 0
  shadow_severed = 0
  phys_contiguous = 0
  nophyscache = 0
  _object5_unused_bits = 0
  cached_list = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
  last_alloc = 0
  sequential = 0
  pages_created = 0
  pages_used = 0
  cow_hint = 0xffffffffffffffff
  wimg_bits = 128
  code_signed = 0
  transposed = 0
  mapping_in_progress = 0
  phantom_isssd = 0
  volatile_empty = 0
  volatile_fault = 0
  all_reusable = 0
  blocked_access = 0
  set_cache_attr = 0
  object_slid = 0
  purgeable_queue_type = 3
  purgeable_queue_group = 0
  io_tracking = 0
  no_tag_update = 0
  __object3_unused_bits = 0
  __object2_unused_bits = 0
  scan_collisions = '\0'
  wire_tag = 0
  __object4_unused_bits = ([0] = '\0', [1] = '\0')
  phantom_object_id = 0
  uplq = {
    next = 0xffffff8035fa45c0
    prev = 0xffffff8035fa45c0
  }
  objq = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
  task_objq = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
}
The pager is NULL and this object in turn is backed by a shadow object 0xffffff8035fa4300. Switch to this object.
(lldb) p *(vm_object_t)0xffffff8035fa4300
(vm_object) $50 = {
  memq = (next = 2148243131, prev = 2148236198)
  Lock = {
     = {
      lck_rw_shared_count = 0
      lck_rw_interlock = '\0'
      lck_rw_priv_excl = '\x01'
      lck_rw_want_upgrade = '\0'
      lck_rw_want_write = '\0'
      lck_r_waiting = '\0'
      lck_w_waiting = '\0'
      lck_rw_can_sleep = '\x01'
      lck_rw_padb6 = '\0'
      lck_rw_tag = 0
      lck_rw_owner = 0x0000000000000000
    }
     = (data = 553648128, lck_rw_pad4 = 0, lck_rw_pad8 = 0, lck_rw_pad12 = 0)
  }
  Lock_owner = 0x0000000000000000
  vo_un1 = (vou_size = 0, vou_cache_pages_to_scan = 0)
  memq_hint = 0xffffff80301495d0
  ref_count = 3
  resident_page_count = 116984
  wired_page_count = 0
  reusable_page_count = 0
  copy = 0xffffff8035fa4500
  shadow = 0x0000000000000000
  vo_un2 = {
    vou_shadow_offset = 18446743524858593968
    vou_cache_ts = 18446743524858593968
    vou_purgeable_owner = 0xffffff8035ef02b0
    vou_slide_info = 0xffffff8035ef02b0
  }
  pager = 0xffffff8035f3b8c0
  paging_offset = 0
  pager_control = 0xffffff80359d65a0
  copy_strategy = 2
  paging_in_progress = 0
  __object1_unused_bits = 0
  activity_in_progress = 0
  all_wanted = 0
  pager_created = 1
  pager_initialized = 1
  pager_ready = 1
  pager_trusted = 0
  can_persist = 1
  internal = 0
  private = 0
  pageout = 0
  alive = 1
  purgable = 3
  purgeable_only_by_kernel = 0
  purgeable_when_ripe = 0
  shadowed = 0
  true_share = 0
  terminating = 0
  named = 1
  shadow_severed = 0
  phys_contiguous = 0
  nophyscache = 0
  _object5_unused_bits = 0
  cached_list = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
  last_alloc = 836317184
  sequential = 0
  pages_created = 123988
  pages_used = 50061
  cow_hint = 0xffffffffffffffff
  wimg_bits = 128
  code_signed = 1
  transposed = 0
  mapping_in_progress = 0
  phantom_isssd = 0
  volatile_empty = 0
  volatile_fault = 0
  all_reusable = 0
  blocked_access = 0
  set_cache_attr = 0
  object_slid = 1
  purgeable_queue_type = 3
  purgeable_queue_group = 0
  io_tracking = 0
  no_tag_update = 0
  __object3_unused_bits = 0
  __object2_unused_bits = 0
  scan_collisions = '\0'
  wire_tag = 0
  __object4_unused_bits = ([0] = '\0', [1] = '\0')
  phantom_object_id = 5
  uplq = {
    next = 0xffffff8035fa43c0
    prev = 0xffffff8035fa43c0
  }
  objq = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
  task_objq = {
    next = 0x0000000000000000
    prev = 0x0000000000000000
  }
}
Now we have a valid pager. Let's inspect it.
(lldb) p *(memory_object_t)0xffffff8035f3b8c0
(memory_object) $51 = {
  mo_ikot = 11
  mo_pager_ops = 0xffffff80298cae70
  mo_control = 0xffffff80359d65a0
}
(lldb) p *((memory_object_t)0xffffff8035f3b8c0)->mo_pager_ops
(const memory_object_pager_ops) $52 = {
  memory_object_reference = 0xffffff8028dfcc10 (kernel.development`vnode_pager_reference at bsd_vm.c:648)
  memory_object_deallocate = 0xffffff8028dfcc80 (kernel.development`vnode_pager_deallocate at bsd_vm.c:663)
  memory_object_init = 0xffffff8028dfccf0 (kernel.development`vnode_pager_init at bsd_vm.c:402)
  memory_object_terminate = 0xffffff8028dfcd90 (kernel.development`vnode_pager_terminate at bsd_vm.c:688)
  memory_object_data_request = 0xffffff8028dfcda0 (kernel.development`vnode_pager_data_request at bsd_vm.c:620)
  memory_object_data_return = 0xffffff8028dfce70 (kernel.development`vnode_pager_data_return at bsd_vm.c:449)
  memory_object_data_initialize = 0xffffff8028dfcef0 (kernel.development`vnode_pager_data_initialize at bsd_vm.c:464)
  memory_object_data_unlock = 0xffffff8028dfcf10 (kernel.development`vnode_pager_data_unlock at bsd_vm.c:475)
  memory_object_synchronize = 0xffffff8028dfcf20 (kernel.development`vnode_pager_synchronize at bsd_vm.c:703)
  memory_object_map = 0xffffff8028dfcf40 (kernel.development`vnode_pager_map at bsd_vm.c:715)
  memory_object_last_unmap = 0xffffff8028dfcf90 (kernel.development`vnode_pager_last_unmap at bsd_vm.c:738)
  memory_object_data_reclaim = 0x0000000000000000
  memory_object_pager_name = 0xffffff8029515488 "vnode pager"
}
(lldb) p *((memory_object_t)0xffffff8035f3b8c0)->mo_control
(memory_object_control) $53 = {
  moc_ikot = 32
  moc_object = 0xffffff8035fa4300
}
This is a vnode_pager object. Now we cast the pager to vnode_pager type.
(lldb) p *(vnode_pager*)0xffffff8035f3b8c0
(vnode_pager) $55 = {
  vn_pgr_hdr = {
    mo_ikot = 11
    mo_pager_ops = 0xffffff80298cae70
    mo_control = 0xffffff80359d65a0
  }
  ref_count = 1
  vnode_handle = 0xffffff8035f112e8
}
Then print the vnode path.
(lldb) showvnodepath 0xffffff8035f112e8
/private/var/db/dyld/dyld_shared_cache_x86_64
As it was expected this is actually a vnode for a prelinked shared libraries cache file.

Sunday, January 14, 2018

A list of default macOS MAC policies

A list of default macOS MAC policies
(lldb) p mac_policy_list.entries[0].mpc
(mac_policy_conf *) $90 = 0xffffff7f823db4b8
(lldb) p *mac_policy_list.entries[0].mpc
(mac_policy_conf) $91 = {
  mpc_name = 0xffffff7f823d7f13 "AMFI"
  mpc_fullname = 0xffffff7f823d7f18 "Apple Mobile File Integrity"
  mpc_labelnames = 0xffffff7f823da6d0
  mpc_labelname_count = 1
  mpc_ops = 0xffffff7f823daa40
  mpc_loadtime_flags = 0
  mpc_field_off = 0xffffff7f823da9a0
  mpc_runtime_flags = 1
  mpc_list = 0x0000000000000000
  mpc_data = 0x0000000000000000
}
(lldb) p *mac_policy_list.entries[1].mpc
(mac_policy_conf) $92 = {
  mpc_name = 0xffffff7f82bda2fd "Sandbox"
  mpc_fullname = 0xffffff7f82bda53a "Seatbelt sandbox policy"
  mpc_labelnames = 0xffffff7f82be0110
  mpc_labelname_count = 1
  mpc_ops = 0xffffff7f82be0118
  mpc_loadtime_flags = 0
  mpc_field_off = 0xffffff7f82be1378
  mpc_runtime_flags = 1
  mpc_list = 0x0000000000000000
  mpc_data = 0x0000000000000000
}
(lldb) p *mac_policy_list.entries[2].mpc
(mac_policy_conf) $93 = {
  mpc_name = 0xffffff7f83d73fd4 "TMSafetyNet"
  mpc_fullname = 0xffffff7f83d73fe0 "Safety net for Time Machine"
  mpc_labelnames = 0xffffff7f83d74060
  mpc_labelname_count = 1
  mpc_ops = 0xffffff7f83d74068
  mpc_loadtime_flags = 2
  mpc_field_off = 0xffffff7f83d74be8
  mpc_runtime_flags = 1
  mpc_list = 0x0000000000000000
  mpc_data = 0x0000000000000000
}
(lldb) p *mac_policy_list.entries[3].mpc
(mac_policy_conf) $94 = {
  mpc_name = 0xffffff7f84159c06 "Quarantine"
  mpc_fullname = 0xffffff7f84159c7c "Quarantine policy"
  mpc_labelnames = 0xffffff7f8415a160
  mpc_labelname_count = 1
  mpc_ops = 0xffffff7f8415a168
  mpc_loadtime_flags = 0
  mpc_field_off = 0xffffff7f8415acfc
  mpc_runtime_flags = 1
  mpc_list = 0x0000000000000000
  mpc_data = 0x0000000000000000
}