How to determine if process has root privileges in a network kernel extension?

Question

I'm writing a socket filter kext and I would want to ignore any connections made as root. Before OS X Lion, the following code worked flawlessly:

static boolean_t is_root() {
    proc_t p = proc_self();
    boolean_t isRoot = proc_suser(p);
    proc_rele(p);
    return isRoot;
}

But now with Lion and Mountain Lion, the is_root() function always returns true. In Snow Leopard, it worked as I imagined it would.

Here's an example of how I tested the function inside a socket filter event handler:

int debugPid = proc_selfpid();
if (is_root()) {
    printf("%u (root)\n", debugPid);
} else {
    printf("%u (user)\n", debugPid);
}

But the output always says "root", for example:

2012-11-15 3:48:00.000 PM kernel[0]: 29879 (root)

Where the app making the connection is Twitter (confirmed through the PID). Twitter runs with regular user privileges, not root.

Is there a better/correct way to determine if the process behind the socket connection has root privileges?

Answer 1

According the bsd/sys/proc.h (link):

/* this routine returns error if the process is not one with super user privileges */
int proc_suser(proc_t p);

So a return of 0 means the process has root privileges or non-zero otherwise.

You want:

static boolean_t is_root() {
    proc_t p = proc_self();
    int error = proc_suser(p);
    proc_rele(p);
    return error == 0;
}