macos kernel-extension

Read file extended attributes from macOS kernel extension


I need to read files' extended attributes from a kext. I looked at the kernel API, but I didn't find any method to do that.

Is there any possibility to read the file extended attributes from a kext, preferably starting from the file vnode?


Solution

  • It's no longer part of Apple's official public KPI, but the com.apple.kpi.dsep bundle exports not one but two sets of APIs for reading & writing xattrs.

    In <bsd/sys/vnode_if.h>:

    extern errno_t VNOP_SETXATTR(vnode_t vp, const char *name, uio_t uio, int options, vfs_context_t ctx);
    extern errno_t VNOP_GETXATTR(vnode_t vp, const char *name, uio_t uio, size_t *size, int options, vfs_context_t ctx);
    

    These (obviously) use the uio buffer mechanism, which can be a bit awkward; alternatively, there's also:

    int mac_vnop_setxattr(struct vnode *, const char *, char *, size_t);
    int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t,
              size_t *);
    int mac_vnop_removexattr(struct vnode *, const char *);
    

    These are declared in <security/mac_policy.h> which has sadly been removed from the Kernel.framework of the macOS 10.13 SDK. The functions still exist, and the header file is still part of the xnu source distribution. It was also in at least the 10.5-10.12 SDKs. Calling the functions on 10.13 from a kext built with a 10.12 or earlier SDK works just fine, although as I mentioned, Apple doesn't officially support it.

    If you do use these APIs, it's worth filing a radar with Apple to request they be returned to the public interface, indicating that you need these functions and why. The more of us that do this, the less likely they are to finally remove them.
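
An added example (not part of the answer above, and not Apple's code): a bounded wrapper around the `mac_vnop_getxattr` call quoted in the answer, which reserves room for a terminator and leaves the buffer defined on every error path. The helper name `kext_read_xattr`, the attribute name, and the user-space stand-in for the kernel function are assumptions, added so the wrapper can be compiled and run outside a kext.

```c
#ifdef KERNEL                        /* real kext build */
#include <sys/errno.h>
#include <sys/vnode.h>
#include <string.h>
/* Prototype as quoted in the answer; the header is missing from the 10.13 SDK. */
extern int mac_vnop_getxattr(struct vnode *, const char *, char *, size_t, size_t *);
#else                                /* constructed user-space stand-in */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#define ENOATTR 93                   /* macOS value; absent from Linux <errno.h> */
struct vnode { const char *name; const char *value; size_t len; };
static int mac_vnop_getxattr(struct vnode *vp, const char *name, char *buf,
                             size_t len, size_t *attrlen)
{
    if (strcmp(name, vp->name) != 0) return ENOATTR;
    if (vp->len > len) return ERANGE;
    memcpy(buf, vp->value, vp->len);
    *attrlen = vp->len;
    return 0;
}
#endif

/* Hypothetical helper: copy xattr `name` of `vp` into out[0..cap) and
 * NUL-terminate it. Assumes the caller already holds an iocount on vp. */
static int kext_read_xattr(struct vnode *vp, const char *name,
                           char *out, size_t cap, size_t *out_len)
{
    size_t got = 0;
    int err;
    if (!vp || !name || !out || cap < 2) return EINVAL;
    out[0] = '\0';                   /* defined content on every error path */
    err = mac_vnop_getxattr(vp, name, out, cap - 1, &got);
    if (err != 0) return err;        /* ENOATTR, ERANGE, ... passed through */
    if (got > cap - 1) return ERANGE; /* do not index past the buffer */
    out[got] = '\0';
    if (out_len != NULL) *out_len = got;
    return 0;
}
#ifndef KERNEL
int main(void)
{
    struct vnode v = { "com.example.tag", "hello", 5 };   /* constructed sample */
    char buf[16]; size_t n = 0;
    int err = kext_read_xattr(&v, "com.example.tag", buf, sizeof buf, &n);
    printf("err=%d len=%zu value=%s\n", err, n, buf);
    return err;
}
#endif
```

Extended attribute values are arbitrary bytes that any process with write access to the file can set, so a kext should treat the returned buffer as untrusted input even after the length check.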