How to get the new created vnode since kauth_listen_scope is invalid now

I'm looking for a way to hook vnode operations. The following is a snippet of the code:

IOReturn
FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void)
{    
    //
    // register our listener
    //
    this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE,                              // for the vnode scope
                                              FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback
                                              this );                                         // give a cookie to callback
    
    if( NULL == this->VnodeListener ){
        
        DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) );
        return kIOReturnInternalError;
        
    }
    
    return kIOReturnSuccess;
}

Here I use kauth_listen_scope to get the newly created vnode object, and then hook it.

But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using EndpointSecurity.

So is there any other way to get the newly created vnode object?

there is no way to get the vnode by using Endpoint Security

Right. Because ES clients run outside of the kernel.

Kauth was never intended to be a mechanism for ‘hooking’ vnode operations. In fact, I’m not sure what you mean by “hook vnode operations” in this context. What does that mean exactly?

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I am developing a file encryption and decryption software on Mac. The main function of this software is to set up a special folder, and all files in this folder will be automatically decrypted when opened. After the files are copied out of this folder, the files need to remain encrypted. I achieve such a folder by mounting a MacFUSE-based file system.

But after I copied the file out of the special folder, I found that the copied content was plain text. I think this may be caused by the cache of the Mac system. In order to prevent the decrypted content from being copied, I wanted to hook the vnode write operation and replace the copied decrypted content with the encrypted content.

I borrowed the method from this link MacOSX-FileSystem-Filter to hook the read and write operations of vnode. The core idea of this hook method is,

      // assumption is - the vnode layout is as follows
      // <some fields that are irrelevant for us>
      // int (**v_op)(void *);   /* vnode operations vector */
      // mount_t v_mount;        /* ptr to vfs we are in */
      // void *v_data;           /* private data for fs */

So after I got the vnode object from Kauth, I do some pointer movement to replace the vnode operations vector int (**v_op)(void *); thus I can hook the vnode operations.

I’m sorry but I can’t help you with this. This is not an intended use case for Kauth. Moreover, we have no supported path for developing filter file systems [1]. In the long term I hope that we’ll see custom file system support move out of the kernel but, right now, I think your best option is to explore the File Provider space.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

[1] Quoting QA1242 Developing for VFS:

Apple does not support the development of stacking VFS plug-ins on Mac OS X

AFAIK this hasn’t changed.

Thanks for your reply, there is really little documentation about it.
File Provider is not enough to meet my requirement. Developing a kernel/user hybrid file system may be a good way, at least I have the full control of my file system. It's really painful to do VFS development on macOS :(

It's really painful to do VFS development on macOS :(

You haven’t yet begun to feel the pain )-:

At the time I wrote QA1242 I was still (vaguely) optimistic that things would improve on the VFS plug-in front. Almost twenty years later, it’s clear that my optimism was unfounded:

  • KEXT loading is much more difficult than it used to be.

  • The VFS KPI hasn’t evolved, meaning that a lot of modern stuff just can’t be done in a VFS plug-in.

  • Apple has made it clear that we’re transitioning away from KEXTs sooner rather than later, which means that, at best, there’s a significant transition ahead of you.

I found the sample code 'EmptyFS' & 'MFSLives' [links] are invalid in [QA1242]

Indeed. Those samples, like QA1242 itself, are in the Documentation Archive.

ps To be clear, I no longer support VFS plug-ins for DTS. Another member of the team now has that privilege.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks for your detailed reply @eskimo. Now I'm looking for a way to begin the adventurous and exciting journey of VFS development. Since there is little documentation about VFS, do you think it's a good idea to borrow from the implementation of Linux 3rd file system FUSE?

If I were to port Linux FUSE to VFS, what would be the biggest challenges and differences?

Accepted Answer

do you think it's a good idea to borrow from the implementation of Linux 3rd file system FUSE?

If I were to port Linux FUSE to VFS, what would be the biggest challenges and differences?

I don’t have any opinions on these because I don’t have any direct experience with the Linux VFS abstraction. Sorry.

If I were in your shoes I’d find a better project to work on (-: Or, if you have to build this, come up with a way to work within macOS’s constraints. A VFS plug-in is unlikely to yield a reliable long-term product.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

Thanks eskimo, hope the day Apple supports the function like file filter will come soon...
