Posts

Post marked as solved
1 Reply
136 Views
I mounted a 3rd file system on macOS, and I want to monitor the copy events performed by Finder on this 3rd file system, so I use an Endpoint Security client. I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by an Apple File System clone operation, and ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call. If I want to monitor copy/paste operations by Finder (the copy can happen within the 3rd file system or between the 3rd file system and Apple File System), which ES event should I register?
Posted by Ere0n.
Post marked as solved
1 Reply
144 Views
I'm a bit confused about the file permissions between the root and admin accounts. I'm developing a background user agent process, and I created the agent plist file with R&W permission for my admin account. When I tried to load my agent process with launchd, it said the plist file permission is not right. Only after I changed the plist file owner to root (chown root my.plist) did everything work. From the above situation, it seems that the root user cannot access files that are only authorized to the admin user. The admin account also can't access files authorized only to root, unless you add sudo or enter the password when the "enter admin password" box pops up. But with sudo or the password, it just temporarily converts your account from admin to the root account. So am I right in my speculation?
Posted by Ere0n.
Post marked as solved
8 Replies
290 Views
I'm finding a way to hook vnode operations; the following is a snippet of the code:

    #include <sys/kauth.h>        // kauth_listen_scope, KAUTH_SCOPE_VNODE
    #include <IOKit/IOReturn.h>   // IOReturn, kIOReturnSuccess, kIOReturnInternalError

    IOReturn FltIOKitKAuthVnodeGate::RegisterVnodeScopeCallback(void)
    {
        //
        // register our listener
        //
        this->VnodeListener = kauth_listen_scope( KAUTH_SCOPE_VNODE,                        // for the vnode scope
                                                  FltIOKitKAuthVnodeGate::VnodeAuthorizeCallback, // using this callback
                                                  this );                                   // give a cookie to callback
        if( NULL == this->VnodeListener ){
            DBG_PRINT_ERROR( ( "kauth_listen_scope failed\n" ) );
            return kIOReturnInternalError;
        }
        return kIOReturnSuccess;
    }

Here kauth_listen_scope is used to get the newly created vnode object, which will then be hooked. But now kauth_listen_scope is deprecated, and there is no way to get the vnode by using Endpoint Security. So is there any other way to get the newly created vnode object?
Posted by Ere0n.
Post not yet marked as solved
0 Replies
198 Views
I'm currently trying to develop a transparent data encryption (TDE) system on macOS 12.6.8. Our company has its own file encryption format. In order to facilitate safe and convenient file transfer between the Windows and Mac platforms, we need to develop a TDE system on the Mac platform (on the Windows platform, we have developed such a system based on the Minifilter framework). I tried to implement this system using a macFUSE-based file system and the Endpoint Security system extension, but found that this did not allow complete control of files on the Mac system. For example, when you use Finder to copy an encrypted file, the decrypted data is copied out. I'm guessing this might be due to a Finder or some other system process cache. By referring to the current product introductions of other companies, I learned that the current TDE systems on Mac are all based on kernel extensions. But I noticed that Apple no longer encourages kernel extension development, and the Mac kernel has fewer and fewer APIs open to developers. So I would like to ask: is it still feasible to develop a TDE system based on a kernel extension?
Posted by Ere0n.
Post not yet marked as solved
1 Reply
179 Views
I'm developing an encrypt/decrypt filesystem on Mac. I use macFUSE to implement this filesystem and mount it under a folder. By doing this I can hook the open-file method when a user tries to open an encrypted file (such as A.rtf) under the mounted folder. Then I decrypt A.rtf and generate a new decrypted file, let's call it B.rtf. In the hooked open-file method, I return the B.rtf file descriptor so that the user can open the decrypted file. All works fine, until I open the encrypted file once and then copy it. It seems the Mac system directly uses the decrypted cached data when doing the copy, so the decrypted content is copied. I tried adding fcntl(fd, F_NOCACHE, 1); fcntl(fd, F_NODIRECT, 1); after int fd = open([p UTF8String], mode);, but it does not work. So is there a way to clearly tell the Mac system not to cache my data when opening files?
Posted by Ere0n.
Post marked as solved
3 Replies
192 Views
I'm developing an app on Mac. Some sensitive template files will be decrypted while the user is using it. I don't want my client to see these files via Finder or Terminal, so I tried to mount a file system and store the decrypted folder under that filesystem, and then not return the contents of the decrypted folder when the filesystem's contentsOfDirectory is called. It works under my filesystem. But when the user directly accesses these files via Finder (not from my filesystem's mounted path), the files are still there and can be seen by the user. Is there any way to hide my files from Finder? Such as a Finder extension, or some special folder that Mac offers to store these sensitive files?
Posted by Ere0n.