You're right that monitoring mmap/mprotect would only let me know if it's possible for it to happen--there's no way to know that it has happened. But, from what I've seen, I think it will probably be more reliable than was_mapped_writable.
So, unfortunately, I'd probably have to poll the file for changes 😞. I do notice the Date Last Modified does change--I haven't figured out if there's something that triggers it or not (eg msync). Would that be a reasonable thing to poll?
RedMercury
Users receive reputation points by contributing quality content to the forums.
Posts include post and replies published on the forums.
Post authors can mark replies as Accepted to indicate successful solutions.
Apple Developer Forums admins can mark replies as Apple Recommended to indicate an approved solution
User for
Post
Replies
Boosts
Views
Activity
Ah. That makes sense. So I'll need to track mmap and mprotect if I want to be somewhat certain that a file changed.