I have NTFS which is mounted on '/Volumes/usb_vol'
#mount
Filesystem Mounted on
/dev/disk5s1 /Volumes/usb_vol
The following simple code reports different values of device Id for device-file and mount point directory
struct stat buf;
for (int i = 1; i < argc; i++)
{
std::cout << argv[i] << std::endl;
if (stat(argv[i], &buf) < 0)
{
continue;
}
if (S_ISBLK(buf.st_mode))
{
std::cout << "st_rdev (" << major(buf.st_rdev) << "/" << minor(buf.st_rdev) << ") hex: " << std::hex << buf.st_rdev << std::endl;
}
else
{
std::cout << "st_dev (" << major(buf.st_dev) << "/" << minor(buf.st_dev) << ") hex: " << std::hex << buf.st_dev << std::endl;
}
}
Output:
/dev/disk5s1
st_rdev (1/22) hex: 1000016
/Volumes/usb_vol
st_dev (48/119) hex: 30000077
I believe this is expected but I have not found any explanation of this behaviour.
Are there any explanation of difference these values?
I can assume the stat() will report (48/119) for all objects which are located on this file system. Is it correct?
Thank you for the help!
Post
Replies
Boosts
Views
Activity
Hello,
Let's say I have several opened user sessions in parallel.
Endpoint Security notify about executing a process (ES_EVENT_TYPE_NOTIFY_EXEC) and provide audit token.
The goal is to find relationship between logged-in users and new process.
Can I use audit user ID for this?
Thank you in advance.
The kernel sends SIGKILL to application if it handles ES_EVENT_TYPE_AUTH_OPEN and lldb is attached to this process.
App:
int main(int /*argc*/, char** /*argv*/)
{
es_client_t *pEpClient = nullptr;
es_new_client_result_t result = es_new_client(&pEpClient, ^(es_client_t *pClient, const es_message_t *pMessage)
{
switch (pMessage->event_type)
{
case ES_EVENT_TYPE_AUTH_OPEN:
{
uint32_t authorizedFlags = pMessage->event.open.fflag;
if ((authorizedFlags & FREAD) || (authorizedFlags & FWRITE))
{
std::filesystem::path filePath = std::string(pMessage->event.open.file->path.data, pMessage->event.open.file->path.length);
std::string fileName = filePath.filename();
if (fileName == "test.txt")
{
std::cout << "blocked fileName: " << filePath.filename() << std::endl;
authorizedFlags &= ~FWRITE;
authorizedFlags &= ~FREAD;
}
}
if (es_respond_flags_result(pClient, pMessage, authorizedFlags, false) != ES_RESPOND_RESULT_SUCCESS)
{
std::cout << "es_respond_flags_result() failed with error " << std::endl;
}
}
break;
default:
break;
}
});
if (result != ES_NEW_CLIENT_RESULT_SUCCESS)
{
std::cout << "es_new_client() failed." << std::endl;
return 1;
}
es_event_type_t eventsList[] =
{
ES_EVENT_TYPE_AUTH_OPEN
};
if (es_subscribe(pEpClient, eventsList, 1) == ES_RETURN_ERROR)
{
std::cout << "es_subscribe() failed." << std::endl;
}
// wait
int i = 0;
std::cin >> i;
if (es_delete_client(pEpClient) == ES_RETURN_ERROR)
{
std::cout << "es_delete_client() failed." << std::endl;
}
return 0;
}
(lldb) process attach --pid 61127
....
(lldb) c
Process 61127 resuming
Process 61127 exited with status = 9 (0x00000009) Terminated due to signal 9
System log:
Allowing set_exception_ports from [debugserver] on [ep_sample] for entitled process/debugger
Client did not respond in appropriate amount of time (client pid: 61127), sent SIGKILL
The scenario is quite simple
run an application which uses [SCShareableContent getShareableContentExcludingDesktopWindows] and invoke captureImageWithFilter in completionHandler.
delay invoking captureImageWithFilter for several seconds and switch user session before call it.
The WindowServer crashes if app runs in inactive session.
How to manage this issue correctly? Are there any way to avoid this crash?
I need to intercept traffic (by port range) and need to have ability to modify it. If I understand correctly, the best way is to use NETransparentProxyProvider for this purpose. Is my understanding correct?
I am trying to figure out how to make system extension (NETransparentProxyProvider) intercept the traffic.
Unfortunately I have not found any description or example (similar to Network Filter).
I am novice in Network Extension. Are there any guide, example or quick start how to implement app proxy?
Thank you!
Hello,
I need to monitor input events and convert keycode to symbol. E.g. convert kHIDUsage_KeyboardQ to symbol according to used keyboard layout.
Are there any API to get current keyboard layout (language) in C++? If I understand correctly, the API TISGetInputSourceProperty() is deprecated.
Are there any way to monitor keyboard layout changed? (some system notification in case of keyboard layout change)
Are there any way to translate keycode to symbol except UCKeyTranslate() which is part of deprecated Unicode Utilities?
Thank you in advance.