Reply to extract file system type from es_event_mount_t
Thank you for the response! It looks like the only way of getting the fs type is to analyse string values (kDADiskDescriptionVolumeKindKey is a string too). What are you actually trying to do? Monitoring new mounts, but first of all the app must enumerate mounted volumes. I enumerate all mounts with getmntinfo_r_np() and it returns devfs, which must be skipped.
Topic: App & System Services SubTopic: Core OS Tags:
Feb ’25
Reply to st_dev of mount point directory is different to device ID of device-file
In my case, the stat struct is provided by an Endpoint Security message. It looks like the best solution is to use the DiskArbitration framework. DiskArbitration can be used to find the relationship between a mount point (DAVolumePath) and a physical device (DADiskGetBSDName). If st_dev and st_rdev are identical for any objects located on the same filesystem, the mount point directory has the same st_dev and st_rdev too. So, bsdName can be found for any object. And finally, a device can be found in the I/O Registry by bsdName. Thank you a lot for the detailed answer!!!
Topic: App & System Services SubTopic: Core OS Tags:
Jan ’25
Reply to st_dev of mount point directory is different to device ID of device-file
Hello, I am sorry for the delay with the answer (Christmas and a few weeks of holidays). The volume is mounted with read-only permission by the default driver.

Can you share its entry from the volume list when you run "mount" in Terminal? That might provide more detail about what's actually going on.

# df /dev/disk4s1
Filesystem   512-blocks  Used Available Capacity iused ifree %iused  Mounted on
/dev/disk4s1   30715832 93776  30622056     1%       1     0  100%   /Volumes/CCCOMA_X64FRE_RU-RU_DV9
# mount | grep disk4s1
/dev/disk4s1 on /Volumes/CCCOMA_X64FRE_RU-RU_DV9 (ntfs, local, nodev, nosuid, read-only, noowners, noatime, fskit)

That is, the values of st_dev and st_rdev will be identical for any objects located on the same filesystem.

Thank you a lot for this confirmation! I can implement my task based on this info. Thank you a lot for your help!
Topic: App & System Services SubTopic: Core OS Tags:
Jan ’25
Reply to How to find relationship between logged-in users and processes?
Thank you for the reply! I am afraid PID is not what I need. I need to find the logged-in user that is associated with a process. I found the following description of the audit user (non-official docs): Audit User ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john). Is it true for macOS? Thank you for your help!
Topic: App & System Services SubTopic: Core OS Tags:
Dec ’24
Reply to intercept network traffic via NETransparentProxyProvider
The application is using a KEXT (Socket Filters) to intercept the traffic. I am looking for a way to implement a new solution which is based on Network Extension. However, I have not found any obvious way to intercept the outgoing traffic and have the possibility to modify it. Is it possible? If yes, what are the best practices? What is the simplest way to implement it? Thank you in advance.
Aug ’24