I'm using the ES framework to control files created by handling the event ES_EVENT_TYPE_AUTH_CREATE, but when a file is created by replacing a file with the same name, ES_EVENT_TYPE_AUTH_CREATE won't be reported.
I've searched and tried the event ES_EVENT_TYPE_AUTH_EXCHANGEDATA, but it didn't work. Which event should I monitor for 'creating a file' by replacing a file with the same name?
In the context of UNIX, "rename" is the basic "move" syscall, so this is handled by "ES_EVENT_TYPE_AUTH_RENAME".
One oddity to clarify here: "ES_EVENT_TYPE_AUTH_EXCHANGEDATA" actually maps to its own syscall, namely "exchangedata". On HFS+, that syscall was the preferred syscall used to implement "safe save" semantics (atomically exchanging the content of two files). It's likely that you'll still see it in use on HFS+ volumes and you may see it in other contexts (probably AFP, possibly some SMB configurations). When we implemented APFS, we "merged" its core functionality into "rename" by introducing "renamex_np" and the "RENAME_SWAP"/"RENAME_EXCL" flags. See the man page for "rename" for more details on this.
In any case, it's worth being aware that the same ES_EVENT_TYPE_AUTH_RENAME event can have VERY different behavior, even though your ES client can't differentiate between them.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
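
The following is an added example, not part of the original question or answer: a minimal Endpoint Security client that authorizes ES_EVENT_TYPE_AUTH_RENAME and uses the event's destination_type field to recognize a rename onto an existing file, which is the "create by replacing" case asked about. The policy_allows function and the blocked path prefix are hypothetical stand-ins for whatever check the existing AUTH_CREATE handler already performs.

```objective-c
// Build as a .m file on macOS and link with -lEndpointSecurity.
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

// Hypothetical policy hook: reuse the decision already made for AUTH_CREATE.
static bool policy_allows(const char *path) {
    static const char blocked[] = "/Users/Shared/protected/"; // constructed sample rule
    return strncmp(path, blocked, sizeof(blocked) - 1) != 0;
}

static void handle_rename(es_client_t *client, const es_message_t *msg) {
    const es_event_rename_t *r = &msg->event.rename;
    char dst[PATH_MAX * 2];
    if (r->destination_type == ES_DESTINATION_TYPE_EXISTING_FILE) {
        // Rename onto an existing path: the "create by replacing" case.
        es_string_token_t p = r->destination.existing_file->path;
        snprintf(dst, sizeof dst, "%.*s", (int)p.length, p.data);
    } else {
        // Destination does not exist yet: parent directory + final component.
        es_string_token_t d = r->destination.new_path.dir->path;
        es_string_token_t f = r->destination.new_path.filename;
        snprintf(dst, sizeof dst, "%.*s/%.*s", (int)d.length, d.data, (int)f.length, f.data);
    }
    es_auth_result_t verdict = policy_allows(dst) ? ES_AUTH_RESULT_ALLOW : ES_AUTH_RESULT_DENY;
    // No caching: the verdict depends on the destination path of this one call.
    es_respond_auth_result(client, msg, verdict, false);
}

int main(void) {
    es_client_t *client = NULL;
    es_new_client_result_t rc = es_new_client(&client, ^(es_client_t *c, const es_message_t *m) {
        if (m->event_type == ES_EVENT_TYPE_AUTH_RENAME) handle_rename(c, m);
    });
    if (rc != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed: %d (needs root and the ES entitlement)\n", (int)rc);
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_RENAME };
    if (es_subscribe(client, events, 1) != ES_RETURN_SUCCESS) {
        fprintf(stderr, "es_subscribe failed\n");
        return 1;
    }
    dispatch_main(); // never returns; the handler block runs on ES's queue
}
```

Since, as the answer notes, the client cannot tell a plain rename from a swap, a stricter policy would also check r->source->path, because in a swap the source path receives new content as well.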