Hi,
I am using Kauth KAUTH_VNODE_WRITE_DATA to perform validations before a file is opened.
However, in the case of SMB shares, the file is already truncated by the time I try to access it during the vnode authorization callback when overwriting with O_TRUNC.
I can reproduce the issue using cp or by creating a simple program that uses an open(..., O_TRUNC) call on the smbfs destination path.
Looking at the smbfs source code (https://opensource.apple.com/source/smb/smb-759.40.1/kernel/smbfs/smbfs_vnops.c),
although I might be wrong, it seems that in at least one of the places the authorizer is called after open.
The authorizer is called at line
1725 error = ap->a_open_existing_authorizer(vp, cnp, fmode, context, NULL);
The file, however, was already opened at (not sure if truncation is handled here)
1701 error = smbfs_create_open(share, dvp, cnp, vap, open_disp, fmode, &fid, fap, &vp, context);
Has anyone seen a similar issue? Is this behavior by design or is it a bug?
I am using 10.10.5/10.11.6 for testing.
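
A user-space check for the ordering described in the post above, as an added example that is not part of the original post or of smbfs: it attempts open(..., O_TRUNC) on a file whose write is expected to be denied and reports whether the data survived the denial. The function names are hypothetical, and the built-in sample uses a read-only file mode as a stand-in for the Kauth listener's denial; pass a path on the share as the first argument to test the real case.

```c
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

enum trunc_result { OPEN_ALLOWED, DENIED_INTACT, DENIED_TRUNCATED, CHECK_ERROR };

/* Assumes `path` already holds data and that something (file mode here, a
 * Kauth listener in the scenario above) is expected to deny the write. */
enum trunc_result check_trunc_ordering(const char *path)
{
    struct stat before, after;
    if (stat(path, &before) != 0 || before.st_size == 0)
        return CHECK_ERROR;

    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd >= 0) {               /* nothing denied the open */
        close(fd);
        return OPEN_ALLOWED;
    }
    if (stat(path, &after) != 0)
        return CHECK_ERROR;
    /* A denied open must leave the size untouched. */
    return after.st_size == before.st_size ? DENIED_INTACT : DENIED_TRUNCATED;
}

/* Constructed sample: a read-only temp file stands in for a denied target. */
enum trunc_result run_local_sample(void)
{
    char path[] = "/tmp/trunc_check_XXXXXX";
    static const char data[] = "constructed sample payload\n";
    int fd = mkstemp(path);
    if (fd < 0)
        return CHECK_ERROR;
    int ok = write(fd, data, sizeof data - 1) == (ssize_t)(sizeof data - 1) &&
             fchmod(fd, 0444) == 0;
    close(fd);
    enum trunc_result r = ok ? check_trunc_ordering(path) : CHECK_ERROR;
    unlink(path);
    return r;
}

int main(int argc, char **argv)
{
    enum trunc_result r = argc > 1 ? check_trunc_ordering(argv[1]) : run_local_sample();
    printf("result=%d (0 allowed, 1 denied+intact, 2 denied+truncated, 3 error)\n", r);
    return r == DENIED_TRUNCATED;
}
```

When run as root the file mode does not deny the open, so the local sample reports OPEN_ALLOWED rather than DENIED_INTACT.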