Get callback on create new file with data

I would like to get a notification about a file copy operation when the target file is being closed, using a Kauth-based kernel extension that uses a fileop scope callback.


I don't mind about the first operation involved in the file copying, which is opening the source file and reading from it, but I want to detect the new target file creation after it was filled with data, disregarding the nature of the source file (so I'll be able to read it for further analysis).


According to my observation, it may be possible to achieve this by monitoring the last action on the target file, which is KAUTH_FILEOP_CLOSE. But this action alone may match a lot of other scenarios, such as a file close after reading, and I only care if the file has new data.


I would expect to get, in addition, the KAUTH_FILEOP_CLOSE_MODIFIED flag, and it isn't there unless the target file is a new file (not copying to an existing file).

Perhaps it's yet another bug with Kauth. Any other ideas how to detect the new file after it is filled with data?


Thanks

Replies

I hate to be the bearer of bad news but it’s simply not possible to infer high-level semantics (this file was copied) from the low-level operations visible in Kauth.

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"

Hi and Thanks for the reply.


I understand that the copy command cannot be traced by the fileop scope, as it contains 2 lower-layer operations (read from the source file and write to the target file).


However, I would have expected that the target file close callback would be set with the additional KAUTH_FILEOP_CLOSE_MODIFIED flag so that I can detect that a new file was created with data, or an old file had its data modified.


Any ideas why I'm not getting the additional flag?


Thanks

Any ideas why I'm not getting the additional flag?

No, but there’s a long history of KAUTH_FILEOP_CLOSE_MODIFIED being less than reliable (for example, it’s never been set when the file was modified via a read/write memory mapping).

Do you see different behaviour on HFS Plus vs APFS?

Share and Enjoy

Quinn “The Eskimo!”
Apple Developer Relations, Developer Technical Support, Core OS/Hardware

let myEmail = "eskimo" + "1" + "@apple.com"
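
The close handling discussed in this thread, as an added example that is not code from either poster or from Apple: a userland model of a fileop listener that treats KAUTH_FILEOP_CLOSE_MODIFIED as a hint and falls back to comparing a size/mtime snapshot taken at open. The snapshot table, `on_fileop`, and the verdict names are hypothetical; the constants are defined locally to mirror `<sys/kauth.h>`, and in a kext the size and mtime would come from `vnode_getattr()` on the vnode passed in arg0.

```c
#include <stdint.h>
#include <string.h>

/* Values mirror <sys/kauth.h>; defined locally so this builds outside the kernel. */
#ifndef KAUTH_FILEOP_CLOSE
#define KAUTH_FILEOP_OPEN            1
#define KAUTH_FILEOP_CLOSE           2
#define KAUTH_FILEOP_CLOSE_MODIFIED  (1 << 1)
#endif

/* Hypothetical per-path snapshot recorded when KAUTH_FILEOP_OPEN is seen. */
struct snap { char path[256]; int64_t size; int64_t mtime; int used; };

enum verdict { V_IGNORE, V_MODIFIED_FLAG, V_MODIFIED_STAT, V_UNCHANGED, V_UNKNOWN };

#define MAX_TRACKED 64
static struct snap table[MAX_TRACKED];

/* Find the snapshot for path; optionally claim a free slot for it. */
static struct snap *lookup(const char *path, int create) {
    struct snap *free_slot = NULL;
    for (int i = 0; i < MAX_TRACKED; i++) {
        if (table[i].used && strcmp(table[i].path, path) == 0) return &table[i];
        if (!table[i].used && !free_slot) free_slot = &table[i];
    }
    if (!create || !free_slot || strlen(path) >= sizeof free_slot->path) return NULL;
    strcpy(free_slot->path, path);
    free_slot->used = 1;
    return free_slot;
}

/* Model of the listener: action, path (arg1) and flags (arg2) as Kauth passes them;
 * size/mtime stand in for attributes a kext would read from the vnode. */
enum verdict on_fileop(int action, const char *path, uintptr_t flags,
                       int64_t size, int64_t mtime) {
    if (action == KAUTH_FILEOP_OPEN) {
        struct snap *s = lookup(path, 1);
        if (s) { s->size = size; s->mtime = mtime; }
        return V_IGNORE;
    }
    if (action != KAUTH_FILEOP_CLOSE) return V_IGNORE;
    struct snap *s = lookup(path, 0);
    enum verdict v;
    if (flags & KAUTH_FILEOP_CLOSE_MODIFIED) v = V_MODIFIED_FLAG;
    else if (!s) v = V_UNKNOWN;   /* no baseline: a write cannot be ruled out */
    else v = (s->size != size || s->mtime != mtime) ? V_MODIFIED_STAT : V_UNCHANGED;
    if (s) s->used = 0;           /* release the slot on close */
    return v;
}
```

A scanner built on this would queue the file for analysis on V_MODIFIED_FLAG, V_MODIFIED_STAT and V_UNKNOWN, and skip only V_UNCHANGED.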