
I have a piece of software that works on Windows. The software has two components: a file system minifilter driver that works in kernel mode and a user mode component that talks to the driver. The driver receives notifications on IO interrupt requests, such as IRP_MJ_READ. A sample application that does this can be found on GitHub. This works for any user and most file systems supported by Windows.

I need to develop a similar piece of software for OS X (desktop and server only). Things I looked at:

My reservations are: FSEvents may not be very performant, as I need to monitor the root / folder and any mounted devices. I have a very limited understanding of kernel queues, and syscall API hijacking may make it very hard to port to different OS X versions and can cause conflicts with AV or OS protection (such as PaX hardening).

Question: how can I get notifications that a file in any (recursive) folder under root / is being read by any user on OS X?

oleksii
  • another question for you: do you intend for your app to be sandboxed or available on the Mac app store? – Michael Dautermann Nov 05 '15 at 11:29
  • Not sure, whatever's easier and whatever will allow me to do this. I think AVs are available through the store and sandboxing probably won't allow me to do things I need to do. – oleksii Nov 05 '15 at 11:31

2 Answers


With a kernel extension, Kernel Authorization provides the File Operation Scope, allowing you to monitor the KAUTH_FILEOP_OPEN action for all vnodes.

The KAUTH_FILEOP_OPEN action will be called before access to all files, thus allowing you to monitor file access.

If you want more granularity of actions, the vnode scope provides a larger set of actions, including KAUTH_VNODE_READ_DATA, but be aware that this scope can be very noisy, triggering a very large number of actions at any one time.

Example code for such a kernel extension can be found in Singh's Mac OS X Internals.

TheDarkKnight

There's nothing wrong with the performance of FSEvents; if you use Spotlight and/or Time Machine, it's already running on your system. I'd be very surprised if there was a more efficient way to reimplement it from scratch. So if it meets your requirements in every other way, I'd go with that.

pmdj
  • FSEvents does not provide me with the Process Id (or process name) and User security identifier (or user name). The example I am after is: Bob reads a file in /tmp/banana with application bananareader.jar at 7:50 AM. I think FSEvents can only provide me with "/tmp/banana file was read at 7:50". – oleksii Nov 12 '15 at 11:00