On Aug 6, 2007, at 2:39 PM, Terry Lambert wrote:
On Aug 4, 2007, at 6:57 AM, Vishal Shetye wrote:
Actually I intend to hook open system call and scope suitable for
me is
VNODE. Although KAUTH_VNODE_READ_DATA suffice the purpose, how
would I
differentiate between open and read. And what about close()? What
notification should I receive?
In order:
KAUTH_FILEOP_OPEN
KAUTH_VNODE_READ_DATA
KAUTH_FILEOP_CLOSE
...in other words, you will need to listen in more than one scope.
Hang a sec here Terry. You won't see those in that order.
VNODE_READ_DATA will show up in the VNODE scope first, as
authorisation is sought for the operation. This may show up any
number of times; it may or may not be associated with an open; there
is no way to know which open, if any, is associated with a given
authorisation. There is no guarantee that an open will even require
authorisation (there are various reasons why this is the case).
Once the file has actually been opened successfully, but before any
I/O is performed on its contents, you will see FILEOP_OPEN in the
FILEOP scope. You may see this multiple times for a given file. It
is possible in some cases (e.g. fork, descriptor passing) for
processes to have a file open without an associated FILEOP_OPEN event.
When the file is closed for the last time, you will see FILEOP_CLOSE
in the FILEOP scope.
There is no notification for closes prior to the last. There is no
notification for read/write operations against a file (and for
practical reasons in the general case, cannot be).
