• Open Menu Close Menu
  • Apple
  • Shopping Bag
  • Apple
  • Mac
  • iPad
  • iPhone
  • Watch
  • TV
  • Music
  • Support
  • Search apple.com
  • Shopping Bag

Lists

Open Menu Close Menu
  • Terms and Conditions
  • Lists hosted on this site
  • Email the Postmaster
  • Tips for posting to public mailing lists
Re: virus scan application
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: virus scan application

  • Subject: Re: virus scan application
  • From: Terry Lambert <email@hidden>
  • Date: Mon, 6 Aug 2007 20:07:44 -0700
On Aug 6, 2007, at 7:40 PM, Michael Smith wrote: 
On Aug 6, 2007, at 2:39 PM, Terry Lambert wrote:

On Aug 4, 2007, at 6:57 AM, Vishal Shetye wrote:
Actually I intend to hook open system call and scope suitable for me is
VNODE. Although KAUTH_VNODE_READ_DATA suffice the purpose, how would I
differentiate between open and read. And what about close()? What
notification should I receive? 

In order:

	KAUTH_FILEOP_OPEN
	KAUTH_VNODE_READ_DATA
	KAUTH_FILEOP_CLOSE

...in other words, you will need to listen in more than one scope. 

Hang a sec here Terry.  You won't see those in that order.

VNODE_READ_DATA will show up in the VNODE scope first, as authorisation is sought for the operation. This may show up any number of times; it may or may not be associated with an open; there is no way to know which open, if any, is associated with a given authorisation. There is no guarantee that an open will even require authorisation (there are various reasons why this is the case).

Once the file has actually been opened successfully, but before any I/O is performed on its contents, you will see FILEOP_OPEN in the FILEOP scope. You may see this multiple times for a given file. It is possible in some cases (e.g. fork, descriptor passing) for processes to have a file open without an associated FILEOP_OPEN event.

When the file is closed for the last time, you will see FILEOP_CLOSE in the FILEOP scope.

There is no notification for closes prior to the last. There is no notification for read/write operations against a file (and for practical reasons in the general case, cannot be).

I meant "in order you asked", not "in the order you'll see these"; sorry if that wasn't clear.

Vishal: the documentation is very clear on the fact that you will not get notification on individual reads or writes, only that you will get notification of a request for read access, notification of the open, notification of the close, and, if it was written while it was open, notification of that fact at the time it is closed.

You really need to read the documentation.

-- Terry
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-kernel mailing list      (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden






References: 


 >virus scan application (From: "Vishal Shetye" <email@hidden>)


 >Re: virus scan application (From: Terry Lambert <email@hidden>)


 >RE: virus scan application (From: "Vishal Shetye" <email@hidden>)


 >Re: virus scan application (From: Terry Lambert <email@hidden>)






    

  • Prev by Date:
Re: virus scan application

    • 

  • Next by Date:
Compatibility of IOKit drivers

    • 

  • Previous by thread:
Re: virus scan application

    • 

  • Next by thread:
Re: virus scan application

    • 

  • Index(es):

      

    • Date
      • 

    • Thread
      • 

    

    •