How to identify file being closed is modified or created in action KAUTH_FILEOP_CLOSE from Mac KEXT
- Subject: How to identify file being closed is modified or created in action KAUTH_FILEOP_CLOSE from Mac KEXT
- From: Rupesh Khetawat <email@hidden>
- Date: Sat, 09 Jun 2012 00:01:46 -0700
I have observed that FWRITE or KAUTH_FILEOP_CLOSE_MODIFIED is not consistently set in the KAUTH_FILEOP_CLOSE action during file modification or file copy.

My use case is that I am trying to figure out whether the file being closed is a modified file or a newly created file. I want to ignore files that are not modified. As per the documentation, I am checking for the KAUTH_FILEOP_CLOSE_MODIFIED flag when the file action is KAUTH_FILEOP_CLOSE. Most of the time, I have observed that KAUTH_FILEOP_CLOSE_MODIFIED is not set when a file is copied from one location to another or a file is modified. I also observed that the FWRITE flag is set, but not consistently for modified or copied files. I am just wondering why the behavior is so inconsistent.

Another way I was thinking of was to rely on the vnode action KAUTH_VNODE_WRITE_DATA, but I have observed that there are multiple KAUTH_VNODE_WRITE_DATA calls even when the file is not modified.

Can you suggest a way to determine if the file being closed is modified?

Thanks in advance.

Regards,
Rupesh
Darwin-kernel mailing list (email@hidden)