site_archiver@lists.apple.com Delivered-To: darwin-kernel@lists.apple.com On Aug 6, 2007, at 2:39 PM, Terry Lambert wrote: In order: KAUTH_FILEOP_OPEN KAUTH_VNODE_READ_DATA KAUTH_FILEOP_CLOSE Hang a sec here Terry. You won't see those in that order. You really need to read the documentation. -- Terry _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-kernel mailing list (Darwin-kernel@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-kernel/site_archiver%40lists.a... On Aug 6, 2007, at 7:40 PM, Michael Smith wrote: On Aug 4, 2007, at 6:57 AM, Vishal Shetye wrote: Actually I intend to hook open system call and scope suitable for me is VNODE. Although KAUTH_VNODE_READ_DATA suffice the purpose, how would I differentiate between open and read. And what about close()? What notification should I receive? ...in other words, you will need to listen in more than one scope. VNODE_READ_DATA will show up in the VNODE scope first, as authorisation is sought for the operation. This may show up any number of times; it may or may not be associated with an open; there is no way to know which open, if any, is associated with a given authorisation. There is no guarantee that an open will even require authorisation (there are various reasons why this is the case). Once the file has actually been opened successfully, but before any I/O is performed on its contents, you will see FILEOP_OPEN in the FILEOP scope. You may see this multiple times for a given file. It is possible in some cases (e.g. fork, descriptor passing) for processes to have a file open without an associated FILEOP_OPEN event. When the file is closed for the last time, you will see FILEOP_CLOSE in the FILEOP scope. There is no notification for closes prior to the last. There is no notification for read/write operations against a file (and for practical reasons in the general case, cannot be). I meant "in order you asked", not "in the order you'll see these"; sorry if that wasn't clear. Vishal: the documentation is very clear on the fact that you will not get notification on individual reads or writes, only that you will get notification of a request for read access, notification of the open, notification of the close, and, if it was written while it was open, notification of that fact at the time it is closed. This email sent to site_archiver@lists.apple.com