I mounted a 3rd file system on macOS, I want to monitor the copy event by Finder on this 3rd file system, so I use an Endpoint Security client.
I know that ES_EVENT_TYPE_NOTIFY_CLONE will only be triggered by Apple File System clone operation. ES_EVENT_TYPE_NOTIFY_COPYFILE is triggered by the SYS_copyfile system call.
If I want to monitor the copy/paste operation by Finder(The copy can happens in the 3rd file system or between 3rd and Apple File System), which ES event should I register?
This is a classic example of this issue I discuss in Inferring High-Level Semantics from Low-Level Operations.
Share and Enjoy
—
Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"