Thank you for the help!
Thank you for response!
Looks like the only way of getting fs type is to analyse string values. (kDADiskDescriptionVolumeKindKey is string too)
What are you actually trying to do?
Monitoring new mounts, but first of all the app must enumerate mounted volumes. I enumerate all mounts with getmntinfo_r_np(), and it returns devfs, which must be skipped.
Thank you a lot for your help!
Thank you for the support!
Thank you a lot for sharing knowledge. These are very valuable tips which will save a lot of my time.
Thank you again!
In my case, stat struct is provided by Endpoint Security message.
Looks like the best solution is to use the DiskArbitration framework. DiskArbitration can be used to find the relationship between a mount point (DAVolumePath) and a physical device (DADiskGetBSDName).
If st_dev and st_rdev are identical for any objects located on the same filesystem, the mount point directory has the same st_dev and st_rdev too. So, bsdName can be found for any object. And finally, a device can be found in the I/O Registry by bsdName.
Thank you a lot for detailed answer!!!
Hello,
I am sorry for the delay with my answer (Christmas and a few weeks of holidays). The volume is mounted with read-only permission by the default driver.
Can you share its entry from the volume list when you run "mount" in Terminal? That might provide more detail about what's actually going on.
# df /dev/disk4s1
Filesystem 512-blocks Used Available Capacity iused ifree %iused Mounted on
/dev/disk4s1 30715832 93776 30622056 1% 1 0 100% /Volumes/CCCOMA_X64FRE_RU-RU_DV9
# mount | grep disk4s1
/dev/disk4s1 on /Volumes/CCCOMA_X64FRE_RU-RU_DV9 (ntfs, local, nodev, nosuid, read-only, noowners, noatime, fskit)
That is, the values of st_dev and st_rdev will be identical for any objects located on the same filesystem.
Thank you a lot for this confirmation! I can implement my task based on this info.
Thank you a lot for your help!
Thank you a lot!
I am looking for audit_token_to_auid() description. What is the audit user ID?
Is this a value which is assigned to a user upon login and is inherited by every process he starts in the session?
Thank you for your time and help!
Thank you for the reply!
I am afraid the PID is not what I need. I need to find the logged-in user who is associated with the process.
I found the following description of audit user (non-official docs):
Audit User ID is assigned to a user upon login and is inherited by every process even when the user's identity changes (for example, by switching user accounts with su - john).
Is it true for macOS?
Thank you for your help!
Thank you for the support!
Looks like this issue has been fixed in 14.6.1.
The application is using a KEXT (Socket Filters) to intercept the traffic.
I am looking for a way to implement a new solution based on Network Extension. However, I have not found any obvious way to intercept the outgoing traffic and have the possibility to modify it.
Is it possible? If yes, what are the best practices? What is the simplest way to implement it?
Thank you in advance.
Thank you for the help!
Thank you for the help!
If I want to start NETransparentProxyProvider, I have to set a VPN configuration, which is described by NEVPNProtocol.
[NETransparentProxyManager sharedManager].protocolConfiguration
So it looks like I have to have a VPN server running locally if I want to intercept the desired outgoing network traffic.
Can it be done by the Network Extension framework?
Or am I missing something?