Block ES_EVENT_TYPE_AUTH_CLONE event response, but NSFileManager copyItemAtPath: can still copy new files

I implemented a method to monitor the testfile copy activity and reject it using ES_EVENT_TYPE_AUTH_CLONE. The copy code used is as follows:

NSFileManager *fileManager = [NSFileManager defaultManager];
NSError *error = nil;
NSString *sourcePath = self.CopyFilePath.stringValue;
NSString *destinationPath = [sourcePath stringByAppendingFormat:@"(Code copy file)"];
BOOL success = [fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error];
if (success) {
    NSLog(@"File copy successful");
} else {
    NSLog(@"File copy failure:%@", error.localizedDescription);
}

This code fires the ES_EVENT_TYPE_AUTH_CLONE event, and I treat the auth event as ES_AUTH_RESULT_DENY, but a new file, testfile(Code copy file), is still created. How can I prevent, through code, the file copy implemented by the following call?

[fileManager copyItemAtPath:sourcePath toPath:destinationPath error:&error];

Replies

If you run fs_usage against the process calling FileManager, I think you’ll find that the clonefile system call does actually fail. I suspect that the copy engine is handling this error by falling back to the old school copy algorithm of open, read and write in a loop, and then close.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"

I also think that it may not be good to intercept the operation of the code copy file.

At the same time, I found a new problem. I wanted to block writing to a file. Writing to the file through program code does not seem to trigger the ES_EVENT_TYPE_AUTH_OPEN event, so the program code can still write to the file.

NSFileManager *fileManager = [NSFileManager defaultManager];
if ([fileManager fileExistsAtPath:self.CopyFilePath.stringValue]) {
    // Write to file
    NSString *content = @"test";
    [content writeToFile:self.CopyFilePath.stringValue atomically:YES encoding:NSUTF8StringEncoding error:nil];
}

I would like to know what events can be monitored to intercept program code writing to a file.

Again, I recommend that you use fs_usage to see exactly what file system calls are being generated in this case. That should then offer some hints as to what events to monitor in your ES client.

For example, in this case the use of atomically means that the content is written to a temporary file and then renamed into place. fs_usage will show that, and you can then adjust your ES client accordingly.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"
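
Added example, not part of any post in this thread and not Apple's code: an Endpoint Security client that covers the paths the two replies above describe, denying the clone, the open that a fallback read/write copy or a direct write needs, and the rename that an atomic write ends with. The path /Users/Shared/testfile is a constructed placeholder, and the mapping of those system calls to AUTH_OPEN and AUTH_RENAME is this example's assumption, to be confirmed with fs_usage.

```objective-c
// Added example. Build on macOS: clang guard.m -lEndpointSecurity -o guard
// Run as root, signed with the com.apple.developer.endpoint-security.client entitlement.
#include <EndpointSecurity/EndpointSecurity.h>
#include <dispatch/dispatch.h>
#include <stdio.h>
#include <string.h>
#include <sys/fcntl.h>  // FREAD / FWRITE, the kernel flags reported in open.fflag

static const char *kProtected = "/Users/Shared/testfile";  // constructed placeholder
static bool is_protected(const es_file_t *f) {
    size_t n = strlen(kProtected);
    return f != NULL && f->path.length == n && memcmp(f->path.data, kProtected, n) == 0;
}

static void handle(es_client_t *c, const es_message_t *m) {
    bool deny = false;
    switch (m->event_type) {
    case ES_EVENT_TYPE_AUTH_CLONE:   // clonefile(2), the first thing the copy engine tries
        deny = is_protected(m->event.clone.source);
        break;
    case ES_EVENT_TYPE_AUTH_RENAME:  // atomic write: temp file renamed over the target
        deny = is_protected(m->event.rename.source) ||
               (m->event.rename.destination_type == ES_DESTINATION_TYPE_EXISTING_FILE &&
                is_protected(m->event.rename.destination.existing_file));
        break;
    case ES_EVENT_TYPE_AUTH_OPEN:    // fallback copy reads the source; direct writes open it
        // ES cannot tell a copy's read from any other read: this blocks every reader too.
        deny = is_protected(m->event.open.file) && (m->event.open.fflag & (FREAD | FWRITE));
        es_respond_flags_result(c, m, deny ? 0 : UINT32_MAX, false);  // OPEN takes flags
        return;
    default: break;
    }
    es_respond_auth_result(c, m, deny ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW, false);
}

int main(void) {
    es_client_t *client = NULL;
    if (es_new_client(&client, ^(es_client_t *c, const es_message_t *m) { handle(c, m); })
            != ES_NEW_CLIENT_RESULT_SUCCESS) {
        fprintf(stderr, "es_new_client failed (root and the ES entitlement are required)\n");
        return 1;
    }
    es_event_type_t events[] = { ES_EVENT_TYPE_AUTH_CLONE, ES_EVENT_TYPE_AUTH_RENAME, ES_EVENT_TYPE_AUTH_OPEN };
    if (es_subscribe(client, events, sizeof events / sizeof events[0]) != ES_RETURN_SUCCESS) {
        es_delete_client(client);
        return 1;
    }
    dispatch_main();  // never returns; the handler runs for each AUTH message
}
```

Results are not cached (the final `false` argument), so every matching operation is re-evaluated.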

Thank you very much for your reply. I understand the problem.

Since I am a beginner in osx development, I want to learn the usage of fs_usage. Do you have any recommended materials, or can you provide some examples of fs_usage?

fs_usage is a command-line tool built in to macOS. Such tools are documented in man pages. See Reading UNIX Manual Pages.

Share and Enjoy

Quinn “The Eskimo!” @ Developer Technical Support @ Apple
let myEmail = "eskimo" + "1" + "@" + "apple.com"