When I'm using Endpoint Security to monitor the file creation behavior of Keynote, I've noticed that when I choose to export a Keynote file as an HTML file, ES only triggers the ES_EVENT_TYPE_NOTIFY_CREATE notification for the index.html file, and the ES_EVENT_TYPE_AUTH_CREATE is not triggered. I've double-checked my code many times, and I'm pretty sure there's no error in it. Does ES only call the notification event without calling the authorization event under certain circumstances? Or is this a bug in ES?
Does ES only call the notification event without calling the authorization event under certain circumstances?
That is a surprisingly complicated question to answer. The underlying issue here is that because of how our code is structured, auth and notify hooks often end up having very different implementations. In this case, ES_EVENT_TYPE_AUTH_CREATE is handled through mac_vnode_check_create, which is called in multiple places in the vfs layer (for example, vfs_subr.c and vfs_syscalls.c). If you look at the specific calls, the reason is straightforward: multiple calls will eventually create vnodes and we need to confirm that creation will be allowed before any real work starts.
On the other side, "ES_EVENT_TYPE_NOTIFY_CREATE" is implemented through mac_vnode_notify_create, but that function is only called inside "vnode_label" in mac_vfs_subr.c. Again, it's easy to see the thinking here: the goal was to catch "all create events" and (I assume) vnode_label was chosen as it was a convenient bottleneck that would catch "everything".
However, that does mean there is a split between the specifics of their implementation. That is:
- ES_EVENT_TYPE_AUTH_CREATE -> mac_vnode_check_create -> "Auth every call that runs through these designated bottlenecks"
- ES_EVENT_TYPE_NOTIFY_CREATE -> mac_vnode_notify_create -> "Every call to vnode_label that's flagged with VNODE_LABEL_CREATE"
...and #2 is significantly broader than #1.
Returning to here:
Does ES only call the notification event without calling the authorization event under certain circumstances?
I didn't trace the full details but, yes, that's very likely. Looking at the specific case you're talking about here:
When I'm using Endpoint Security to monitor the file creation behavior of Keynote,
I suspect file cloning was involved. If you look at clonefile_internal, it calls mac_vnode_check_clone (which would have called ES_EVENT_TYPE_AUTH_CLONE) and then eventually calls "vnode_label(VNODE_LABEL_CREATE)" (which would have led to ES_EVENT_TYPE_NOTIFY_CREATE).
It's possible I've overlooked something, but my read of things is that file cloning will bypass mac_vnode_check_create. I suspect this is the most common case you'll see; however, I wouldn't assume it's the only one.
Or is this a bug in ES?
Not really, though I can certainly see an argument for "yes". In general, ES tries to avoid having multiple auth calls for any given "action", using the specific (ES_EVENT_TYPE_AUTH_CLONE) over the general (ES_EVENT_TYPE_AUTH_CREATE) when overlap exists. That's also true of notify events, however, in this case I think the convenient bottleneck provided by vnode_label means you will get two (ES_EVENT_TYPE_NOTIFY_CREATE & ES_EVENT_TYPE_NOTIFY_CLONE). Of course, notify events are less of a performance concern so the second case isn't really an issue.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware
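The split Kevin describes above has a practical consequence for anyone enforcing a file-creation policy with ES: an auth decision is delivered once per action, on the most specific event, so a client that subscribes only to ES_EVENT_TYPE_AUTH_CREATE never gets to decide on a clonefile(2). The Swift client below is an added example, not code from this thread or from Apple. It subscribes to AUTH_CREATE and AUTH_CLONE together and routes both through one policy function, so a clone into the protected directory is decided on the same terms as an ordinary create, and it treats NOTIFY_CREATE purely as audit output. The protected path (/Users/Shared/protected/) is a constructed placeholder, and the helpers string(from:), createTargetPath and decision(forTarget:) are the example's own; the ES calls and event fields are the public EndpointSecurity API.

```swift
import EndpointSecurity
import Foundation

// Constructed placeholder for this example: creations and clones under this
// directory are denied, everything else is allowed.
let protectedRoot = "/Users/Shared/protected/"

// es_string_token_t is a pointer plus a length and is not guaranteed to be
// NUL-terminated, so copy exactly `length` bytes instead of using cString.
func string(from token: es_string_token_t) -> String {
    let bytes = UnsafeRawBufferPointer(start: token.data, count: token.length)
    return String(decoding: bytes, as: UTF8.self)
}

// Resolve the target path of an AUTH_CREATE / NOTIFY_CREATE event. The
// destination union differs depending on whether the vnode already exists.
func createTargetPath(_ create: es_event_create_t) -> String {
    switch create.destination_type {
    case ES_DESTINATION_TYPE_EXISTING_FILE:
        return string(from: create.destination.existing_file.pointee.path)
    case ES_DESTINATION_TYPE_NEW_PATH:
        let dir = string(from: create.destination.new_path.dir.pointee.path)
        return dir + "/" + string(from: create.destination.new_path.filename)
    default:
        return "<unknown>"
    }
}

// One policy for both auth events, so clonefile(2) cannot sidestep it the way
// it sidesteps mac_vnode_check_create in the kernel.
func decision(forTarget path: String) -> es_auth_result_t {
    return path.hasPrefix(protectedRoot) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
}

func handle(_ client: OpaquePointer, _ message: UnsafePointer<es_message_t>) {
    let msg = message.pointee
    let proc = string(from: msg.process.pointee.executable.pointee.path)
    switch msg.event_type {
    case ES_EVENT_TYPE_AUTH_CREATE:
        // Generic creates (open with O_CREAT, mkdir, link, ...): the paths that
        // pass through mac_vnode_check_create.
        let target = createTargetPath(msg.event.create)
        let result = decision(forTarget: target)
        es_respond_auth_result(client, message, result, false)
        print("AUTH_CREATE  \(proc) -> \(target): \(result == ES_AUTH_RESULT_ALLOW ? "allow" : "deny")")
    case ES_EVENT_TYPE_AUTH_CLONE:
        // clonefile(2) is authorized via mac_vnode_check_clone instead, so this
        // is the only chance to deny it; AUTH_CREATE will not follow.
        let clone = msg.event.clone
        let source = string(from: clone.source.pointee.path)
        let target = string(from: clone.target_dir.pointee.path) + "/" + string(from: clone.target_name)
        let result = decision(forTarget: target)
        es_respond_auth_result(client, message, result, false)
        print("AUTH_CLONE   \(proc) \(source) -> \(target): \(result == ES_AUTH_RESULT_ALLOW ? "allow" : "deny")")
    case ES_EVENT_TYPE_NOTIFY_CREATE:
        // Emitted from vnode_label(VNODE_LABEL_CREATE), so it also fires for
        // clones and other paths that never produced AUTH_CREATE. Log it, but
        // never rely on it as the enforcement point.
        print("NOTIFY_CREATE \(proc) -> \(createTargetPath(msg.event.create))")
    case ES_EVENT_TYPE_NOTIFY_CLONE:
        let clone = msg.event.clone
        let target = string(from: clone.target_dir.pointee.path) + "/" + string(from: clone.target_name)
        print("NOTIFY_CLONE  \(proc) \(string(from: clone.source.pointee.path)) -> \(target)")
    default:
        break
    }
}

var client: OpaquePointer?
let newResult = es_new_client(&client) { client, message in handle(client, message) }
guard newResult == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    fatalError("es_new_client failed: \(newResult)")
}

// Subscribe to the specific auth event alongside the general one; an action is
// authorized once, on the most specific event that applies to it.
var events: [es_event_type_t] = [
    ES_EVENT_TYPE_AUTH_CREATE, ES_EVENT_TYPE_AUTH_CLONE,
    ES_EVENT_TYPE_NOTIFY_CREATE, ES_EVENT_TYPE_NOTIFY_CLONE,
]
guard es_subscribe(client, &events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}
dispatchMain()
```

The binary has to be signed with the com.apple.developer.endpoint-security.client entitlement, run as root, and be granted Full Disk Access before es_new_client will succeed. Reproducing the Keynote export from the question with this client running shows the pattern from the answer directly: an AUTH_CLONE line, then both a NOTIFY_CREATE and a NOTIFY_CLONE line for the same target, and no AUTH_CREATE line at all.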