Following the topic of intercepting file access events: could you suggest other technologies that are better suited to achieve this goal?
So, I think the big question here is "what are you actually trying to do“? The core problem here is that:
-
Read I/O is REALLY frequent, so the system doesn't want to do anything that would make it slower/more complicated.
-
Memory mapping makes the idea of tracking reads somewhat... questionable. As the most extreme example of this, take the file that's the backing "libsystem.dylib". EVERY (yes, EVERY) process in the system has mapped it into memory and is accessing it very frequently. Tying any I/O activity on that file to any specific process isn't really possible or meaningful. Even if you could track actual I/O activity (meaning, read from disks) and tie it to a particular process, all that would tell you is "which process happened to ask for a page I didn't have". It wouldn't tell you anything about the other X processes that accessed the data directly from VM without ever touching the disk.
As far as reads are concerned, most ES clients side-step the issue by just assuming that opening for read access means that the file has in fact been fully "read".
P.S. Thank you for the warning and for the links to other forum threads on this topic; very useful. As someone who came from the kernel driver world, I can imagine the possible performance impact of a subsystem like Endpoint Security, and the responsibility that comes with it.
The critical point there is what the ES system actually is: the user space side of a kauth client. To a large extent, this is kernel development in much the same way writing a kauth client was. Case in point, it is not particularly hard for an ES client to panic the kernel. Delay the wrong events long enough and the kernel will assume user space is hung and panic to reset the machine.
Creating that kind of delay is harder in a monitor-only client; however, once multiple ES clients are involved, all sorts of interesting interactions become possible.
My app is monitoring-only, so hopefully it will be less prone to such errors. Anyway, I will use your advice and try to be more careful.
Being monitor-only certainly helps simplify things, but it definitely doesn't solve the issue here. The big problem here is deadlocking issues, particularly with other ES clients involved.
__
Kevin Elliott
DTS Engineer, CoreOS/Hardware