I'm trying to monitor file copying to external USB drives in a kext. This is how I implemented it:
- Call kauth_listen_scope() to register a listener for KAUTH_SCOPE_VNODE.
- When I receive a KAUTH_VNODE_READ_DATA event on a local drive, I put the file information in a queue for the record.
- When I receive a KAUTH_VNODE_WRITE_DATA event on an external drive, I search the queue in reverse order. If I find a match, I send this file information to a user-space daemon for checking, then return KAUTH_RESULT_DENY if the file shouldn't be copied out.
Everything works fine for individual files according to my tests. But when I copy a directory with some files in it to the USB drive, it doesn't work. Apple seems to ignore the KAUTH_RESULT_DENY code I return, although I'm pretty sure I catch this copy successfully based on logging.
Using the MAC policy API, I encountered the same issue. In an mpo_vnode_check_open callback function, I check the read/write flag. For individual files, it works great. But when I copy a folder of files, this function is never called with the write flag. Does Apple deliberately skip the callback function when it comes to copying a folder?
Can anybody give me some suggestions? Thanks!
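The read-record queue and reverse search that the post describes, as an added user-space C model that is not the poster's kext code and contains no kernel API calls: the event kinds, pids, file ids, paths and the daemon's "deny anything under /confidential/" rule are all constructed here, and the match key (same pid, most recent local read) is an assumption, since the post does not say what "matching" compares. The model says nothing about why the kernel delivers no write callback in the directory case; it only shows what the queue logic decides when it does get the events.

```c
/* User-space model of a kauth-style read/write correlation queue.
 * Added example: stands in for KAUTH_VNODE_READ_DATA / KAUTH_VNODE_WRITE_DATA
 * handling, with a fixed-size ring searched newest-first. Not kernel code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define QUEUE_SIZE 8

typedef enum { EV_READ_DATA, EV_WRITE_DATA } ev_kind_t;   /* simplified kauth actions */
typedef enum { RESULT_DEFER, RESULT_DENY } result_t;       /* like KAUTH_RESULT_DEFER/DENY */

typedef struct {
    ev_kind_t kind;
    uint32_t pid;       /* process doing the access */
    uint64_t fileid;    /* constructed file id of the vnode */
    bool mount_local;   /* true if the vnode's mount is a local drive */
    const char *path;   /* constructed path */
} vnode_event_t;

typedef struct { uint32_t pid; uint64_t fileid; const char *path; } read_record_t;

static read_record_t queue[QUEUE_SIZE];
static size_t queue_head = 0;    /* next slot to overwrite */
static size_t queue_count = 0;

void queue_reset(void) { queue_head = 0; queue_count = 0; }

/* Record a local read; the ring silently drops the oldest entry when full. */
static void queue_push(uint32_t pid, uint64_t fileid, const char *path) {
    queue[queue_head] = (read_record_t){ pid, fileid, path };
    queue_head = (queue_head + 1) % QUEUE_SIZE;
    if (queue_count < QUEUE_SIZE) queue_count++;
}

/* Reverse search: walk from the newest record backwards, return the most
 * recent local read performed by the same pid, or NULL. */
static const read_record_t *queue_find_recent_read(uint32_t pid) {
    for (size_t i = 0; i < queue_count; i++) {
        size_t idx = (queue_head + QUEUE_SIZE - 1 - i) % QUEUE_SIZE;
        if (queue[idx].pid == pid) return &queue[idx];
    }
    return NULL;
}

/* Stand-in for the user-space daemon's verdict (constructed rule). */
static bool daemon_allows(const char *source_path) {
    return strstr(source_path, "/confidential/") == NULL;
}

/* The listener's decision for one event, following the post's two steps. */
result_t handle_event(const vnode_event_t *ev) {
    if (ev->kind == EV_READ_DATA && ev->mount_local) {
        queue_push(ev->pid, ev->fileid, ev->path);
        return RESULT_DEFER;
    }
    if (ev->kind == EV_WRITE_DATA && !ev->mount_local) {
        const read_record_t *rec = queue_find_recent_read(ev->pid);
        if (rec != NULL && !daemon_allows(rec->path)) return RESULT_DENY;
    }
    return RESULT_DEFER;
}

/* Scenario 1: single file read locally, then written to the USB mount by the same pid. */
result_t scenario_single_file(void) {
    queue_reset();
    vnode_event_t rd = { EV_READ_DATA,  100, 1,   true,  "/Users/alice/confidential/plan.txt" };
    vnode_event_t wr = { EV_WRITE_DATA, 100, 900, false, "/Volumes/USB/plan.txt" };
    handle_event(&rd);
    return handle_event(&wr);
}

/* Scenario 2: directory-copy pattern where the copying tool reads every source
 * file before writing any destination file. Returns how many writes were denied. */
int scenario_dir_copy_denied_count(void) {
    queue_reset();
    vnode_event_t rd1 = { EV_READ_DATA,  100, 1,   true,  "/Users/alice/confidential/plan.txt" };
    vnode_event_t rd2 = { EV_READ_DATA,  100, 2,   true,  "/Users/alice/public/readme.txt" };
    vnode_event_t wr1 = { EV_WRITE_DATA, 100, 900, false, "/Volumes/USB/dir/plan.txt" };
    vnode_event_t wr2 = { EV_WRITE_DATA, 100, 901, false, "/Volumes/USB/dir/readme.txt" };
    handle_event(&rd1);
    handle_event(&rd2);
    int denied = 0;
    if (handle_event(&wr1) == RESULT_DENY) denied++;
    if (handle_event(&wr2) == RESULT_DENY) denied++;
    return denied;
}

int main(void) {
    printf("single file: %s\n", scenario_single_file() == RESULT_DENY ? "DENY" : "DEFER");
    printf("directory copy: %d of 2 writes denied\n", scenario_dir_copy_denied_count());
    return 0;
}
```

Scenario 2 is the reason the match key matters: with "most recent read by this pid" as the key, both destination writes are correlated with the last source read (the public file), so the confidential file passes even though every event was delivered. A write vnode carries the destination's identity, not the source's, so any read/write correlation of this kind is a heuristic, and a directory copy that batches reads before writes is exactly the access pattern that defeats a newest-first search.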