There are various ways to monitor filesystem access on macOS Ventura, like FSEvents or the new Endpoint Security System Extension framework.
Is there a way to intercept and potentially prevent a filesystem call of another process? Similarly to how Little Snitch intercepts network connection attempts and prompts a user to allow or deny that connection, but for files.
Example: a process (let's call it "MalwareX") calls open("data.txt", "r").

I suppose it can be done via a kernel extension (kext), but that requires lifting System Integrity Protection and kexts are generally going to be deprecated in the future in favor of System Extensions.
My question is: can it be done via currently supported macOS system frameworks and tools?
The Endpoint Security framework you already mention fills this role. Each kind of event message has an action_type of either "AUTH" or "NOTIFY". If it's "AUTH", the event must be authorised (or denied) by your endpoint security system extension, using es_respond_auth_result or es_respond_flags_result as appropriate.
("Notify" type events are merely informational, you can't block them.)
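To make the AUTH/NOTIFY distinction concrete, here is an added example of a minimal Endpoint Security client in Swift. It is not code from the question, the answer, or Apple; the protected directory, the read-only policy and the kFREAD/kFWRITE constants (copied from the FREAD/FWRITE values in <sys/fcntl.h>) are assumptions made for the illustration. It subscribes to ES_EVENT_TYPE_AUTH_OPEN, which per the ES headers must be answered with es_respond_flags_result (a mask of permitted open flags), and to ES_EVENT_TYPE_AUTH_UNLINK, which takes a plain allow/deny verdict via es_respond_auth_result. Files under the assumed directory can be opened for reading but not for writing, and cannot be deleted.

```swift
import EndpointSecurity
import Foundation

// Assumed policy for this example only: files below this prefix are read-only and undeletable.
let protectedPrefix = "/Users/Shared/protected/"

// Values of FREAD / FWRITE from <sys/fcntl.h>; the kernel reports the requested mode of an
// open(2) in event.open.fflag using these bits.
let kFREAD: Int32 = 0x0001
let kFWRITE: Int32 = 0x0002

// Decide which open flags a caller is allowed for a given path. UInt32.max authorises every
// flag the caller asked for; returning only FREAD makes write opens fail with EPERM.
func authorizedOpenFlags(path: String, requested: Int32) -> UInt32 {
    guard path.hasPrefix(protectedPrefix) else { return UInt32.max }
    return UInt32(kFREAD)
}

// Copy the NUL-terminated path out of an es_file_t so we can inspect it.
func pathOf(_ file: UnsafeMutablePointer<es_file_t>) -> String {
    String(cString: file.pointee.path.data)
}

var client: OpaquePointer?
let created = es_new_client(&client) { esClient, message in
    // NOTIFY messages are informational only; only AUTH messages carry a pending decision
    // and every one of them must be answered before message.pointee.deadline.
    guard message.pointee.action_type == ES_ACTION_TYPE_AUTH else { return }
    let caller = pathOf(message.pointee.process.pointee.executable)

    switch message.pointee.event_type {
    case ES_EVENT_TYPE_AUTH_OPEN:
        let target = pathOf(message.pointee.event.open.file)
        let flags = authorizedOpenFlags(path: target, requested: message.pointee.event.open.fflag)
        if flags != UInt32.max {
            NSLog("restricting open of %@ by %@ to read-only", target, caller)
        }
        // AUTH_OPEN expects a flags mask, not an allow/deny verdict. cache=false because the
        // cached answer would apply to the file for every later opener, not just this caller.
        _ = es_respond_flags_result(esClient, message, flags, false)

    case ES_EVENT_TYPE_AUTH_UNLINK:
        let target = pathOf(message.pointee.event.unlink.target)
        let verdict: es_auth_result_t =
            target.hasPrefix(protectedPrefix) ? ES_AUTH_RESULT_DENY : ES_AUTH_RESULT_ALLOW
        if verdict == ES_AUTH_RESULT_DENY {
            NSLog("denied unlink of %@ by %@", target, caller)
        }
        // Other AUTH events (unlink, rename, exec, ...) take a plain allow/deny result.
        _ = es_respond_auth_result(esClient, message, verdict, false)

    default:
        break
    }
}

guard created == ES_NEW_CLIENT_RESULT_SUCCESS, let client = client else {
    fatalError("es_new_client failed with result \(created.rawValue)")
}

let events: [es_event_type_t] = [ES_EVENT_TYPE_AUTH_OPEN, ES_EVENT_TYPE_AUTH_UNLINK]
guard es_subscribe(client, events, UInt32(events.count)) == ES_RETURN_SUCCESS else {
    fatalError("es_subscribe failed")
}

// The handler runs on an Endpoint Security dispatch queue; keep the main thread alive.
dispatchMain()
```

This only runs as a process signed with the com.apple.developer.endpoint-security.client entitlement (which Apple grants per developer account), executed as root, and, on current macOS, granted Full Disk Access by the user. Two practical caveats for a Little Snitch style "ask the user" design: the decision must be delivered before the message's deadline or the system kills the client, so an interactive prompt needs a default (normally deny) when the user does not answer in time; and the handler should never block on the filesystem it is authorising, since its own file accesses would otherwise generate events it then has to answer.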