Add transitive whitelisting to Santa

Santa.xcodeproj/project.pbxproj

@@ -159,6 +159,8 @@
 		59D56CF2D9C5BD9B7E3CC56D /* libPods-santad-santabs.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 14B98F4051188ECB7D024331 /* libPods-santad-santabs.a */; };
 		81133DB01F3A76F700917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
 		81133DB11F3A77C600917FF9 /* SNTCommand.m in Sources */ = {isa = PBXBuildFile; fileRef = 81133DAF1F3A75CE00917FF9 /* SNTCommand.m */; };
+		81A00E7F1FD74F8E00A84676 /* SNTCompilerController.m in Sources */ = {isa = PBXBuildFile; fileRef = 81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */; };
+		81A00E801FD74F9100A84676 /* SNTCompilerController.m in Sources */ = {isa = PBXBuildFile; fileRef = 81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */; };
 		B352A545B76783D568A6D0C5 /* libPods-Santa.a in Frameworks */ = {isa = PBXBuildFile; fileRef = 90E9D568200AB9B642E06272 /* libPods-Santa.a */; };
 		C714F8B11D8044D400700EDF /* SNTCommandFileInfo.m in Sources */ = {isa = PBXBuildFile; fileRef = 0DCD5FBE1909D64A006B445C /* SNTCommandFileInfo.m */; };
 		C714F8B21D8044FE00700EDF /* SNTCommandController.m in Sources */ = {isa = PBXBuildFile; fileRef = 0D35BDAB18FD7CFD00921A21 /* SNTCommandController.m */; };
@@ -431,6 +433,8 @@
 		7D949AA996AEAC326A4F6596 /* libPods-LogicTests.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-LogicTests.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		81133DAE1F3A75CE00917FF9 /* SNTCommand.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCommand.h; sourceTree = "<group>"; };
 		81133DAF1F3A75CE00917FF9 /* SNTCommand.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCommand.m; sourceTree = "<group>"; };
+		81A00E7D1FD74EFF00A84676 /* SNTCompilerController.h */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.h; path = SNTCompilerController.h; sourceTree = "<group>"; };
+		81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */ = {isa = PBXFileReference; fileEncoding = 4; lastKnownFileType = sourcecode.c.objc; path = SNTCompilerController.m; sourceTree = "<group>"; };
 		8EF10E4B8C86CED022C72F1B /* Pods-santactl.debug.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-santactl.debug.xcconfig"; path = "Pods/Target Support Files/Pods-santactl/Pods-santactl.debug.xcconfig"; sourceTree = "<group>"; };
 		90E9D568200AB9B642E06272 /* libPods-Santa.a */ = {isa = PBXFileReference; explicitFileType = archive.ar; includeInIndex = 0; path = "libPods-Santa.a"; sourceTree = BUILT_PRODUCTS_DIR; };
 		A6A91785C40257CC156B4F05 /* Pods-Santa.release.xcconfig */ = {isa = PBXFileReference; includeInIndex = 1; lastKnownFileType = text.xcconfig; name = "Pods-Santa.release.xcconfig"; path = "Pods/Target Support Files/Pods-Santa/Pods-Santa.release.xcconfig"; sourceTree = "<group>"; };
@@ -767,6 +771,8 @@
 				0DB8ACC0185662DC00FEF9C7 /* SNTApplication.m */,
 				0DE71A731B95F7F900518526 /* SNTCachedDecision.h */,
 				0DE71A741B95F7F900518526 /* SNTCachedDecision.m */,
+				81A00E7D1FD74EFF00A84676 /* SNTCompilerController.h */,
+				81A00E7E1FD74EFF00A84676 /* SNTCompilerController.m */,
 				0D8E18CB19107B56000F89B8 /* SNTDaemonControlController.h */,
 				0D8E18CC19107B56000F89B8 /* SNTDaemonControlController.m */,
 				0D63DD5A1906FCB400D346C4 /* SNTDatabaseController.h */,
@@ -1051,11 +1057,31 @@
 			attributes = {
 				LastUpgradeCheck = 0730;
 				TargetAttributes = {
+					0D0016A1192BCD3C005E7FCD = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
 					0D260DAB18B68E12002A0B55 = {
+						DevelopmentTeam = 9L79GAXCBC;
 						TestTargetID = 0D385DB5180DE4A900418BC6;
 					};
+					0D35BD9D18FD71CE00921A21 = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
+					0D385DB5180DE4A900418BC6 = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
+					0D91BCB3174E8A7E00131A7D = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
+					0D91BCDC174E8AE600131A7D = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
+					0D9A7F3C1759330400035EB5 = {
+						DevelopmentTeam = 9L79GAXCBC;
+					};
 					C78227531E1C3C58006EB2D6 = {
 						CreatedOnToolsVersion = 7.3.1;
+						DevelopmentTeam = 9L79GAXCBC;
 					};
 				};
 			};
@@ -1221,13 +1247,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-santad-santabs-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		2146C1274A8C11B3755A8A67 /* [CP] Check Pods Manifest.lock */ = {
@@ -1236,13 +1265,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-santad-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		23869BA352E2C86DEFE62819 /* [CP] Copy Pods Resources */ = {
@@ -1296,13 +1328,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-LogicTests-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		B193461D3612BCB47C16E407 /* [CP] Check Pods Manifest.lock */ = {
@@ -1311,13 +1346,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-Santa-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		BA20035148DDEF5808B2C7EF /* [CP] Embed Pods Frameworks */ = {
@@ -1358,13 +1396,16 @@
 			files = (
 			);
 			inputPaths = (
+				"${PODS_PODFILE_DIR_PATH}/Podfile.lock",
+				"${PODS_ROOT}/Manifest.lock",
 			);
 			name = "[CP] Check Pods Manifest.lock";
 			outputPaths = (
+				"$(DERIVED_FILE_DIR)/Pods-santactl-checkManifestLockResult.txt",
 			);
 			runOnlyForDeploymentPostprocessing = 0;
 			shellPath = /bin/sh;
-			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n";
+			shellScript = "diff \"${PODS_PODFILE_DIR_PATH}/Podfile.lock\" \"${PODS_ROOT}/Manifest.lock\" > /dev/null\nif [ $? != 0 ] ; then\n    # print error to STDERR\n    echo \"error: The sandbox is not in sync with the Podfile.lock. Run 'pod install' or update your CocoaPods installation.\" >&2\n    exit 1\nfi\n# This output is used by Xcode 'outputs' to avoid re-running this script phase.\necho \"SUCCESS\" > \"${SCRIPT_OUTPUT_FILE_0}\"\n";
 			showEnvVarsInLog = 0;
 		};
 		D49A3AB950AFD99741E9AF89 /* [CP] Embed Pods Frameworks */ = {
@@ -1465,6 +1506,7 @@
 				0D41DAD41A7C28C800A890FE /* SNTEventTableTest.m in Sources */,
 				0D3AFBEE18FB4C6C0087BCEE /* SNTApplication.m in Sources */,
 				0DD0D48F194F78F8005F27EB /* SNTFileInfoTest.m in Sources */,
+				81A00E801FD74F9100A84676 /* SNTCompilerController.m in Sources */,
 				0DC5D86E191AED220078A5C0 /* SNTRuleTable.m in Sources */,
 				0DD0D492194F9BEF005F27EB /* SNTLogging.m in Sources */,
 				0DE71A761B95F7F900518526 /* SNTCachedDecision.m in Sources */,
@@ -1574,6 +1616,7 @@
 				0D377C2A17A071B7008453DB /* SNTEventTable.m in Sources */,
 				0DE50F681912716A007B2B0C /* SNTRule.m in Sources */,
 				0DB77FD81CCE824A004DF060 /* SNTBlockMessage.m in Sources */,
+				81A00E7F1FD74F8E00A84676 /* SNTCompilerController.m in Sources */,
 				0D37C10F18F6029A0069BC61 /* SNTDatabaseTable.m in Sources */,
 				0D42D2B819D2042900955F08 /* SNTConfigurator.m in Sources */,
 				0DCD605519115D17006B445C /* SNTXPCControlInterface.m in Sources */,

Source/common/SNTCommonEnums.h

@@ -33,6 +33,9 @@ typedef NS_ENUM(NSInteger, SNTRuleState) {
   SNTRuleStateBlacklist = 2,
   SNTRuleStateSilentBlacklist = 3,
   SNTRuleStateRemove = 4,
+
+  SNTRuleStateWhitelistCompiler = 5,
+  SNTRuleStateWhitelistTransitive = 6,
 };
 
 typedef NS_ENUM(NSInteger, SNTClientMode) {
@@ -58,6 +61,8 @@ typedef NS_ENUM(NSInteger, SNTEventState) {
   SNTEventStateAllowBinary = 1 << 25,
   SNTEventStateAllowCertificate = 1 << 26,
   SNTEventStateAllowScope = 1 << 27,
+  SNTEventStateAllowCompiler = 1 << 28,
+  SNTEventStateAllowTransitive = 1 << 29,
 
   // Block and Allow masks
   SNTEventStateBlock = 0xFF << 16,

Source/common/SNTKernelCommon.h

@@ -48,7 +48,8 @@ enum SantaDriverMethods {
 
 typedef enum {
   QUEUETYPE_DECISION,
-  QUEUETYPE_LOG
+  QUEUETYPE_LOG,
+  QUEUETYPE_COMPILER,
 } santa_queuetype_t;
 
 // Enum defining actions that can be passed down the IODataQueue and in
@@ -71,6 +72,7 @@ typedef enum {
   ACTION_NOTIFY_LINK = 33,
   ACTION_NOTIFY_EXCHANGE = 34,
   ACTION_NOTIFY_DELETE = 35,
+  ACTION_NOTIFY_CLOSE = 36,
 
   // ERROR
   ACTION_ERROR = 99,

Source/santa-driver/SantaDecisionManager.cc

@@ -14,6 +14,13 @@
 
 #include "SantaDecisionManager.h"
 
+// This is a made-up KAUTH_FILEOP constant which represents a KAUTH_VNODE_WRITE_DATA event
+// that gets passed to SantaDecisionManager's FileOpCallback method.  It is defined as 8
+// because that was the first unused integer from sys/kauth.h.  The reason that we don't
+// simply use the KAUTH_VNODE_WRITE_DATA constant as is is because it overlaps with the other
+// KAUTH_FILEOP  constants.
+#define KAUTH_FILEOP_WRITE 8
+
 #define super OSObject
 OSDefineMetaClassAndStructors(SantaDecisionManager, OSObject);
 
@@ -28,6 +35,7 @@ bool SantaDecisionManager::init() {
 
   decision_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
   log_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
+  compiler_dataqueue_lock_ = lck_mtx_alloc_init(sdm_lock_grp_, sdm_lock_attr_);
 
   root_decision_cache_ = new SantaCache<uint64_t>(5000, 2);
   non_root_decision_cache_ = new SantaCache<uint64_t>(500, 2);
@@ -41,6 +49,10 @@ bool SantaDecisionManager::init() {
       kMaxLogQueueEvents, sizeof(santa_message_t));
   if (!log_dataqueue_) return kIOReturnNoMemory;
 
+  compiler_dataqueue_ = IOSharedDataQueue::withEntries(
+      kMaxCompilerQueueEvents, sizeof(santa_message_t));
+  if (!compiler_dataqueue_) return kIOReturnNoMemory;
+
   client_pid_ = 0;
   root_fsid_ = 0;
 
@@ -65,6 +77,11 @@ void SantaDecisionManager::free() {
     log_dataqueue_lock_ = nullptr;
   }
 
+  if (compiler_dataqueue_lock_) {
+    lck_mtx_free(compiler_dataqueue_lock_, sdm_lock_grp_);
+    compiler_dataqueue_lock_ = nullptr;
+  }
+
   if (sdm_lock_attr_) {
     lck_attr_free(sdm_lock_attr_);
     sdm_lock_attr_ = nullptr;
@@ -82,6 +99,7 @@ void SantaDecisionManager::free() {
 
   OSSafeReleaseNULL(decision_dataqueue_);
   OSSafeReleaseNULL(log_dataqueue_);
+  OSSafeReleaseNULL(compiler_dataqueue_);
 
   super::free();
 }
@@ -110,6 +128,7 @@ void SantaDecisionManager::ConnectClient(pid_t pid) {
 
   failed_decision_queue_requests_ = 0;
   failed_log_queue_requests_ = 0;
+  failed_compiler_queue_requests_ = 0;
 }
 
 void SantaDecisionManager::DisconnectClient(bool itDied) {
@@ -137,6 +156,12 @@ void SantaDecisionManager::DisconnectClient(bool itDied) {
     log_dataqueue_ = IOSharedDataQueue::withEntries(
         kMaxLogQueueEvents, sizeof(santa_message_t));
     lck_mtx_unlock(log_dataqueue_lock_);
+
+    lck_mtx_lock(compiler_dataqueue_lock_);
+    compiler_dataqueue_->release();
+    compiler_dataqueue_ = IOSharedDataQueue::withEntries(
+        kMaxCompilerQueueEvents, sizeof(santa_message_t));
+    lck_mtx_unlock(compiler_dataqueue_lock_);
   }
 }
 
@@ -163,6 +188,12 @@ void SantaDecisionManager::SetLogPort(mach_port_t port) {
   lck_mtx_unlock(log_dataqueue_lock_);
 }
 
+void SantaDecisionManager::SetCompilerPort(mach_port_t port) {
+  lck_mtx_lock(compiler_dataqueue_lock_);
+  compiler_dataqueue_->setNotificationPort(port);
+  lck_mtx_unlock(compiler_dataqueue_lock_);
+}
+
 IOMemoryDescriptor *SantaDecisionManager::GetDecisionMemoryDescriptor() const {
   return decision_dataqueue_->getMemoryDescriptor();
 }
@@ -171,6 +202,10 @@ IOMemoryDescriptor *SantaDecisionManager::GetLogMemoryDescriptor() const {
   return log_dataqueue_->getMemoryDescriptor();
 }
 
+IOMemoryDescriptor *SantaDecisionManager::GetCompilerMemoryDescriptor() const {
+  return compiler_dataqueue_->getMemoryDescriptor();
+}
+
 #pragma mark Listener Control
 
 kern_return_t SantaDecisionManager::StartListener() {
@@ -417,6 +452,26 @@ bool SantaDecisionManager::PostToLogQueue(santa_message_t *message) {
   return kr;
 }
 
+bool SantaDecisionManager::PostToCompilerQueue(santa_message_t *message) {
+  lck_mtx_lock(compiler_dataqueue_lock_);
+  auto kr = compiler_dataqueue_->enqueue(message, sizeof(santa_message_t));
+  if (!kr) {
+    if (failed_compiler_queue_requests_++ == 0) {
+      LOGW("Dropping compiler queue messages");
+    }
+    // If enqueue failed, pop an item off the queue and try again.
+    uint32_t dataSize = 0;
+    compiler_dataqueue_->dequeue(0, &dataSize);
+    kr = compiler_dataqueue_->enqueue(message, sizeof(santa_message_t));
+  } else {
+    if (failed_compiler_queue_requests_ > 0) {
+      failed_compiler_queue_requests_--;
+    }
+  }
+  lck_mtx_unlock(compiler_dataqueue_lock_);
+  return kr;
+}
+
 #pragma mark Invocation Tracking & PID comparison
 
 void SantaDecisionManager::IncrementListenerInvocations() {
@@ -495,6 +550,7 @@ void SantaDecisionManager::FileOpCallback(
         message->ppid = (val & ~0xFFFFFFFF00000000);
       }
       PostToLogQueue(message);
+      PostToCompilerQueue(message);
       delete message;
       return;
     }
@@ -509,9 +565,13 @@ void SantaDecisionManager::FileOpCallback(
     proc_name(message->pid, message->pname, sizeof(message->pname));
 
     switch (action) {
-      case KAUTH_FILEOP_CLOSE:
+      case KAUTH_FILEOP_WRITE:
+        // This is actually a KAUTH_VNODE_WRITE_DATA event.
         message->action = ACTION_NOTIFY_WRITE;
         break;
+      case KAUTH_FILEOP_CLOSE:
+        message->action = ACTION_NOTIFY_CLOSE;
+        break;
       case KAUTH_FILEOP_RENAME:
         message->action = ACTION_NOTIFY_RENAME;
         break;
@@ -529,7 +589,16 @@ void SantaDecisionManager::FileOpCallback(
         return;
     }
 
-    PostToLogQueue(message);
+    // We don't log the ACTION_NOTIFY_CLOSE messages because they mostly duplicate the
+    // ACTION_NOTIFY_WRITE messages (though they aren't precisely the same)
+    if (message->action != ACTION_NOTIFY_CLOSE) {
+      PostToLogQueue(message);
+    }
+
+    if (message->action == ACTION_NOTIFY_CLOSE || message->action == ACTION_NOTIFY_RENAME) {
+      PostToCompilerQueue(message);
+    }
+
     delete message;
   }
 }
@@ -552,6 +621,10 @@ extern "C" int fileop_scope_callback(
   char *new_path = nullptr;
 
   switch (action) {
+    // We only care about KAUTH_FILEOP_CLOSE events where the closed file was modified.
+    case KAUTH_FILEOP_CLOSE:
+      if (!(arg2 & KAUTH_FILEOP_CLOSE_MODIFIED))
+        return KAUTH_RESULT_DEFER;
     case KAUTH_FILEOP_DELETE:
     case KAUTH_FILEOP_EXEC:
       vp = reinterpret_cast<vnode_t>(arg0);
@@ -604,7 +677,9 @@ extern "C" int vnode_scope_callback(
     char path[MAXPATHLEN];
     int pathlen = MAXPATHLEN;
     vn_getpath(vp, path, &pathlen);
-    sdm->FileOpCallback(KAUTH_FILEOP_CLOSE, vp, path, nullptr);
+    // KAUTH_VNODE_WRITE_DATA events are translated into a fake KAUTH_FILEOP_WRITE event
+    // so that we can handle them in the FileOpCallback function.
+    sdm->FileOpCallback(KAUTH_FILEOP_WRITE, vp, path, nullptr);
     sdm->DecrementListenerInvocations();
   }