You should post your question in English, otherwise others won't know what are you saying.

After several days research, finally I found a way to hide contents of the folder. Just use the Endpoint system extension, and deny all ES_EVENT_TYPE_AUTH_READDIR when the msg->event.readdir.target->path.data is my folder path. Although this makes it impossible for me to see these files under my filesystem, but I can still use file system API such as open(), createFile() to do some operations on the files.

After some research, I know that there is some relationship between the DesktopServicesHelper process and the copy operation, so I tried don't decrypt the file when system process DesktopServicesHelper trying to open the encrypted file. But it still does not work, the Mac system seems to directly hand over the cache data to the DesktopServicesHelper process, then DesktopServicesHelper creates a new file in the copy target path with decrypted data.

I am developing a file encryption and decryption software on Mac. The main function of this software is to set up a special folder, and all files in this folder will be automatically decrypted when opened. After the files are copied out of this folder, the files need to remain encrypted. I achieve such a folder by mounting a MacFUSE-based file system. But after I copied the file out of the special folder, I found that the copied content was plain text. I think this may be caused by the cache of the Mac system. In order to prevent the decrypted content from being copied, I wanted to hook the vnode write operation and replace the copied decrypted content with the encrypted content. I borrowed the method from this link MacOSX-FileSystem-Filter to hook the read and write operations of vnode. The core idea of ​​this hook method is, // assumtion is - the vnode layout is as follows // <some fields that are irrelevant for us> // int (**v_op)(void *); /* vnode operations vector */ // mount_t v_mount; /* ptr to vfs we are in */ // void * v_data; /* private data for fs */ So after I got the vnode object from Kauth, then do some pointer movement to replace the vnode operations vector int (**v_op)(void *); , thus I can hook the vnode operations.

Thanks for your reply, there is really rare document about it. File Provider is not enough to meet my requirement. To develop a kernel/user hybrid file system maybe a good way, at least I have the full control of my file system. It's really painful to do VFS development on macOS :(

Thanks for your detailed reply @eskimo . Now I'm finding a way to begin the adventurous and exciting journe of VFS development. Since there is rare document about VFS, do you think it's a good idea to borrow from the implementation of Linux 3rd file system FUSE? If I were to port Linux FUSE to VFS, what would be the biggest challenges and differences?

Thanks eskimo, hope the day Apple supports the function like file filter will come soon...

There's no need to display a UI to guide the user in making a choice. We'll decide whether to allow opening a file based on its path or some other meta datas, following the policy configuration. When ES detects that a file is about to be opened, it needs to communicate with my Mac app, and the app will use the configured policy to determine if the user can open or deny access to the file. So, we need to find a way for ES and the Mac app to communicate effectively. I attempted creating a local CFMessagePort on the app side, but ES couldn't obtain the remote CFMessagePort. The CFMessagePortCreateRemote always return nil.

I already have a XPC service on ES side. But according XPC, I can only send packet from APP to ES, what if I want to send packet from ES to APP? I've noticed there is a APP called Red Canary Mac monitor based on ES. It can show the UI of the ES events. So I assume that there must have someway to send message from ES to the Mac APP.

Wow, cool! I think I've discovered a new world! Thanks Quinn. So now I can do two way communication. But what if the XPC receive side exited? For example, the client APP exited, and the server send a message to client according the remoteObjectProxy, but the response will never come.

Thank you for your detailed reply, Quinn!

Thanks Quinn! Have a nice day!

Hi Quinn, I just checked my code. There is no setting of the kSecUseDataProtectionKeychain attribute or the kSecAttrSynchronizable attribute to true. So I think I'm using the file - based keychain. Should I update to the data protection keychain? By the way, I don't want my stored passwords to be synced via iCloud. So, do I just need to set kSecUseDataProtectionKeychain to true and kSecAttrSynchronizable to false?