macOS - Listeners on folders that throw mount events (#3506)

osquery/events/darwin/fsevents.cpp

@@ -254,6 +254,15 @@ void FSEventsEventPublisher::Callback(
       // Should remove the watch on this path.
     }
 
+    if (ec->fsevent_flags & kFSEventStreamEventFlagMount) {
+      auto mc = std::make_shared<FSEventsSubscriptionContext>();
+      mc->path = ec->path + "/*";
+      auto subscription = Subscription::create("file_events", mc);
+      auto status = EventFactory::addSubscription("fsevents", subscription);
+      auto pub = EventFactory::getEventPublisher("fsevents");
+      pub->configure();
+    }
+
     // Record the string-version of the first matched mask bit.
     bool has_action = false;
     for (const auto& action : kMaskActions) {

osquery/tables/events/darwin/file_events.cpp

@@ -8,8 +8,9 @@
  *
  */
 
-#include <vector>
+#include <future>
 #include <string>
+#include <vector>
 
 #include <osquery/core.h>
 #include <osquery/config.h>
@@ -81,6 +82,20 @@ Status FileEventSubscriber::Callback(const FSEventsEventContextRef& ec,
     return Status(0);
   }
 
+  // Need to call configure on the publisher, not the subscriber
+  if (ec->fsevent_flags & kFSEventStreamEventFlagMount) {
+    // Should we add listening to the mount point
+    auto subscriber = ([this, &ec]() {
+      auto msc = createSubscriptionContext();
+      msc->path = ec->path + "/*";
+      msc->category = "tmp";
+      return subscribe(&FileEventSubscriber::Callback, msc);
+    });
+    std::packaged_task<void()> task(std::move(subscriber));
+    auto result = task.get_future();
+    std::thread(std::move(task)).detach();
+  }
+
   Row r;
   r["action"] = ec->action;
   r["target_path"] = ec->path;