An idea I had a while ago was to implement a real-time backup system, which saves copies of files as they’re modified to a 2nd location. In the simplest form this would be a kind of manual mirrored RAID setup, which could work at the directory or volume level rather than disk level.
The problem I had was figuring out how to get notifications of every file modification. It can be done – Spotlight obviously gets such notifications. But it can’t be done using kqueues (as far as I can tell, anyway), and I’m not aware of any other public API for doing so. I’m not really interested enough in the idea to reverse engineer half the system trying to discover the private mechanism… so the idea languished.
Until two things struck me – Apple just posted this article on the kern_control.h & kern_event.h headers in /usr/include/sys/…. It seems to me – at a cursory glance – these might provide the mechanism for receiving general I/O events, which could be broken apart to discover their nature, scope and relevant details. Of course, these do seem somewhat orientated towards kexts or similar kernel-mode code, but there are ioctl hooks that look interesting… definitely something to research.
But the big epiphany was just realising that I can use the public Spotlight API in various hacky ways to do what I want… for example, list all files modified in the last 60 seconds or so, which will update constantly with all newly modified files… provided Spotlight queues all prospective results, and doesn’t drop any due to time-outs or similar things. Definitely worth investigation.