127db57a9SDavid E. O'Brien.\" Copyright (c) 2012
227db57a9SDavid E. O'Brien.\"	David E. O'Brien <obrien@FreeBSD.org>.  All rights reserved.
327db57a9SDavid E. O'Brien.\"
427db57a9SDavid E. O'Brien.\" Redistribution and use in source and binary forms, with or without
527db57a9SDavid E. O'Brien.\" modification, are permitted provided that the following conditions
627db57a9SDavid E. O'Brien.\" are met:
727db57a9SDavid E. O'Brien.\" 1. Redistributions of source code must retain the above copyright
827db57a9SDavid E. O'Brien.\"    notice, this list of conditions and the following disclaimer.
927db57a9SDavid E. O'Brien.\" 2. Redistributions in binary form must reproduce the above copyright
1027db57a9SDavid E. O'Brien.\"    notice, this list of conditions and the following disclaimer in the
1127db57a9SDavid E. O'Brien.\"    documentation and/or other materials provided with the distribution.
1227db57a9SDavid E. O'Brien.\" 3. All advertising materials mentioning features or use of this software
138124c91fSDavid E. O'Brien.\"    must display the following acknowledgment:
1427db57a9SDavid E. O'Brien.\"	This product includes software developed by David E. O'Brien and
1527db57a9SDavid E. O'Brien.\"	contributors.
1627db57a9SDavid E. O'Brien.\" 4. Neither the name of the author nor the names of its contributors
1727db57a9SDavid E. O'Brien.\"    may be used to endorse or promote products derived from this software
1827db57a9SDavid E. O'Brien.\"    without specific prior written permission.
1927db57a9SDavid E. O'Brien.\"
2027db57a9SDavid E. O'Brien.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
2127db57a9SDavid E. O'Brien.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
2327db57a9SDavid E. O'Brien.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
2427db57a9SDavid E. O'Brien.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
2527db57a9SDavid E. O'Brien.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
2627db57a9SDavid E. O'Brien.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
2727db57a9SDavid E. O'Brien.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
2827db57a9SDavid E. O'Brien.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
2927db57a9SDavid E. O'Brien.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
3027db57a9SDavid E. O'Brien.\" SUCH DAMAGE.
3127db57a9SDavid E. O'Brien.\"
3227db57a9SDavid E. O'Brien.\" $FreeBSD$
3327db57a9SDavid E. O'Brien.\"
345a706efcSBryan Drewery.Dd March 22, 2016
3527db57a9SDavid E. O'Brien.Dt FILEMON 4
3627db57a9SDavid E. O'Brien.Os
3727db57a9SDavid E. O'Brien.Sh NAME
3827db57a9SDavid E. O'Brien.Nm filemon
3927db57a9SDavid E. O'Brien.Nd the filemon device
4027db57a9SDavid E. O'Brien.Sh SYNOPSIS
4127db57a9SDavid E. O'Brien.In dev/filemon/filemon.h
4227db57a9SDavid E. O'Brien.Sh DESCRIPTION
4327db57a9SDavid E. O'BrienThe
4427db57a9SDavid E. O'Brien.Nm
device allows a process to collect data about the file operations of its children.
4627db57a9SDavid E. O'BrienThe device
4727db57a9SDavid E. O'Brien.Pa /dev/filemon
4827db57a9SDavid E. O'Brienresponds to two
4927db57a9SDavid E. O'Brien.Xr ioctl 2
5027db57a9SDavid E. O'Briencalls.
5127db57a9SDavid E. O'Brien.Pp
5222bcf8a6SBryan Drewery.Nm
5322bcf8a6SBryan Dreweryis not intended to be a security auditing tool.
Many system calls are not tracked, and binaries of a foreign ABI are not fully
audited.
It is intended for auditing processes in order to determine their
dependencies in an efficient and easily parsable format.
5822bcf8a6SBryan DreweryAn example of this is
5922bcf8a6SBryan Drewery.Xr make 1
6022bcf8a6SBryan Drewerywhich uses this module with
6122bcf8a6SBryan Drewery.Sy .MAKE.MODE=meta
6222bcf8a6SBryan Dreweryto handle incremental builds more smartly.
6322bcf8a6SBryan Drewery.Pp
6427db57a9SDavid E. O'BrienSystem calls are denoted using the following single letters:
65db852c28SDavid E. O'Brien.Pp
6627db57a9SDavid E. O'Brien.Bl -tag -width indent -compact
676c8b789fSBryan Drewery.It Ql A
686c8b789fSBryan Drewery.Xr openat 2 .
The next log entry may lack an absolute path or be inaccurate.
70db852c28SDavid E. O'Brien.It Ql C
7127db57a9SDavid E. O'Brien.Xr chdir 2
72db852c28SDavid E. O'Brien.It Ql D
7327db57a9SDavid E. O'Brien.Xr unlink 2
74db852c28SDavid E. O'Brien.It Ql E
7527db57a9SDavid E. O'Brien.Xr exec 2
76db852c28SDavid E. O'Brien.It Ql F
7727db57a9SDavid E. O'Brien.Xr fork 2 ,
7827db57a9SDavid E. O'Brien.Xr vfork 2
79db852c28SDavid E. O'Brien.It Ql L
8027db57a9SDavid E. O'Brien.Xr link 2 ,
8127db57a9SDavid E. O'Brien.Xr linkat 2 ,
8227db57a9SDavid E. O'Brien.Xr symlink 2 ,
8327db57a9SDavid E. O'Brien.Xr symlinkat 2
84db852c28SDavid E. O'Brien.It Ql M
8527db57a9SDavid E. O'Brien.Xr rename 2
86db852c28SDavid E. O'Brien.It Ql R
8727db57a9SDavid E. O'Brien.Xr open 2
886c8b789fSBryan Dreweryor
896c8b789fSBryan Drewery.Xr openat 2
9027db57a9SDavid E. O'Brienfor read
91db852c28SDavid E. O'Brien.It Ql W
9227db57a9SDavid E. O'Brien.Xr open 2
936c8b789fSBryan Dreweryor
946c8b789fSBryan Drewery.Xr openat 2
9527db57a9SDavid E. O'Brienfor write
96db852c28SDavid E. O'Brien.It Ql X
9727db57a9SDavid E. O'Brien.Xr _exit 2
9827db57a9SDavid E. O'Brien.El
9927db57a9SDavid E. O'Brien.Pp
Note that an
.Ql R
record following a
.Ql W
record can represent a single
10527db57a9SDavid E. O'Brien.Xr open 2
10627db57a9SDavid E. O'Brienfor R/W,
1078124c91fSDavid E. O'Brienor two separate
10827db57a9SDavid E. O'Brien.Xr open 2
10927db57a9SDavid E. O'Briencalls, one for
110db852c28SDavid E. O'Brien.Ql R
11127db57a9SDavid E. O'Brienand one for
112db852c28SDavid E. O'Brien.Ql W .
1138124c91fSDavid E. O'BrienNote that only successful system calls are captured.
11427db57a9SDavid E. O'Brien.Sh IOCTLS
User mode programs communicate with the
.Nm
driver through the ioctls described below.
Each takes a single argument.
119db852c28SDavid E. O'Brien.Bl -tag -width ".Dv FILEMON_SET_PID"
12027db57a9SDavid E. O'Brien.It Dv FILEMON_SET_FD
12127db57a9SDavid E. O'BrienWrite the internal tracing buffer to the supplied open file descriptor.
122d5064cc2SJoel Dahl.It Dv FILEMON_SET_PID
12327db57a9SDavid E. O'BrienChild process ID to trace.
This should normally be done in the child, under the control of the parent,
after
.Xr fork 2
but before anything else.
See the example below.
12827db57a9SDavid E. O'Brien.El
12927db57a9SDavid E. O'Brien.Sh RETURN VALUES
130db852c28SDavid E. O'Brien.\" .Rv -std ioctl
131db852c28SDavid E. O'BrienThe
132db852c28SDavid E. O'Brien.Fn ioctl
133db852c28SDavid E. O'Brienfunction returns the value 0 if successful;
134db852c28SDavid E. O'Brienotherwise the value \-1 is returned and the global variable
135db852c28SDavid E. O'Brien.Va errno
136db852c28SDavid E. O'Brienis set to indicate the error.
137044fd543SBryan Drewery.Sh ERRORS
138044fd543SBryan DreweryThe
139044fd543SBryan Drewery.Fn ioctl
140044fd543SBryan Drewerysystem call
141044fd543SBryan Drewerywith
142044fd543SBryan Drewery.Dv FILEMON_SET_FD
143044fd543SBryan Drewerywill fail if:
144044fd543SBryan Drewery.Bl -tag -width Er
145044fd543SBryan Drewery.It Bq Er EEXIST
146044fd543SBryan DreweryThe
147044fd543SBryan Drewery.Nm
148044fd543SBryan Dreweryhandle is already associated with a file descriptor.
149044fd543SBryan Drewery.El
150e0d84b9eSBryan Drewery.Pp
151e0d84b9eSBryan DreweryThe
152e0d84b9eSBryan Drewery.Fn ioctl
153e0d84b9eSBryan Drewerysystem call
154e0d84b9eSBryan Drewerywith
155e0d84b9eSBryan Drewery.Dv FILEMON_SET_PID
156e0d84b9eSBryan Drewerywill fail if:
157e0d84b9eSBryan Drewery.Bl -tag -width Er
158e0d84b9eSBryan Drewery.It Bq Er ESRCH
159e0d84b9eSBryan DreweryNo process having the specified process ID exists.
160e0d84b9eSBryan Drewery.It Bq Er EBUSY
The specified process ID is already being traced and is not the current
process.
163e0d84b9eSBryan Drewery.El
1644177d9f7SBryan Drewery.Pp
1654177d9f7SBryan DreweryThe
1664177d9f7SBryan Drewery.Fn close
1674177d9f7SBryan Drewerysystem call on the filemon file descriptor may fail with the errors from
1684177d9f7SBryan Drewery.Xr write 2
1694177d9f7SBryan Dreweryif any error is encountered while writing the log.
170*9b511ce9SBryan DreweryIt may also fail if:
171*9b511ce9SBryan Drewery.Bl -tag -width Er
172*9b511ce9SBryan Drewery.It Bq Er EFAULT
173*9b511ce9SBryan DreweryAn invalid address was used for a traced system call argument, resulting in
174*9b511ce9SBryan Dreweryno log entry for the system call.
175*9b511ce9SBryan Drewery.It Bq Er ENAMETOOLONG
176*9b511ce9SBryan DreweryAn argument for a traced system call was too long, resulting in
177*9b511ce9SBryan Dreweryno log entry for the system call.
178*9b511ce9SBryan Drewery.El
179d5064cc2SJoel Dahl.Sh FILES
180db852c28SDavid E. O'Brien.Bl -tag -width ".Pa /dev/filemon"
181d5064cc2SJoel Dahl.It Pa /dev/filemon
182d5064cc2SJoel Dahl.El
18327db57a9SDavid E. O'Brien.Sh EXAMPLES
184d5064cc2SJoel Dahl.Bd -literal
18527db57a9SDavid E. O'Brien#include <sys/types.h>
18627db57a9SDavid E. O'Brien#include <sys/stat.h>
18727db57a9SDavid E. O'Brien#include <sys/wait.h>
18827db57a9SDavid E. O'Brien#include <sys/ioctl.h>
18927db57a9SDavid E. O'Brien#include <dev/filemon/filemon.h>
19027db57a9SDavid E. O'Brien#include <fcntl.h>
19127db57a9SDavid E. O'Brien#include <err.h>
1920ec5ac10SSergey Kandaurov#include <unistd.h>
19327db57a9SDavid E. O'Brien
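/*
 * Trace the file operations of one child process and write the
 * resulting log to filemon.out.
 */
static void
open_filemon(void)
{
	pid_t child;
	int fm_fd, fm_log, status;

	/*
	 * O_CLOEXEC keeps both descriptors out of any program the traced
	 * child later executes.
	 */
	if ((fm_fd = open("/dev/filemon", O_RDWR | O_CLOEXEC)) == -1)
		err(1, "open(\e"/dev/filemon\e", O_RDWR)");
	if ((fm_log = open("filemon.out",
	    O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, DEFFILEMODE)) == -1)
		err(1, "open(filemon.out)");

	if (ioctl(fm_fd, FILEMON_SET_FD, &fm_log) == -1)
		err(1, "Cannot set filemon log file descriptor");

	/* A failed fork() must not be mistaken for the parent branch. */
	if ((child = fork()) == -1)
		err(1, "fork");
	if (child == 0) {
		/* The child registers itself before doing anything else. */
		child = getpid();
		if (ioctl(fm_fd, FILEMON_SET_PID, &child) == -1)
			err(1, "Cannot set filemon PID");
		/* Do something here. */
	} else {
		if (waitpid(child, &status, 0) == -1)
			err(1, "waitpid");
		/*
		 * Closing the filemon descriptor flushes the log; an error
		 * here means the log is incomplete (see ERRORS above).
		 */
		if (close(fm_fd) == -1)
			err(1, "close(/dev/filemon)");
		if (close(fm_log) == -1)
			err(1, "close(filemon.out)");
	}
}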
21927db57a9SDavid E. O'Brien.Ed
22027db57a9SDavid E. O'Brien.Pp
The example above creates a file named
22227db57a9SDavid E. O'Brien.Pa filemon.out
22327db57a9SDavid E. O'Brienand configures the
22427db57a9SDavid E. O'Brien.Nm
225db852c28SDavid E. O'Briendevice to write the
226db852c28SDavid E. O'Brien.Nm
227db852c28SDavid E. O'Brienbuffer contents to it.
22827db57a9SDavid E. O'Brien.Sh SEE ALSO
22927db57a9SDavid E. O'Brien.Xr dtrace 1 ,
23027db57a9SDavid E. O'Brien.Xr ktrace 1 ,
231d630b56dSDavid E. O'Brien.Xr script 1 ,
2328124c91fSDavid E. O'Brien.Xr truss 1 ,
2338124c91fSDavid E. O'Brien.Xr ioctl 2
23427db57a9SDavid E. O'Brien.Sh HISTORY
23527db57a9SDavid E. O'BrienA
23627db57a9SDavid E. O'Brien.Nm
23727db57a9SDavid E. O'Briendevice appeared in
23827db57a9SDavid E. O'Brien.Fx 9.1 .
23922bcf8a6SBryan Drewery.Sh BUGS
Unloading the module may panic the system, and thus requires using
.Ic kldunload -f .