.\" Copyright (c) 2012
.\"	David E. O'Brien <obrien@FreeBSD.org>.  All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\"    notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\"    notice, this list of conditions and the following disclaimer in the
.\"    documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\"    must display the following acknowledgment:
.\"	This product includes software developed by David E. O'Brien and
.\"	contributors.
.\" 4. Neither the name of the author nor the names of its contributors
.\"    may be used to endorse or promote products derived from this software
.\"    without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\"
.\" $FreeBSD$
.\"
.Dd March 21, 2016
.Dt FILEMON 4
.Os
.Sh NAME
.Nm filemon
.Nd the filemon device
.Sh SYNOPSIS
.In dev/filemon/filemon.h
.Sh DESCRIPTION
The
.Nm
device allows a process to collect file operations data of its children.
The device
.Pa /dev/filemon
responds to two
.Xr ioctl 2
calls.
.Pp
.Nm
is not intended to be a security auditing tool.
Many syscalls are not tracked and binaries of foreign ABI will not be fully
audited.
It is intended for auditing of processes for the purpose of determining their
dependencies in an efficient and easily parsable format.
An example of this is
.Xr make 1
which uses this module with
.Sy .MAKE.MODE=meta
to handle incremental builds more smartly.
.Pp
System calls are denoted using the following single letters:
.Pp
.Bl -tag -width indent -compact
.It Ql C
.Xr chdir 2
.It Ql D
.Xr unlink 2
.It Ql E
.Xr exec 2
.It Ql F
.Xr fork 2 ,
.Xr vfork 2
.It Ql L
.Xr link 2 ,
.Xr linkat 2 ,
.Xr symlink 2 ,
.Xr symlinkat 2
.It Ql M
.Xr rename 2
.It Ql R
.Xr open 2
for read
.It Ql S
.Xr stat 2
.It Ql W
.Xr open 2
for write
.It Ql X
.Xr _exit 2
.El
.Pp
Note that
.Ql R
following
.Ql W
records can represent a single
.Xr open 2
for R/W,
or two separate
.Xr open 2
calls, one for
.Ql R
and one for
.Ql W .
Note that only successful system calls are captured.
.Sh IOCTLS
User mode programs communicate with the
.Nm
driver through a number of ioctls which are described below.
Each takes a single argument.
.Bl -tag -width ".Dv FILEMON_SET_PID"
.It Dv FILEMON_SET_FD
Write the internal tracing buffer to the supplied open file descriptor.
.It Dv FILEMON_SET_PID
Child process ID to trace.
This should normally be done under the control of a parent in the child after
.Xr fork 2
but before anything else.
See the example below.
.El
.Sh RETURN VALUES
.\" .Rv -std ioctl
The
.Fn ioctl
function returns the value 0 if successful;
otherwise the value \-1 is returned and the global variable
.Va errno
is set to indicate the error.
.Sh ERRORS
The
.Fn ioctl
system call
with
.Dv FILEMON_SET_FD
will fail if:
.Bl -tag -width Er
.It Bq Er EEXIST
The
.Nm
handle is already associated with a file descriptor.
.El
.Pp
The
.Fn ioctl
system call
with
.Dv FILEMON_SET_PID
will fail if:
.Bl -tag -width Er
.It Bq Er ESRCH
No process having the specified process ID exists.
.It Bq Er EBUSY
The process ID specified is already being traced and was not the current
process.
.El
.Sh FILES
.Bl -tag -width ".Pa /dev/filemon"
.It Pa /dev/filemon
.El
.Sh EXAMPLES
.Bd -literal
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <sys/ioctl.h>
#include <dev/filemon/filemon.h>
#include <fcntl.h>
#include <err.h>
#include <unistd.h>

static void
open_filemon(void)
{
	pid_t child;
	int fm_fd, fm_log, status;

	/* Both descriptors are close-on-exec so a traced program cannot use them. */
	if ((fm_fd = open("/dev/filemon", O_RDWR | O_CLOEXEC)) == -1)
		err(1, "open(\e"/dev/filemon\e", O_RDWR)");
	if ((fm_log = open("filemon.out",
	    O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, DEFFILEMODE)) == -1)
		err(1, "open(filemon.out)");

	/* Attach the log file to this filemon handle. */
	if (ioctl(fm_fd, FILEMON_SET_FD, &fm_log) == -1)
		err(1, "Cannot set filemon log file descriptor");

	if ((child = fork()) == -1)
		err(1, "fork");
	if (child == 0) {
		/* In the child: start tracing before doing anything else. */
		child = getpid();
		if (ioctl(fm_fd, FILEMON_SET_PID, &child) == -1)
			err(1, "Cannot set filemon PID");
		/* Do something here. */
	} else {
		/* In the parent: wait for the child, then release the handle. */
		wait(&status);
		close(fm_fd);
	}
}
.Ed
.Pp
Creates a file named
.Pa filemon.out
and configures the
.Nm
device to write the
.Nm
buffer contents to it.
.Sh SEE ALSO
.Xr dtrace 1 ,
.Xr ktrace 1 ,
.Xr script 1 ,
.Xr truss 1 ,
.Xr ioctl 2
.Sh HISTORY
A
.Nm
device appeared in
.Fx 9.1 .
.Sh BUGS
Unloading the module may panic the system, and therefore requires using
.Ic kldunload -f .
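.Pp
Added example, not part of the original manual page or the FreeBSD source: a C routine that reads a filemon log and returns the paths the traced processes opened for read but never for write, applying the DESCRIPTION note that R following W may be a single open(2) for R/W.
The record layout (letter, PID, argument on one line, with '#' comment lines), the names filemon_deps and SAMPLE_LOG, and the sample log itself are assumptions made for the example.

```c
/* Added example, not FreeBSD code. ASSUMED record: "<letter> <pid> <argument>". */
#include <stdio.h>
#include <string.h>
#define MAXP 64
struct ent { char path[256]; int rd, wr; };

/* Constructed sample log, not captured from a real system. */
static const char SAMPLE_LOG[] = "# constructed sample\n"
	"E 101 /usr/bin/cc\nR 101 /usr/include/stdio.h\nR 101 main.c\n"
	"W 101 main.o\nR 101 main.o\nF 101 102\nR 102 /lib/libc.so.7\n"
	"X 102 0\nX 101 0\n";

/* Find the entry for path, adding it if new; NULL when the table is full. */
static struct ent *lookup(struct ent *tab, int *n, const char *path)
{
	for (int i = 0; i < *n; i++)
		if (strcmp(tab[i].path, path) == 0)
			return &tab[i];
	if (*n == MAXP)
		return NULL;
	tab[*n].rd = tab[*n].wr = 0;
	snprintf(tab[*n].path, sizeof(tab[*n].path), "%s", path);
	return &tab[(*n)++];
}

/* Copy paths with R and no W into deps[]; -1 on bad record or full table. */
int filemon_deps(const char *log, char deps[][256])
{
	struct ent tab[MAXP], *e;
	char line[512], arg[256], op;
	int n = 0, ndeps = 0, pid, got;

	while (*log != '\0') {
		size_t len = strcspn(log, "\n");
		snprintf(line, sizeof(line), "%.*s", (int)len, log);
		log += len + (log[len] == '\n');
		if (line[0] == '#' || line[0] == '\0')
			continue;
		got = sscanf(line, "%c %d %255[^\n]", &op, &pid, arg);
		if (got < 2 || ((op == 'R' || op == 'W') && got != 3))
			return -1;
		if (op != 'R' && op != 'W')
			continue;	/* record does not name an opened file */
		if ((e = lookup(tab, &n, arg)) == NULL)
			return -1;
		*(op == 'R' ? &e->rd : &e->wr) = 1;
	}
	/* W then R may be one open(2) for R/W: any W makes the path an output. */
	for (int i = 0; i < n; i++)
		if (tab[i].rd && !tab[i].wr)
			strcpy(deps[ndeps++], tab[i].path);
	return ndeps;
}
```

Because only successful system calls are recorded, a path the process tried and failed to open never appears in the result.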