1.\" Copyright (c) 2012 2.\" David E. O'Brien <obrien@FreeBSD.org>. All rights reserved. 3.\" 4.\" Redistribution and use in source and binary forms, with or without 5.\" modification, are permitted provided that the following conditions 6.\" are met: 7.\" 1. Redistributions of source code must retain the above copyright 8.\" notice, this list of conditions and the following disclaimer. 9.\" 2. Redistributions in binary form must reproduce the above copyright 10.\" notice, this list of conditions and the following disclaimer in the 11.\" documentation and/or other materials provided with the distribution. 12.\" 3. All advertising materials mentioning features or use of this software 13.\" must display the following acknowledgment: 14.\" This product includes software developed by David E. O'Brien and 15.\" contributors. 16.\" 4. Neither the name of the author nor the names of its contributors 17.\" may be used to endorse or promote products derived from this software 18.\" without specific prior written permission. 19.\" 20.\" THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 21.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 22.\" IMPLIED WARRANTIES OF MERCHANT ABILITY AND FITNESS FOR A PARTICULAR PURPOSE 23.\" ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 24.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 25.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 26.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 27.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 28.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 29.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 30.\" SUCH DAMAGE. 31.\" 32.\" $FreeBSD$ 33.\" 34.Dd August 1, 2023 35.Dt FILEMON 4 36.Os 37.Sh NAME 38.Nm filemon 39.Nd the filemon device 40.Sh SYNOPSIS 41.In dev/filemon/filemon.h 42.Sh DESCRIPTION 43The 44.Nm 45device allows a process to collect file operations data of its children. 46The device 47.Pa /dev/filemon 48responds to two 49.Xr ioctl 2 50calls. 51.Pp 52.Nm 53is not intended to be a security auditing tool. 54Many system calls are not tracked and binaries using a non-native ABI may not 55be fully audited. 56It is intended for auditing of processes for the purpose of determining their 57dependencies using an efficient and easily parsable format. 58An example of this is 59.Xr make 1 60which uses this module with 61.Sy .MAKE.MODE=meta 62to handle incremental builds more smartly. 63.Pp 64System calls are denoted using the following single letters: 65.Pp 66.Bl -tag -width indent -compact 67.It Ql A 68.Xr openat 2 . 69The next log entry may be lacking an absolute path or be inaccurate. 70.It Ql C 71.Xr chdir 2 72.It Ql D 73.Xr unlink 2 74.It Ql E 75.Xr exec 2 76.It Ql F 77.Xr fork 2 , 78.Xr vfork 2 79.It Ql L 80.Xr link 2 , 81.Xr linkat 2 , 82.Xr symlink 2 83.It Ql M 84.Xr rename 2 85.It Ql R 86.Xr open 2 87or 88.Xr openat 2 89for read 90.It Ql W 91.Xr open 2 92or 93.Xr openat 2 94for write 95.It Ql X 96.Xr _exit 2 97.El 98.Pp 99Note that 100.Ql R 101following 102.Ql W 103records can represent a single 104.Xr open 2 105for R/W, 106or two separate 107.Xr open 2 108calls, one for 109.Ql R 110and one for 111.Ql W . 112Note that only successful system calls are captured. 113.Sh IOCTLS 114User mode programs communicate with the 115.Nm 116driver through a number of ioctls which are described below. 117Each takes a single argument. 118.Bl -tag -width ".Dv FILEMON_SET_PID" 119.It Dv FILEMON_SET_FD 120Write the internal tracing buffer to the supplied open file descriptor. 121.It Dv FILEMON_SET_PID 122Child process ID to trace. 123This should normally be done under the control of a parent in the child after 124.Xr fork 2 125but before anything else. 126See the example below. 127.El 128.Sh RETURN VALUES 129.\" .Rv -std ioctl 130The 131.Fn ioctl 132function returns the value 0 if successful; 133otherwise the value \-1 is returned and the global variable 134.Va errno 135is set to indicate the error. 136.Sh ERRORS 137The 138.Fn ioctl 139system call 140with 141.Dv FILEMON_SET_FD 142will fail if: 143.Bl -tag -width Er 144.It Bq Er EEXIST 145The 146.Nm 147handle is already associated with a file descriptor. 148.It Bq Er EINVAL 149The file descriptor has an invalid type and cannot be used for 150tracing. 151.It Bq Er EBADF 152The file descriptor is invalid or not opened for writing. 153.El 154.Pp 155The 156.Fn ioctl 157system call 158with 159.Dv FILEMON_SET_PID 160will fail if: 161.Bl -tag -width Er 162.It Bq Er ESRCH 163No process having the specified process ID exists. 164.It Bq Er EBUSY 165The process ID specified is already being traced and was not the current 166process. 167.El 168.Pp 169The 170.Fn close 171system call on the filemon file descriptor may fail with the errors from 172.Xr write 2 173if any error is encountered while writing the log. 174It may also fail if: 175.Bl -tag -width Er 176.It Bq Er EFAULT 177An invalid address was used for a traced system call argument, resulting in 178no log entry for the system call. 179.It Bq Er ENAMETOOLONG 180An argument for a traced system call was too long, resulting in 181no log entry for the system call. 182.El 183.Sh FILES 184.Bl -tag -width ".Pa /dev/filemon" 185.It Pa /dev/filemon 186.El 187.Sh EXAMPLES 188.Bd -literal 189#include <sys/types.h> 190#include <sys/stat.h> 191#include <sys/wait.h> 192#include <sys/ioctl.h> 193#include <dev/filemon/filemon.h> 194#include <fcntl.h> 195#include <err.h> 196#include <errno.h> 197#include <unistd.h> 198 199static void 200open_filemon(void) 201{ 202 pid_t child, wait_rv; 203 int fm_fd, fm_log; 204 205 if ((fm_fd = open("/dev/filemon", O_RDWR | O_CLOEXEC)) == -1) 206 err(1, "open(\e"/dev/filemon\e", O_RDWR)"); 207 if ((fm_log = open("filemon.out", 208 O_CREAT | O_WRONLY | O_TRUNC | O_CLOEXEC, DEFFILEMODE)) == -1) 209 err(1, "open(filemon.out)"); 210 211 if (ioctl(fm_fd, FILEMON_SET_FD, &fm_log) == -1) 212 err(1, "Cannot set filemon log file descriptor"); 213 214 if ((child = fork()) == 0) { 215 child = getpid(); 216 if (ioctl(fm_fd, FILEMON_SET_PID, &child) == -1) 217 err(1, "Cannot set filemon PID"); 218 /* Do something here. */ 219 } else if (child == -1) 220 err(1, "Cannot fork child"); 221 else { 222 while ((wait_rv = wait(&child)) == -1 && 223 errno == EINTR) 224 ; 225 if (wait_rv == -1) 226 err(1, "cannot wait for child"); 227 close(fm_fd); 228 } 229} 230.Ed 231.Pp 232Creates a file named 233.Pa filemon.out 234and configures the 235.Nm 236device to write the 237.Nm 238buffer contents to it. 239.Sh SEE ALSO 240.Xr dtrace 1 , 241.Xr ktrace 1 , 242.Xr script 1 , 243.Xr truss 1 , 244.Xr ioctl 2 245.Sh HISTORY 246A 247.Nm 248device appeared in 249.Fx 9.1 . 250.Sh BUGS 251Unloading the module may panic the system, thus requires using 252.Ic kldunload -f . 253