Diffstat (limited to 'share/man/man4/filemon.4')
-rw-r--r-- share/man/man4/filemon.4 55
1 files changed, 42 insertions, 13 deletions
diff --git a/share/man/man4/filemon.4 b/share/man/man4/filemon.4
index 3287a47..0f1b60e 100644
--- a/share/man/man4/filemon.4
+++ b/share/man/man4/filemon.4
@@ -31,7 +31,7 @@
.\"
.\" $FreeBSD$
.\"
-.Dd March 9, 2016
+.Dd March 22, 2016
.Dt FILEMON 4
.Os
.Sh NAME
@@ -51,7 +51,7 @@ calls.
.Pp
.Nm
is not intended to be a security auditing tool.
-Many syscalls are not tracked and binaries of foreign ABI will not be fully
+Many system calls are not tracked and binaries of foreign ABI will not be fully
audited.
It is intended for auditing of processes for the purpose of determining its
dependencies in an efficient and easily parsable format.
@@ -64,6 +64,9 @@ to handle incremental builds more smartly.
System calls are denoted using the following single letters:
.Pp
.Bl -tag -width indent -compact
+.It Ql A
+.Xr openat 2 .
+The next log entry may be lacking an absolute path or be inaccurate.
.It Ql C
.Xr chdir 2
.It Ql D
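Review bot: The second sentence of the new A entry, "The next log entry may be lacking an absolute path or be inaccurate", gives a log consumer no rule to apply: it does not say what path the A record itself carries, nor in what way the following entry can be inaccurate. Suggest stating what the A record contains and how a parser should treat the entry that follows it, for example that its path may be relative to a directory descriptor rather than the current directory, if that is the reason. Also, ".Xr openat 2 ." ends with a period while the neighbouring ".Xr chdir 2" entries do not.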
@@ -82,11 +85,13 @@ System calls are denoted using the following single letters:
.Xr rename 2
.It Ql R
.Xr open 2
+or
+.Xr openat 2
for read
-.It Ql S
-.Xr stat 2
.It Ql W
.Xr open 2
+or
+.Xr openat 2
for write
.It Ql X
.Xr _exit 2
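Review bot: The S entry for stat(2) is deleted from the letter list with nothing in its place, so a reader cannot tell whether S records are no longer emitted or are merely undocumented. If stat(2) is no longer logged, say so in the page (HISTORY would be a natural place) so that anyone parsing logs from an older version knows the letter existed and what it meant.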
@@ -116,6 +121,10 @@ Each takes a single argument.
Write the internal tracing buffer to the supplied open file descriptor.
.It Dv FILEMON_SET_PID
Child process ID to trace.
+This should normally be done under the control of a parent in the child after
+.Xr fork 2
+but before anything else.
+See the example below.
.El
.Sh RETURN VALUES
.\" .Rv -std ioctl
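Review bot: In the FILEMON_SET_PID text, "under the control of a parent in the child after fork(2)" is hard to parse: it does not say which process issues the ioctl or whose process ID is passed. Suggest naming the caller and the argument explicitly, for instance that the child issues the ioctl with its own process ID immediately after fork(2), if that is what is meant. "See the example below" points at text outside this diff, so check that the example really shows this ordering.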
@@ -138,6 +147,35 @@ The
.Nm
handle is already associated with a file descriptor.
.El
+.Pp
+The
+.Fn ioctl
+system call
+with
+.Dv FILEMON_SET_PID
+will fail if:
+.Bl -tag -width Er
+.It Bq Er ESRCH
+No process having the specified process ID exists.
+.It Bq Er EBUSY
+The process ID specified is already being traced and was not the current
+process.
+.El
+.Pp
+The
+.Fn close
+system call on the filemon file descriptor may fail with the errors from
+.Xr write 2
+if any error is encountered while writing the log.
+It may also fail if:
+.Bl -tag -width Er
+.It Bq Er EFAULT
+An invalid address was used for a traced system call argument, resulting in
+no log entry for the system call.
+.It Bq Er ENAMETOOLONG
+An argument for a traced system call was too long, resulting in
+no log entry for the system call.
+.El
.Sh FILES
.Bl -tag -width ".Pa /dev/filemon"
.It Pa /dev/filemon
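Review bot: The close() paragraph makes EFAULT and ENAMETOOLONG the only signal that a traced system call produced no log entry, yet nothing tells the caller to check the return value of close() or how to treat the log when it fails. Suggest adding a sentence that a failed close() means the log may be incomplete and should not be relied on for dependency tracking. In the EBUSY entry, "is already being traced and was not the current process" mixes tenses; "and is not the current process" reads better.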
@@ -199,14 +237,5 @@ A
device appeared in
.Fx 9.1 .
.Sh BUGS
-Loading
-.Nm
-may reduce system performance for the noted syscalls.
-.Pp
-Only children of the set process are logged.
-Processes can escape being traced by double forking.
-This is not seen as a problem as the intended use is build monitoring, which
-does not make sense to have daemons for.
-.Pp
Unloading the module may panic the system, thus requires using
.Ic kldunload -f .
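Review bot: The BUGS hunk drops "Only children of the set process are logged" and "Processes can escape being traced by double forking" without adding any text on what the behaviour is now. If double-forked descendants are now traced, state that in DESCRIPTION; if they are not, keep the caveat, since it is exactly what a reader relying on the log for completeness needs to know. The same question applies to the removed performance note.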