d/freebsd-dev
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2657d8e33e
freebsd-dev/sys/dev/filemon/filemon_wrapper.c

462 lines
13 KiB
C
Raw Normal View History

Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
/*-
sys/dev: further adoption of SPDX licensing ID tags. Mainly focus on files that use BSD 2-Clause license, however the tool I was using misidentified many licenses so this was mostly a manual - error prone - task. The Software Package Data Exchange (SPDX) group provides a specification to make it easier for automated tools to detect and summarize well known opensource licenses. We are gradually adopting the specification, noting that the tags are considered only advisory and do not, in any way, superceed or replace the license texts.
2017-11-27 14:52:40 +00:00
* SPDX-License-Identifier: BSD-2-Clause-FreeBSD
*
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
* Copyright (c) 2011, David E. O'Brien.
* Copyright (c) 2009-2011, Juniper Networks, Inc.
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
* Copyright (c) 2015-2016, EMC Corp.
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY JUNIPER NETWORKS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL JUNIPER NETWORKS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/cdefs.h>
__FBSDID("$FreeBSD$");
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
#include <sys/eventhandler.h>
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
#include <sys/filedesc.h>
#include <sys/imgact.h>
exec: Cease tracing if credentials will change with the new image. This also prevents tracing to a P_INEXEC process since it could race with other processes attaching to it in filemon_event_process_exec() due to the filemon_get_proc() race of incrementing ref and then locking the filemon. With the no-P_INEXEC invariant in place the p_filemon may only be the same or NULL when trying to drop it in filemon_event_process_exec(). MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D6545
2016-05-27 23:57:43 +00:00
#include <sys/priv.h>
filemon_pid_check needs to hold proctree_lock Reviewed by: kib MFC after: few days
2015-06-19 17:19:20 +00:00
#include <sys/sx.h>
Support all architectures by just using sysent. PowerPC64 has two different ABIs, neither of which is elf64_freebsd_sysvec. Using sysent and freebsd32_sysent achieves the same effect. X-MFC-With: r301130 MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-06-04 17:39:42 +00:00
#include <sys/sysent.h>
filemon: Use process_exec EVENTHANDLER to capture sys_execve. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 21:45:25 +00:00
#include <sys/vnode.h>
filemon_pid_check needs to hold proctree_lock Reviewed by: kib MFC after: few days
2015-06-19 17:19:20 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
#include <machine/stdarg.h>
static void filemon_output_event(struct filemon *filemon, const char *fmt, ...)
__printflike(2, 3);
filemon: Use process_exec EVENTHANDLER to capture sys_execve. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 21:45:25 +00:00
static eventhandler_tag filemon_exec_tag;
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
static eventhandler_tag filemon_exit_tag;
filemon: Trace fork via process_fork event. This avoids needing ugly hooks and needing both a vfork and fork handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:17:55 +00:00
static eventhandler_tag filemon_fork_tag;
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
static void
filemon_output(struct filemon *filemon, char *msg, size_t len)
{
struct uio auio;
struct iovec aiov;
Return any log write failure encountered when closing the filemon fd. Discussed with: sjg, markj Reviewed by: sjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:07 +00:00
int error;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
if (filemon->fp == NULL)
return;
aiov.iov_base = msg;
aiov.iov_len = len;
auio.uio_iov = &aiov;
auio.uio_iovcnt = 1;
auio.uio_resid = len;
auio.uio_segflg = UIO_SYSSPACE;
auio.uio_rw = UIO_WRITE;
auio.uio_td = curthread;
auio.uio_offset = (off_t) -1;
Only call bwillwrite() for logging to vnodes, as other fo_write() calls do. MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-03-07 21:10:19 +00:00
if (filemon->fp->f_type == DTYPE_VNODE)
bwillwrite();
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Write to the log using the tracer's credentials. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-05-27 23:57:53 +00:00
error = fo_write(filemon->fp, &auio, filemon->cred, 0, curthread);
Don't truncate existing error when writing the log. Suggested by: markj MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-05-27 23:58:00 +00:00
if (error != 0 && filemon->error == 0)
Return any log write failure encountered when closing the filemon fd. Discussed with: sjg, markj Reviewed by: sjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:07 +00:00
filemon->error = error;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
static void
filemon_output_event(struct filemon *filemon, const char *fmt, ...)
{
va_list ap;
size_t len;
va_start(ap, fmt);
len = vsnprintf(filemon->msgbufr, sizeof(filemon->msgbufr), fmt, ap);
va_end(ap);
/* The event is truncated but still worth logging. */
if (len >= sizeof(filemon->msgbufr))
len = sizeof(filemon->msgbufr) - 1;
filemon_output(filemon, filemon->msgbufr, len);
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
static int
filemon_wrapper_chdir(struct thread *td, struct chdir_args *uap)
{
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
int error, ret;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
struct filemon *filemon;
if ((ret = sys_chdir(td, uap)) == 0) {
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(curproc)) != NULL) {
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
if ((error = copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), NULL)) != 0) {
filemon->error = error;
goto copyfail;
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "C %d %s\n",
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
curproc->p_pid, filemon->fname1);
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
copyfail:
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
return (ret);
}
filemon: Use process_exec EVENTHANDLER to capture sys_execve. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 21:45:25 +00:00
static void
filemon_event_process_exec(void *arg __unused, struct proc *p,
struct image_params *imgp)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
struct filemon *filemon;
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(p)) != NULL) {
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "E %d %s\n",
filemon exec: Use imgp->execpath rather than vn_fullpath(9). This will be more accurate as the actual name is provided if ran from an absolute path in do_execve(). MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-05-26 23:27:08 +00:00
p->p_pid,
imgp->execpath != NULL ? imgp->execpath : "<unknown>");
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
exec: Cease tracing if credentials will change with the new image. This also prevents tracing to a P_INEXEC process since it could race with other processes attaching to it in filemon_event_process_exec() due to the filemon_get_proc() race of incrementing ref and then locking the filemon. With the no-P_INEXEC invariant in place the p_filemon may only be the same or NULL when trying to drop it in filemon_event_process_exec(). MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D6545
2016-05-27 23:57:43 +00:00
/* If the credentials changed then cease tracing. */
if (imgp->newcred != NULL &&
imgp->credential_setid &&
Remove unused argument to priv_check_cred. Patch mostly generated with cocinnelle: @@ expression E1,E2; @@ - priv_check_cred(E1,E2,0) + priv_check_cred(E1,E2) Sponsored by: The FreeBSD Foundation
2018-12-11 19:32:16 +00:00
priv_check_cred(filemon->cred, PRIV_DEBUG_DIFFCRED) != 0) {
exec: Cease tracing if credentials will change with the new image. This also prevents tracing to a P_INEXEC process since it could race with other processes attaching to it in filemon_event_process_exec() due to the filemon_get_proc() race of incrementing ref and then locking the filemon. With the no-P_INEXEC invariant in place the p_filemon may only be the same or NULL when trying to drop it in filemon_event_process_exec(). MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D6545
2016-05-27 23:57:43 +00:00
/*
* It may have changed to NULL already, but
* will not be re-attached by anything else.
*/
if (p->p_filemon != NULL) {
KASSERT(p->p_filemon == filemon,
("%s: proc %p didn't have expected"
" filemon %p", __func__, p, filemon));
filemon_proc_drop(p);
}
}
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
static void
Add const to input-only char * arguments. These arguments are mostly paths handled by NAMEI*() macros which already take const char * arguments. This change improves the match between syscalls.master and the public declerations of system calls. Reviewed by: kib (prior version) Obtained from: CheriBSD Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D17812
2018-11-02 20:50:22 +00:00
_filemon_wrapper_openat(struct thread *td, const char *upath, int flags,
int fd)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
int error;
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
struct file *fp;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
struct filemon *filemon;
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
char *atpath, *freepath;
cap_rights_t rights;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
if ((filemon = filemon_proc_get(curproc)) != NULL) {
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
atpath = "";
freepath = NULL;
fp = NULL;
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
if ((error = copyinstr(upath, filemon->fname1,
sizeof(filemon->fname1), NULL)) != 0) {
filemon->error = error;
goto copyfail;
}
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
if (filemon->fname1[0] != '/' && fd != AT_FDCWD) {
/*
* rats - we cannot do too much about this.
* the trace should show a dir we read
* recently.. output an A record as a clue
* until we can do better.
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
* XXX: This may be able to come out with
* the namecache lookup now.
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
*/
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "A %d %s\n",
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
curproc->p_pid, filemon->fname1);
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
/*
* Try to resolve the path from the vnode using the
* namecache. It may be inaccurate, but better
* than nothing.
*/
if (getvnode(td, fd,
cap_rights_init(&rights, CAP_LOOKUP), &fp) == 0) {
vn_fullpath(td, fp->f_vnode, &atpath,
&freepath);
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
if (flags & O_RDWR) {
/*
* We'll get the W record below, but need
* to also output an R to distinguish from
* O_WRONLY.
*/
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "R %d %s%s%s\n",
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
curproc->p_pid, atpath,
atpath[0] != '\0' ? "/" : "", filemon->fname1);
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "%c %d %s%s%s\n",
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
(flags & O_ACCMODE) ? 'W':'R',
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
curproc->p_pid, atpath,
atpath[0] != '\0' ? "/" : "", filemon->fname1);
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
copyfail:
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
filemon_drop(filemon);
Attempt to use the namecache for openat(2) path resolution. This finishes the work done in D2810. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:53 +00:00
if (fp != NULL)
fdrop(fp, td);
free(freepath, M_TEMP);
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
static int
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
filemon_wrapper_open(struct thread *td, struct open_args *uap)
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
{
int ret;
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
if ((ret = sys_open(td, uap)) == 0)
_filemon_wrapper_openat(td, uap->path, uap->flags, AT_FDCWD);
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
return (ret);
}
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
static int
filemon_wrapper_openat(struct thread *td, struct openat_args *uap)
{
int ret;
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
Consolidate open(2) and openat(2) code. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 20:29:43 +00:00
if ((ret = sys_openat(td, uap)) == 0)
_filemon_wrapper_openat(td, uap->path, uap->flag, uap->fd);
Latest clang uses openat(2). If the pathname is absolute or dirfd is AT_FDCWD we can handle it exactly like open(2). Otherwise we output an A record to indicate that the path of an open directory needs to be used (earlier in the trace). Differential Revision: D2810 Reviewed by: jhb MFC after: a bit
2015-06-14 16:31:06 +00:00
return (ret);
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
static int
filemon_wrapper_rename(struct thread *td, struct rename_args *uap)
{
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
int error, ret;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
struct filemon *filemon;
if ((ret = sys_rename(td, uap)) == 0) {
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(curproc)) != NULL) {
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
if (((error = copyinstr(uap->from, filemon->fname1,
sizeof(filemon->fname1), NULL)) != 0) ||
((error = copyinstr(uap->to, filemon->fname2,
sizeof(filemon->fname2), NULL)) != 0)) {
filemon->error = error;
goto copyfail;
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "M %d '%s' '%s'\n",
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
curproc->p_pid, filemon->fname1, filemon->fname2);
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
copyfail:
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
return (ret);
}
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
static void
Add const to input-only char * arguments. These arguments are mostly paths handled by NAMEI*() macros which already take const char * arguments. This change improves the match between syscalls.master and the public declerations of system calls. Reviewed by: kib (prior version) Obtained from: CheriBSD Sponsored by: DARPA, AFRL Differential Revision: https://reviews.freebsd.org/D17812
2018-11-02 20:50:22 +00:00
_filemon_wrapper_link(struct thread *td, const char *upath1,
const char *upath2)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
struct filemon *filemon;
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
int error;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
if ((filemon = filemon_proc_get(curproc)) != NULL) {
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
if (((error = copyinstr(upath1, filemon->fname1,
sizeof(filemon->fname1), NULL)) != 0) ||
((error = copyinstr(upath2, filemon->fname2,
sizeof(filemon->fname2), NULL)) != 0)) {
filemon->error = error;
goto copyfail;
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "L %d '%s' '%s'\n",
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
curproc->p_pid, filemon->fname1, filemon->fname2);
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
copyfail:
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
static int
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
filemon_wrapper_link(struct thread *td, struct link_args *uap)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
int ret;
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
if ((ret = sys_link(td, uap)) == 0)
_filemon_wrapper_link(td, uap->path, uap->link);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
return (ret);
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
static int
filemon_wrapper_symlink(struct thread *td, struct symlink_args *uap)
{
int ret;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
if ((ret = sys_symlink(td, uap)) == 0)
_filemon_wrapper_link(td, uap->path, uap->link);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
return (ret);
}
static int
filemon_wrapper_linkat(struct thread *td, struct linkat_args *uap)
{
int ret;
Consolidate common link(2) logic. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-21 23:22:19 +00:00
if ((ret = sys_linkat(td, uap)) == 0)
_filemon_wrapper_link(td, uap->path1, uap->path2);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
return (ret);
}
static void
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
filemon_event_process_exit(void *arg __unused, struct proc *p)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
struct filemon *filemon;
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(p)) != NULL) {
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "X %d %d %d\n",
p->p_pid, p->p_xexit, p->p_xsig);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
/*
* filemon_untrack_processes() may have dropped this p_filemon
* already while in filemon_proc_get() before acquiring the
* filemon lock.
*/
KASSERT(p->p_filemon == NULL || p->p_filemon == filemon,
("%s: p %p was attached while exiting, expected "
"filemon %p or NULL", __func__, p, filemon));
if (p->p_filemon == filemon)
filemon_proc_drop(p);
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
static int
filemon_wrapper_unlink(struct thread *td, struct unlink_args *uap)
{
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
int error, ret;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
struct filemon *filemon;
if ((ret = sys_unlink(td, uap)) == 0) {
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(curproc)) != NULL) {
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
if ((error = copyinstr(uap->path, filemon->fname1,
sizeof(filemon->fname1), NULL)) != 0) {
filemon->error = error;
goto copyfail;
}
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "D %d %s\n",
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
curproc->p_pid, filemon->fname1);
Handle copyin failures. Skip the log entry as there is nothing good to write out. Don't fail the syscall though since it already succeeded. There's no reason filemon's tracing failure should fail the already-succeeded syscall. Record the error for later to return from close(2) on the filemon devfs file descriptor. Discussed with: markj, sjg, kib (briefly with kib) Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-03-22 22:41:14 +00:00
copyfail:
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
return (ret);
}
filemon: Trace fork via process_fork event. This avoids needing ugly hooks and needing both a vfork and fork handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:17:55 +00:00
static void
filemon_event_process_fork(void *arg __unused, struct proc *p1,
Follow-up r294967: Mark flags unused. X-MFC-With: r294967 MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:19:19 +00:00
struct proc *p2, int flags __unused)
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
{
struct filemon *filemon;
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
if ((filemon = filemon_proc_get(p1)) != NULL) {
Fix some filemon path logging issues. - Properly handle snprintf return value for truncation and avoid overflowing the later write with the bogus length. - Increase the msgbufr size to handle a rename of 2 full files. The larger allocation causes a slight performance hit which will be mitigated in the future. A rewrite with sbufs will likely be done as well. Reported by: Ilja Van Sprundel <ivansprundel@ioactive.com> MFC after: 2 weeks Approved by: so (gtetlow) Reviewed by: kib Sponsored by: Dell EMC Differential Revision: https://reviews.freebsd.org/D16098
2018-08-03 19:24:04 +00:00
filemon_output_event(filemon, "F %d %d\n",
filemon: Trace fork via process_fork event. This avoids needing ugly hooks and needing both a vfork and fork handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:17:55 +00:00
p1->p_pid, p2->p_pid);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Track filemon usage via a proc.p_filemon pointer rather than its own lists. - proc.p_filemon is added which is protected by PROC_LOCK. This improves performance and avoids double-fork issues, taking allproc_lock while in syscalls, and walking the process tree in syscalls. A particular proc.p_filemon can only be changed to NULL or another filemon, or the filemon inherited, while the filemon->lock is held. - Filemon are reference counted. On the last reference the log will be closed. - When closing the devfs file handle, the filemon will be detached from all processes and inheritance prevented. - Disallow attaching to a process already being traced since filemon is typically intended to be used on children only. This is allowed for curproc as bmake relies on this behavior for rare cases when combining .MAKE with .META. - Detach any previously tracked process on ioctl(FILEMON_SET_PID). - Handle error from devfs_set_cdevpriv() in filemon_open(). - The global filemon lock and lists are removed. - A free list is no longer kept. Previously this list was forever-expanding and never garbage cleaned. - No longer loses track of double-forks. If the process holding the filemon handle closes it will close the log rather than wait on a daemonized process, but it will log all activity until it closes its handle. The filemon will be removed from the process and not inherited. - A separate process count is kept only as an optimization for forced detachment to avoid taking allproc_lock and walking the entire process tree. - struct filemon access is protected by sx(9) filemon->lock as it was before. - Add more comments and KASSERTS. MFC after: 2 weeks Reviewed by: kib, mjg, markj (all on previous versions) Sponsored by: EMC / Isilon Storage Division Differential Revision: https://reviews.freebsd.org/D5520
2016-03-21 20:29:27 +00:00
/*
* filemon_untrack_processes() or
* filemon_ioctl(FILEMON_SET_PID) may have changed the parent's
* p_filemon while in filemon_proc_get() before acquiring the
* filemon lock. Only inherit if the parent is still traced by
* this filemon.
*/
if (p1->p_filemon == filemon) {
PROC_LOCK(p2);
/*
* It may have been attached to already by a new
* filemon.
*/
if (p2->p_filemon == NULL) {
p2->p_filemon = filemon_acquire(filemon);
++filemon->proccnt;
}
PROC_UNLOCK(p2);
}
filemon_drop(filemon);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
}
static void
filemon_wrapper_install(void)
{
Support all architectures by just using sysent. PowerPC64 has two different ABIs, neither of which is elf64_freebsd_sysvec. Using sysent and freebsd32_sysent achieves the same effect. X-MFC-With: r301130 MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-06-04 17:39:42 +00:00
sysent[SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
sysent[SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
sysent[SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
sysent[SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
sysent[SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
sysent[SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
sysent[SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
sysent[SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Cleanup COMPAT_FREEBSD32 support. This is a NOP. The COMPAT_IA32 was renamed in r205014 to COMPAT_FREEBSD32 and COMPAT_ARCH32 does not seem to have existed. Also remove some leftovers from the sysent rework in r301404. Include freebsd32_util.h for the freebsd32_sysent prototype. X-MFC-With: r301404 Reported by: kib MFC after: 3 days Sponsored by: EMC / Isilon Storage Division
2016-06-05 18:16:33 +00:00
#if defined(COMPAT_FREEBSD32)
Support all architectures by just using sysent. PowerPC64 has two different ABIs, neither of which is elf64_freebsd_sysvec. Using sysent and freebsd32_sysent achieves the same effect. X-MFC-With: r301130 MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-06-04 17:39:42 +00:00
freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *) filemon_wrapper_chdir;
freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *) filemon_wrapper_open;
freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *) filemon_wrapper_openat;
freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *) filemon_wrapper_rename;
freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *) filemon_wrapper_unlink;
freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *) filemon_wrapper_link;
freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *) filemon_wrapper_symlink;
freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *) filemon_wrapper_linkat;
Cleanup COMPAT_FREEBSD32 support. This is a NOP. The COMPAT_IA32 was renamed in r205014 to COMPAT_FREEBSD32 and COMPAT_ARCH32 does not seem to have existed. Also remove some leftovers from the sysent rework in r301404. Include freebsd32_util.h for the freebsd32_sysent prototype. X-MFC-With: r301404 Reported by: kib MFC after: 3 days Sponsored by: EMC / Isilon Storage Division
2016-06-05 18:16:33 +00:00
#endif /* COMPAT_FREEBSD32 */
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
filemon: Use process_exec EVENTHANDLER to capture sys_execve. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 21:45:25 +00:00
filemon_exec_tag = EVENTHANDLER_REGISTER(process_exec,
filemon_event_process_exec, NULL, EVENTHANDLER_PRI_LAST);
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
filemon_exit_tag = EVENTHANDLER_REGISTER(process_exit,
filemon_event_process_exit, NULL, EVENTHANDLER_PRI_LAST);
filemon: Trace fork via process_fork event. This avoids needing ugly hooks and needing both a vfork and fork handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:17:55 +00:00
filemon_fork_tag = EVENTHANDLER_REGISTER(process_fork,
filemon_event_process_fork, NULL, EVENTHANDLER_PRI_LAST);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
static void
filemon_wrapper_deinstall(void)
{
Support all architectures by just using sysent. PowerPC64 has two different ABIs, neither of which is elf64_freebsd_sysvec. Using sysent and freebsd32_sysent achieves the same effect. X-MFC-With: r301130 MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-06-04 17:39:42 +00:00
sysent[SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
sysent[SYS_open].sy_call = (sy_call_t *)sys_open;
sysent[SYS_openat].sy_call = (sy_call_t *)sys_openat;
sysent[SYS_rename].sy_call = (sy_call_t *)sys_rename;
sysent[SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
sysent[SYS_link].sy_call = (sy_call_t *)sys_link;
sysent[SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
sysent[SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
Cleanup COMPAT_FREEBSD32 support. This is a NOP. The COMPAT_IA32 was renamed in r205014 to COMPAT_FREEBSD32 and COMPAT_ARCH32 does not seem to have existed. Also remove some leftovers from the sysent rework in r301404. Include freebsd32_util.h for the freebsd32_sysent prototype. X-MFC-With: r301404 Reported by: kib MFC after: 3 days Sponsored by: EMC / Isilon Storage Division
2016-06-05 18:16:33 +00:00
#if defined(COMPAT_FREEBSD32)
Support all architectures by just using sysent. PowerPC64 has two different ABIs, neither of which is elf64_freebsd_sysvec. Using sysent and freebsd32_sysent achieves the same effect. X-MFC-With: r301130 MFC after: 1 week Sponsored by: EMC / Isilon Storage Division
2016-06-04 17:39:42 +00:00
freebsd32_sysent[FREEBSD32_SYS_chdir].sy_call = (sy_call_t *)sys_chdir;
freebsd32_sysent[FREEBSD32_SYS_open].sy_call = (sy_call_t *)sys_open;
freebsd32_sysent[FREEBSD32_SYS_openat].sy_call = (sy_call_t *)sys_openat;
freebsd32_sysent[FREEBSD32_SYS_rename].sy_call = (sy_call_t *)sys_rename;
freebsd32_sysent[FREEBSD32_SYS_unlink].sy_call = (sy_call_t *)sys_unlink;
freebsd32_sysent[FREEBSD32_SYS_link].sy_call = (sy_call_t *)sys_link;
freebsd32_sysent[FREEBSD32_SYS_symlink].sy_call = (sy_call_t *)sys_symlink;
freebsd32_sysent[FREEBSD32_SYS_linkat].sy_call = (sy_call_t *)sys_linkat;
Cleanup COMPAT_FREEBSD32 support. This is a NOP. The COMPAT_IA32 was renamed in r205014 to COMPAT_FREEBSD32 and COMPAT_ARCH32 does not seem to have existed. Also remove some leftovers from the sysent rework in r301404. Include freebsd32_util.h for the freebsd32_sysent prototype. X-MFC-With: r301404 Reported by: kib MFC after: 3 days Sponsored by: EMC / Isilon Storage Division
2016-06-05 18:16:33 +00:00
#endif /* COMPAT_FREEBSD32 */
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
filemon: Use process_exec EVENTHANDLER to capture sys_execve. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 21:45:25 +00:00
EVENTHANDLER_DEREGISTER(process_exec, filemon_exec_tag);
filemon: Use process_exit EVENTHANDLER to capture process exit. This fixes some cases where a process could exit without being untracked by filemon. Reported by: mjg MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 00:51:17 +00:00
EVENTHANDLER_DEREGISTER(process_exit, filemon_exit_tag);
filemon: Trace fork via process_fork event. This avoids needing ugly hooks and needing both a vfork and fork handler. MFC after: 2 weeks Sponsored by: EMC / Isilon Storage Division
2016-01-28 01:17:55 +00:00
EVENTHANDLER_DEREGISTER(process_fork, filemon_fork_tag);
Add the 'filemon' device. 'filemon' is a kernel module that provides a device interface for processes to record system calls of its children. Submitted by: Juniper Networks.
2012-06-04 22:54:19 +00:00
}
Reference in New Issue Copy Permalink