
I'd like to build a user-space tool that monitors any attempt to open a non-existent file with a specific path+name (it doesn't appear in the filesystem).

Looking at the available options, the one that is closest to my need is using the kevent framework.

Here's a sample for monitoring a file represented by a path, which requires a file descriptor. Perhaps there's an option to monitor every access to the path even if open fails since the file doesn't exist.

    /* Event-only descriptor; open() returns -1 when path does not exist. */
    fd = open(path, O_EVTONLY);
    user_data = path;

    /* Set up a list of events to monitor. */
    vnode_events = NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND | NOTE_ATTRIB | NOTE_LINK | NOTE_RENAME | NOTE_REVOKE;
    EV_SET(&events_to_monitor[0], fd, EVFILT_VNODE, EV_ADD | EV_CLEAR, vnode_events, 0, user_data);

    /* Register the event on the kqueue kq and collect pending notifications. */
    int event_count = kevent(kq, events_to_monitor, NUM_EVENT_SLOTS, event_data, num_files, NULL);

Zohar81
  • I don't know if this helps you, but it can definitely be done with dtrace. This is obviously sufficient if you're trying to track something specific down, but will likely be a problem for integrating into some software, as large parts of dtrace fail with SIP enabled. Otherwise, I'd probably check the kernel's VFS source for path-based vnode lookups, and see if there's anything in there you can hook into in the failure case. – pmdj Nov 24 '16 at 13:13
  • dtrace sounds like a good idea, but the thing is that I'd like to run this check from C code. Do you know if there is a dedicated API for that? – Zohar81 Nov 24 '16 at 14:23
  • You can use dtrace from your own code, but as I mentioned, you'll almost certainly run into problems with SIP (System Integrity Protection). Asking your users to disable SIP is generally not acceptable. I'd check if you can get the data with the dtrace CLI utility even if SIP is enabled first, and only go down the route of embedding dtrace if it works with SIP on. – pmdj Nov 24 '16 at 16:45
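
The dtrace route mentioned in the comments, as an added example that is not part of the original thread: a D script that reports `open`/`openat` calls failing with ENOENT for one exact path string. The script name `enoent_watch.d` and the path-as-first-argument convention are assumptions; it needs root, and the SIP limitation described in the comments still applies.

```d
#!/usr/sbin/dtrace -s
/*
 * enoent_watch.d (hypothetical name): log failed opens of one path.
 * Usage: sudo dtrace -Z -s enoent_watch.d /path/to/watch
 *   -Z lets the script load even if a listed probe is absent on this OS version.
 * The match is an exact string comparison against what the caller passed,
 * so a relative path to the same file is not reported.
 */
#pragma D option quiet

/* Remember the user-space pointer to the path argument at syscall entry. */
syscall::open:entry,
syscall::open_nocancel:entry
{
    self->pathp = arg0;
}

/* For openat() the path is the second argument (after the directory fd). */
syscall::openat:entry,
syscall::openat_nocancel:entry
{
    self->pathp = arg1;
}

/* On return, report only calls that failed with ENOENT (errno 2) on the watched path. */
syscall::open:return,
syscall::open_nocancel:return,
syscall::openat:return,
syscall::openat_nocancel:return
/self->pathp && errno == 2 && copyinstr(self->pathp) == $$1/
{
    printf("%Y pid=%d uid=%d exec=%s path=%s\n",
        walltimestamp, pid, uid, execname, copyinstr(self->pathp));
}

/* Clear the per-thread state after every open, matched or not. */
syscall::open:return,
syscall::open_nocancel:return,
syscall::openat:return,
syscall::openat_nocancel:return
/self->pathp/
{
    self->pathp = 0;
}
```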

0 Answers