Date: Sun, 27 Oct 2002 01:24:19 -0700 From: Juli Mallett <jmallett@FreeBSD.org> To: Maxim Sobolev <sobomax@FreeBSD.ORG> Cc: Nate Lawson <nate@root.org>, jlemon@FreeBSD.ORG, hackers@FreeBSD.ORG, audit@FreeBSD.ORG Subject: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC Message-ID: <20021027012419.A94775@FreeBSD.org> In-Reply-To: <20021027082309.GC36533@vega.vega.com>; from sobomax@FreeBSD.ORG on Sun, Oct 27, 2002 at 10:23:09AM %2B0200 References: <3DB79DFA.FA719B8F@FreeBSD.org> <Pine.BSF.4.21.0210261715520.78755-100000@root.org> <20021027075043.GA36533@vega.vega.com> <20021027010429.A90908@FreeBSD.org> <20021027082309.GC36533@vega.vega.com>
next in thread | previous in thread | raw e-mail | index | archive | help
* De: Maxim Sobolev <sobomax@FreeBSD.ORG> [ Data: 2002-10-27 ]
[ Subjecte: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC ]
> On Sun, Oct 27, 2002 at 01:04:29AM -0700, Juli Mallett wrote:
> > * De: Maxim Sobolev <sobomax@FreeBSD.ORG> [ Data: 2002-10-27 ]
> > [ Subjecte: Re: New kevent types: NOTE_STARTEXEC and NOTE_STOPEXEC ]
> > > On Sat, Oct 26, 2002 at 06:09:31PM -0700, Nate Lawson wrote:
> > > > On Thu, 24 Oct 2002, Maxim Sobolev wrote:
> > > > > Please review the patch, which adds two new types of events -
> > > > > NOTE_STARTEXEC and NOTE_STOPEXEC, that could be used to get
> > > > > notification when the image starts or stops executing. For example, it
> > > > > could be used to monitor that a daemon is up and running and notify
> > > > > administrator when for some reason in exits. I am running this code
> > > > > for more than a year now without any problems.
> > > > >
> > > > > Any comments and suggestions are welcome.
> > > >
> > > > Couldn't this just be done by init(8) and /etc/ttys? Or inetd? If you
> > > > want to write your own, couldn't you use waitpid()? Or a kevent() of
> > > > EVFILT_PROC with NOTE_EXIT/NOTE_FORK? I'm not sure I see the need for
> > > > this.
> > >
> > > EVFILT_PROC operates on pids, while NOTE_{START,STOP}EXEC operate on
> > > vnodes - it is the main difference. Currently, you can't reliably
> > > get a notification when kernes started executing some arbitrary
> > > executable from your fs.
> >
> > This is not a job for the kernel, I don't think.
>
> Why not? Kernel now reports number of internal events via kqueue(2) interface,
> there is nothing wrong in adding yet another one. BTW, linux and irix already
> have similar functionality provided by /dev/imon.
If you implemented a kq interface, and an imon wrapper, I'd be much more
impressed. A less-divergant interface to do this would be nice, even if
kq is the backing. In fact, especially if kq is the backing, kq is strong,
kq will make us smart.
--
Juli Mallett <jmallett@FreeBSD.org> | FreeBSD: The Power To Serve
Will break world for fulltime employment. | finger jmallett@FreeBSD.org
http://people.FreeBSD.org/~jmallett/ | Support my FreeBSD hacking!
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20021027012419.A94775>