Index: share/man/man4/filemon.4
===================================================================
--- share/man/man4/filemon.4
+++ share/man/man4/filemon.4
@@ -31,7 +31,7 @@
 .\"
 .\" $FreeBSD$
 .\"
-.Dd June 15, 2019
+.Dd February 1, 2022
 .Dt FILEMON 4
 .Os
 .Sh NAME
@@ -51,10 +51,10 @@
 .Pp
 .Nm
 is not intended to be a security auditing tool.
-Many system calls are not tracked and binaries of foreign ABI will not be fully
-audited.
-It is intended for auditing of processes for the purpose of determining its
-dependencies in an efficient and easily parsable format.
+Many system calls are not tracked and binaries using a non-native ABI may not
+be fully audited.
+It is intended for auditing of processes for the purpose of determining their
+dependencies using an efficient and easily parsable format.
 An example of this is
 .Xr make 1
 which uses this module with
@@ -145,6 +145,11 @@
 The
 .Nm
 handle is already associated with a file descriptor.
+.It Bq Er EINVAL
+The file descriptor has an invalid type and cannot be used for
+tracing.
+.It Bq Er EBADF
+The file descriptor is invalid or not opened for writing.
 .El
 .Pp
 The
Index: sys/dev/filemon/filemon.c
===================================================================
--- sys/dev/filemon/filemon.c
+++ sys/dev/filemon/filemon.c
@@ -359,9 +359,10 @@
 filemon_ioctl(struct cdev *dev, u_long cmd, caddr_t data, int flag __unused,
 struct thread *td)
 {
- int error = 0;
 struct filemon *filemon;
+ struct file *fp;
 struct proc *p;
+ int error;
 if ((error = devfs_get_cdevpriv((void **) &filemon)) != 0)
 return (error);
@@ -376,12 +377,21 @@
 break;
 }
- error = fget_write(td, *(int *)data,
- &cap_pwrite_rights,
- &filemon->fp);
- if (error == 0)
+ error = fget_write(td, *(int *)data, &cap_pwrite_rights, &fp);
+ if (error == 0) {
+ /*
+ * The filemon handle may be passed to another process,
+ * so the underlying file handle must support this.
+ */
+ if ((fp->f_ops->fo_flags & DFLAG_PASSABLE) == 0) {
+ fdrop(fp, curthread);
+ error = EINVAL;
+ break;
+ }
+ filemon->fp = fp;
 /* Write the file header. */
 filemon_write_header(filemon);
+ }
 break;
 /* Set the monitored process ID. */
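Review bot: The rejection path drops the reference with `fdrop(fp, curthread)` although the `fget_write()` call just above it acquires the reference through the handler's `td` argument; `fdrop(fp, td);` would keep acquire and release on the same thread pointer and read consistently within the block. The added comment says the handle may be passed to another process but not what the check enforces, so I would reword its second line to state that descriptors whose `fo_flags` lack `DFLAG_PASSABLE` are refused with `EINVAL` before `filemon->fp` is ever set. The enclosing `switch` case begins and ends outside this hunk, so it is presumed (not visible here) that the early `break` reaches the same unlock and cleanup as the normal exit.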