Re: kqueue EVFILT_PROC and child process pid
Re: kqueue EVFILT_PROC and child process pid
- Subject: Re: kqueue EVFILT_PROC and child process pid
- From: Rustam Muginov <email@hidden>
- Date: Mon, 12 Oct 2009 21:48:16 +0400
Thank you for explanation, Damien.
How fast the kqueue events are delivered to the subscribed process?
Is it possible that the watched process would spawn child process,
kill it, and then spawn another one before the watching application
get notified?
Can the regular-user application watch other users/root processes, or
it must run on behalf of root?
On Oct 11, 2009, at 11:40 PM, Damien Sorresso wrote:
On Oct 11, 2009, at 9:18 AM, Rustam Muginov wrote:
Then using kqueue with EVFILT_PROC i can get the notification that
observed process forked/execed a child process.
Yes.
How could I know the pid of child process?
Unfortunately, you cannot get this information directly from
kqueue(3). You can do some sysctl(3) magic, but that's a very large
club for this problem.
Additionaly, how much overhead for the system adds observing all of
the running processes? Is it any other, more lightweight way to
watch for newer spawned processes then kqueue?
On Mac OS X, launchd attaches kevents to most PIDs on the system.
It's a very lightweight mechanism, and your process' contribution to
this overhead in the kernel would negligible compared to what's
already there anyway.
--
Damien Sorresso
BSD Engineering
Apple Inc.
--
Sincerely, Rustam Muginov
_______________________________________________
Do not post admin requests to the list. They will be ignored.
Darwin-dev mailing list (email@hidden)
Help/Unsubscribe/Update your Subscription:
This email sent to email@hidden