site_archiver@lists.apple.com Delivered-To: Darwin-dev@lists.apple.com Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:cc:message-id:from:to :in-reply-to:content-type:content-transfer-encoding:mime-version :subject:date:references:x-mailer; bh=K/COihIozEwhpL52WrGnD3peO5Z8duPB3McXPjE9KGc=; b=oiG9tr5nhkFGxtk7ZKPPITh9SiGX72VybYF6M0zbRCp6CNoOlm7kEecpQfNLUhB4IG A+vG8NGF3IBkS0FoSUP8hUivCFwHhiOy94BL6xG3vizBBUNLD282ztXGEnoCc9mJI2U8 PpC6T8AEIOpBXK3zTCjM7YwpmNiuEu/KuIUSY= Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=cc:message-id:from:to:in-reply-to:content-type :content-transfer-encoding:mime-version:subject:date:references :x-mailer; b=YLlrVjyPRB5x8GRH1finlcnSZoI6UeeAVYl2qOD1jIlY9WQI+GoJkIMx039gBD4/EP /6NFckvfJTkQtpBhY6s8DJKX4aA0Kg2UXCb6Gjf3rw8bu9BzVo/Cj/FtdVc7W4C2TVx1 fEoUl79VbPClvuSTjmM5qdu1h0CdK/J7reBwA= On Oct 11, 2009, at 11:40 PM, Damien Sorresso wrote: Yes. -- Sincerely, Rustam Muginov _______________________________________________ Do not post admin requests to the list. They will be ignored. Darwin-dev mailing list (Darwin-dev@lists.apple.com) Help/Unsubscribe/Update your Subscription: http://lists.apple.com/mailman/options/darwin-dev/site_archiver%40lists.appl... Thank you for explanation, Damien. How fast the kqueue events are delivered to the subscribed process? Is it possible that the watched process would spawn child process, kill it, and then spawn another one before the watching application get notified? Can the regular-user application watch other users/root processes, or it must run on behalf of root? On Oct 11, 2009, at 9:18 AM, Rustam Muginov wrote: Then using kqueue with EVFILT_PROC i can get the notification that observed process forked/execed a child process. How could I know the pid of child process? Unfortunately, you cannot get this information directly from kqueue(3). You can do some sysctl(3) magic, but that's a very large club for this problem. Additionaly, how much overhead for the system adds observing all of the running processes? Is it any other, more lightweight way to watch for newer spawned processes then kqueue? On Mac OS X, launchd attaches kevents to most PIDs on the system. It's a very lightweight mechanism, and your process' contribution to this overhead in the kernel would negligible compared to what's already there anyway. -- Damien Sorresso BSD Engineering Apple Inc. This email sent to site_archiver@lists.apple.com