opensnoop from DTrace can show which files are opened by a program/pid. It does not trace opens by forked/vforked children though. Related dtruss has this follow functionality.
Is there a way to tell opensnoop to also follow children?
The -p option actually adds a PID == pid check into the generated script, where pid is a built-in variable representing the current process id and PID is the -p option value.
There is an action in DTrace called progenyof which checks that the current process is a child (not necessarily direct) of a process, so simply replace that check in opensnoop:
--- /usr/dtrace/DTT/opensnoop Wed Jun 25 01:34:47 2014
+++ opensnoop Fri Jan 13 17:43:41 2017
@@ -199,7 +199,7 @@
/* check each filter */
(OPT_name == 1 && NAME == execname) ? self->ok = 1 : 1;
- (OPT_pid == 1 && PID == pid) ? self->ok = 1 : 1;
+ (OPT_pid == 1 && progenyof(PID)) ? self->ok = 1 : 1;
/* OPT_file is checked on return to ensure pathp is mapped */
}
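Review bot: the + line replaces the exact match outright, so after this change -p PID always includes descendants and the original "this pid only" filter can no longer be selected. Consider keeping PID == pid as the default and putting progenyof(PID) behind a separate follow option, in the way dtruss offers one, for example with a hypothetical OPT_follow flag: (OPT_pid == 1 && OPT_follow == 1 && progenyof(PID)) ? self->ok = 1 : 1; The usage text for -p is not touched in this hunk and should state which of the two behaviours applies, since anyone using the output as an audit trail of a single process will now also see opens made by its children.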