Tuesday, 15 May 2012

How to detect file activities of exec'ed child process on Linux in C?


I have a program that exec's a process (not mine, consider it a black box). Is there a way to observe operations, like open() and close(), of the child process?

I'm especially interested in finding newly created files, or existing files opened with the intention of being created (the O_CREAT flag of open()).

The working approach is to redefine open() within my own shared library and preload it within the exec()'ed process via the LD_PRELOAD environment variable. This is @alk's approach.

The code of the redefined open() looks like:

    // C++ source; g++ defines _GNU_SOURCE by default, which RTLD_NEXT requires.
    #include <fcntl.h>
    #include <dlfcn.h>
    #include <stdarg.h>
    #include <sys/types.h>

    extern "C" {

    int open(const char *pathname, int flags, ...) {
        // The mode argument is only present when O_CREAT is set.
        bool has_mode = false;
        mode_t mode = 0;
        if (flags & O_CREAT) {
            va_list ap;
            va_start(ap, flags);
            mode = va_arg(ap, mode_t);
            has_mode = true;
            va_end(ap);
        }

        // Look up the next definition of open() in the search order (libc's).
        using Fn = int (*)(const char *pathname, int flags, ...);
        Fn new_open = reinterpret_cast<Fn>(dlsym(RTLD_NEXT, "open"));

        // Do something useful here.

        if (has_mode) {
            return new_open(pathname, flags, mode);
        } else {
            return new_open(pathname, flags);
        }
    }

    }  // extern "C"

The problem is fcntl.h: it may have a geeky declaration of the function open(). But we need this file for the definition of O_CREAT. Another way is to include the file with the definition directly: in my case it's the file asm-generic/fcntl.h.

c linux file-io child-process
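
An added example, not part of the original post: a plain C variant of the preload shim that also wraps openat() and treats O_TMPFILE like O_CREAT, since both carry a mode argument. The names shim_open, shim_openat, shim_creations, takes_mode and forward are assumptions of this example; the asm labels are one way to keep including fcntl.h despite its own declaration of open(), and both wrappers forward to libc's openat(), to which open() is equivalent with AT_FDCWD.

```c
#define _GNU_SOURCE   /* RTLD_NEXT and O_TMPFILE; must precede every header */
#include <dlfcn.h>
#include <fcntl.h>
#include <stdarg.h>
#include <stdio.h>
#ifndef RTLD_NEXT     /* glibc's value, in case _GNU_SOURCE was set too late */
#define RTLD_NEXT ((void *)-1L)
#endif

/* Asm labels export these as "open"/"openat" without redeclaring libc's names. */
int shim_open(const char *path, int flags, ...) __asm__("open");
int shim_openat(int dirfd, const char *path, int flags, ...) __asm__("openat");

static unsigned long creations;   /* successful create-capable opens so far */
unsigned long shim_creations(void) { return creations; }

int takes_mode(int flags) {       /* is the optional mode argument present? */
#ifdef O_TMPFILE
    if ((flags & O_TMPFILE) == O_TMPFILE) return 1;
#endif
    return (flags & O_CREAT) != 0;
}

static int forward(const char *call, int dirfd, const char *path, int flags, mode_t mode) {
    static int (*real_openat)(int, const char *, int, ...);
    if (!real_openat)             /* next "openat" in lookup order, i.e. libc's */
        real_openat = (int (*)(int, const char *, int, ...))dlsym(RTLD_NEXT, "openat");
    int fd = real_openat(dirfd, path, flags, mode);
    if (fd >= 0 && takes_mode(flags)) {
        creations++;
        fprintf(stderr, "[shim] %s(\"%s\", %#o) = %d\n", call, path, (unsigned)flags, fd);
    }
    return fd;
}

int shim_openat(int dirfd, const char *path, int flags, ...) {
    va_list ap;
    va_start(ap, flags);
    mode_t mode = takes_mode(flags) ? va_arg(ap, mode_t) : 0;
    va_end(ap);
    return forward("openat", dirfd, path, flags, mode);
}

int shim_open(const char *path, int flags, ...) {   /* same as openat(AT_FDCWD, ...) */
    va_list ap;
    va_start(ap, flags);
    mode_t mode = takes_mode(flags) ? va_arg(ap, mode_t) : 0;
    va_end(ap);
    return forward("open", AT_FDCWD, path, flags, mode);
}
```

Build it with `gcc -shared -fPIC -o shim.so shim.c -ldl` (file names are placeholders) and put the library's path in LD_PRELOAD in the environment passed to exec(). Statically linked programs and programs that issue system calls directly never reach these wrappers, so an empty log does not prove that no file was created.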
