How do I use /dev/trace?

[Martyn Johnson]

My understanding (possibly incorrect) is:

>1) What ioctl's do I call, in what order, to indicate that I'm interested
>   in chmod() sys calls?

IOTR_SET... the things you are interested in, and then just read.

>2) Do I pass a "trace" structure (as defined in systrace.h) as the third arg
>   to ioctl()?  If not, what do I pass?  If so, that structure has positions
>   for 16 pids, 16 uids, 16 syscalls, and 16 pgrps, but no places to store
>   counts of the number of slots in use for each type of slot.  How does the
>   driver know which slots contain data I'm interested in?  Is it based on
>   the value in the slot?  If so, what value should I use to fill in the slots
>   I'm not using?

No, "struct trace" is a kernel structure. (My copy of systrace.h has
a comment to that effect).  You pass over an integer for things like
SETON, and an array of integers for things like SETPIDS.  Unused entries
should be zero, I think.

>3) What are the "IOTR_GET..." ioctl() calls used for?  What about
>  "IOTR_SET..."?  What is the meaning of "GET" vs. "SET" in this context?

The "GET" calls just return the system's idea of what you "SET".

>4) Once I've done the required ioctl()s to select the items I want to trace,
>   I assume I read from the file descriptor.  Where can I find documentation
>   on the format of the data that read() will return in the buffer?

You get back human readable text, as printed out by the "trace" command.
Format should be obvious; unfortunately the output is often of limited
use because it prints out addresses without telling you what they point to.

By the way, you can of course trace the trace command to see what it
does by way of ioctls.  For example:

 trace trace -f /dev/null cat /etc/motd
 
will trace the trace command setting up tracing of the cat.

Martyn Johnson
University of Cambridge Computer Lab
Cambridge UK.