
I'm examining the source code of the current fatrace.

The main loop calling fanotify to obtain the value of data looks like:

    res = read (fan_fd, buffer, 4096);
    ...
    data = (struct fanotify_event_metadata *) buffer;
    while (FAN_EVENT_OK (data, res)) {
        ...
        data = FAN_EVENT_NEXT (data, res);
    }

When it gets to extracting the filename associated with an event, the code looks like this:

    snprintf (printbuf, sizeof (printbuf), "/proc/self/fd/%i", data->fd);
    len = readlink (printbuf, pathname, sizeof (pathname));

I am confused why the filename is extracted from /proc/self/fd/"data->fd" and not /proc/"data->pid"/fd/"data->fd"?

craig65535
  • Is this a subjective question? Both are the same; in one case the OS substitutes the PID and in the other case the programmer does. – MSalters Apr 28 '14 at 07:19
  • Are they the same? My understanding is that /proc/self/fd/"fd" would refer to a file in the process calling snprintf. But data->pid refers to the process generating the fan_event, which may be the same, but generally isn't. – Mouse.The.Lucky.Dog Apr 28 '14 at 08:55
  • @MSalters both are not the same. `data->pid` is not the pid of the current process, but the pid of the process that had the file activity. – craig65535 May 14 '14 at 06:48

1 Answer


It's because data->pid is a different process with a different set of file descriptors. The data->fd returned by fanotify is valid in the current process, not the one being monitored.

craig65535
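The point made in the answer above, as an added example that is not part of the original post or of fatrace: the same descriptor number resolved through `/proc/self/fd` and through `/proc/<pid>/fd` names different files. The helper names `fd_path` and `same_number_different_file` are hypothetical, and the parent/child pair with `/dev/null` and `/dev/zero` is a constructed stand-in for the fanotify listener and the monitored process.

```c
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Resolve descriptor number fd in the table of pid (0 = calling process,
 * i.e. /proc/self as fatrace does). Returns 0 on success, -1 on error. */
static int fd_path(pid_t pid, int fd, char *out, size_t outsz) {
    char link[64];
    if (pid == 0)
        snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    else
        snprintf(link, sizeof link, "/proc/%ld/fd/%d", (long) pid, fd);
    ssize_t n = readlink(link, out, outsz - 1);
    if (n < 0) return -1;
    out[n] = '\0';                      /* readlink() does not NUL-terminate */
    return 0;
}

/* Constructed scenario: parent = fanotify listener, child = monitored process.
 * Returns 1 if the number names different files in each, 0 if not, -1 on error. */
static int same_number_different_file(char *mine, char *theirs, size_t sz) {
    int ready[2], result = -1;
    char c;
    pid_t child;
    int fd = open("/dev/null", O_RDONLY);           /* plays data->fd */
    if (fd < 0 || pipe(ready) < 0 || (child = fork()) < 0)
        return -1;
    if (child == 0) {                               /* plays data->pid */
        int other = open("/dev/zero", O_RDONLY);
        if (other < 0 || dup2(other, fd) < 0 || write(ready[1], "x", 1) != 1)
            _exit(1);
        for (;;) pause();                           /* alive until killed */
    }
    close(ready[1]);
    if (read(ready[0], &c, 1) == 1 && fd_path(0, fd, mine, sz) == 0 &&
        fd_path(child, fd, theirs, sz) == 0)
        result = strcmp(mine, theirs) != 0;
    kill(child, SIGKILL);
    waitpid(child, NULL, 0);
    close(fd); close(ready[0]);
    return result;
}

int main(void) {
    char a[256], b[256];
    return same_number_different_file(a, b, sizeof a) == 1 ? 0 : 1;
}
```

In a real fanotify listener, each `data->fd` also has to be closed once the path has been read, or the listener runs out of descriptors.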