Stack Overflow
Stack Overflow

Questions tagged [fanotify]

fanotify is intended to provide an interface for on access file scanning and permissions gating based on the results of those scans. fanotify does not prevent, nor does it attempt to prevent, malicious code running on the Linux machine.

fanotify provides two things:

  1. A new notification system, similar to inotify, only instead of an arbitrary 'watch descriptor' which userspace has to know how to map back to an object on the filesystem, fanotify provides an open read-only fd back to the original object. It should be noted that the set of fanotify events is much smaller than the set of inotify events.

  2. An access system in which processes may be blocked until the fanotify userspace listener has decided if the operation should be allowed.

36 questions
21
votes
3 answers

How do I program for Linux's new `fanotify` file system monitoring feature?

fanotify, built on top of fsnotify, is supposed to replace inotify which replaced dnotify. Are there some good programming examples or existing utilities that use fanotify to watch for changes in a filesystem? How much detail does fanotify provide?
joeforker
  • 40,459
  • 37
  • 151
  • 246
7
votes
2 answers

Get path from file descriptor when path is longer than PATH_MAX

I receive filesystem events from fanotify. Sometimes I want to get an absolute path to a file that's being accessed. Usually, it's not a problem - fanotify_event_metadata contains a file descriptor fd, so I can call readlink on /proc/self/fd/
Nikita Kakuev
  • 1,096
  • 9
  • 13
5
votes
3 answers

Linux - fanotify, but for exec()?

Is there a facility like fanotify, but for exec() operations? Something like kauth in MacOS, but in userland. fanotify only seems to notify on (and allow/deny) file open/close/read/write. I've seen code that can notify on fork and exec by other…
craig65535
  • 3,439
  • 1
  • 23
  • 49
4
votes
1 answer

How to tell which path a fanotify event refers to

I'd like to find out which files are opened on my system in which order, in order to prefetch them from disk. It seems that fanotify should be well suited to monitor the whole system for open events. But as far as I can tell, the…
MvG
  • 57,380
  • 22
  • 148
  • 276
3
votes
1 answer

fanotify - problem with new flags introduced in Kernel 5.1

Since Kernel 5.1, new flags FAN_ATTRIB, FAN_CREATE, FAN_DELETE, FAN_DELETE_SELF, FAN_MOVED_FROM, FAN_MOVED_TO and FAN_MOVE_SELF are introduced. Unfortunately, when I use them in function fanotify_mark() I get this error: fanotify_mark: Invalid…
7eRoM
  • 443
  • 4
  • 14
3
votes
1 answer

How to find out whether CONFIG_FANOTIFY_ACCESS_PERMISSIONS is enabled?

I want to make use of fanotify(7) and the problem I run into is that on some kernels CONFIG_FANOTIFY_ACCESS_PERMISSIONS does not work, although CONFIG_FANOTIFY is configured. At the very least I'd like to report this condition. Now on Debian and…
0xC0000022L
  • 20,597
  • 9
  • 86
  • 152
3
votes
2 answers

fanotify recursivity does really works?

I'm using code like following to monitor the whole file system: fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN | FAN_EVENT_ON_CHILD, AT_FDCWD, "/" ) But I need write some tests, so, I want monitor just a…
Raydel Miranda
  • 13,825
  • 3
  • 38
  • 60
2
votes
0 answers

When use fanotify, files from deleted directory have incorrect path

When I use fanotify for listening to file changes, when I delete a folder in the root directory, the files under this folder appear with (deleted) characters, for example: /data/service/el2/100/hmdfs/account/files/Download/test (deleted)/test DELETE…
xzq
  • 21
  • 1
2
votes
1 answer

fanotify: is it possible to monitor whole filesystem and write few logs/config in monitored filesystem by same process?

My system gets hanged, if I try to log something in file by same process. Actually I wanted to monitor entire filesystem ("/") with fanotify and also want to log errors in case any in "/tmp", but it results in system hang. Please find below code: …
Swapnil hajare
  • 33
  • 5
2
votes
2 answers

Watching a directory tree without inotify

I'm trying to write a backup utility that is supposed to handle a rough 2 terabytes of data in a lot of folders. I want it to perform actions on files when they get created/edited/deleted preferably also file moves or renames. I've messed around…
blipman17
  • 523
  • 3
  • 23
2
votes
1 answer

fanotify obtaining file name, why /proc/self/fd/"data->fd"?

I'm examining the source code of the current fatrace. The main loop calling fanotify to obtain the value of data looks like: res = read (fan_fd, buffer, 4096); ... data = (struct fanotify_event_metadata *) buffer; while (FAN_EVENT_OK…
Mouse.The.Lucky.Dog
  • 735
  • 8
  • 16
2
votes
2 answers

How to detect a file has been deleted

I am writing a program to monitor the file system. But I'm not able to detect when a file is deleted. I tried monitoring with FAN_MARK_ONLYDIR flag hoping fanotify rise some event when deleting a file in a monitored dir, no results. It is even…
Raydel Miranda
  • 13,825
  • 3
  • 38
  • 60
1
vote
1 answer

Is there cheap way of retrieving EUID from PI

I've recently tried to write a program that monitors activity on filesystem. I'd like it to record action, PID, executable name and EUID. I've used fanotify for this purpose and it can retrieve everything except EUID. So far I've been able to fetch…
happylinuxuser
  • 11
  • 1
1
vote
0 answers

ndk how to use fanotify to watch /proc/pid/maps?

#include "linux/fanotify.h" // can work #include "sys/fanotify.h" // error The fanotify is a linux kernel. When I want to init fanotify to watch a file: use of undeclared identifier 'fanotify_init' It's there a way to use the fanotify lib? What…
cs x
  • 11
  • 2
1
vote
1 answer

Why the fanotify_fid Linux manpage example code fails (on open_by_handle_at())?

I'm testing fanotify, on Linux 5.4 (also tested on 5.8); for the tests, I'm using the fanotify_fid.c example in the fanotify(7) manpage. Now, the code seems to be very poor - I think there are at least a couple of bugs - but I managed to make it…
Marcus
  • 5,104
  • 2
  • 28
  • 24
1
2 3