On Mon, Nov 12, 2018 at 08:37:25AM -0800, Andy Lutomirski wrote: > >> OK. You should probably add to your documentation that interpreters > >> opened as a result of execve() and execveat() also set FAN_OPEN_EXEC. > > > > I'm not sure I understand your concern (and thus need for documentation). > > In the following I assume you watch the whole system for fanotify events > > (you can restrict them to specific files / mount points / superblocks > > but that's besides the point of this discussion). > > If you do: > > > > ~> /bin/echo > > > > Then you get FAN_OPEN_EXEC event for '/bin/echo' file and nothing more. > > If indeed that’s what the code does, then documenting it as such seems fine. > But, by inspection, ELF interpreters are opened with open_exec(), so they > should fire the event too. Am I wrong? No, you're not wrong. I do believe that there is no need to add a specific statement about interpreters within the documentation. -- Matthew Bobrowski
