On Tue, Nov 13, 2018 at 06:35:03PM +0100, Jan Kara wrote:
> > > >> OK. You should probably add to your documentation that interpreters
> > > >> opened as a result of execve() and execveat() also set FAN_OPEN_EXEC.
> > > >
> > > > I'm not sure I understand your concern (and thus need for documentation).
> > > > In the following I assume you watch the whole system for fanotify events
> > > > (you can restrict them to specific files / mount points / superblocks
> > > > but that's besides the point of this discussion).
> > > > If you do:
> > > >
> > > > ~> /bin/echo
> > > >
> > > > Then you get FAN_OPEN_EXEC event for '/bin/echo' file and nothing more.
> > >
> > > If indeed that’s what the code does, then documenting it as such seems fine.
> > > But, by inspection, ELF interpreters are opened with open_exec(), so they
> > > should fire the event too. Am I wrong?
> >
> > No, you're not wrong.
> >
> > I do believe that there is no need to add a specific statement about
> > interpreters within the documentation.
>
> So I think what Andy means is that if I watch / for FAN_OPEN_EXEC, then
> people may not immediately realize that if they do /bin/echo, they'll
> actually get events for
>
> /bin/echo
> /lib64/ld-2.22.so
>
> At least I didn't immediately realize that (and just compiled test kernel
> with your patches to verify). So I think this clarification would be worth
> it as a note in the manpage. Changelog can IMO stay as is.

OK, sure, I will add it.

-- 
Matthew Bobrowski
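
The behaviour discussed in this thread, as an added example that is not part of the original message or the patch series: a minimal fanotify listener in C that marks the mount containing / for FAN_OPEN_EXEC and prints the path behind each event, so that running /bin/echo shows both the binary and its ELF interpreter. The function name report_exec_events is hypothetical, and the program assumes CAP_SYS_ADMIN and a kernel that includes FAN_OPEN_EXEC.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>
#ifndef FAN_OPEN_EXEC            /* older userspace headers; value from linux/fanotify.h */
#define FAN_OPEN_EXEC 0x00001000
#endif

/* Walk one read() worth of events (hypothetical helper, not from the patches).
 * Prints the path behind each FAN_OPEN_EXEC event, closes the event fds, and
 * returns the number of exec events, or -1 on a metadata version mismatch. */
int report_exec_events(const char *buf, ssize_t len)
{
    const struct fanotify_event_metadata *ev = (const void *)buf;
    int n = 0;
    for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION)
            return -1;
        if (ev->mask & FAN_OPEN_EXEC) {
            char link[64], path[PATH_MAX] = "?";
            snprintf(link, sizeof link, "/proc/self/fd/%d", ev->fd);
            ssize_t r = ev->fd >= 0 ? readlink(link, path, sizeof path - 1) : -1;
            if (r >= 0) path[r] = '\0';
            printf("FAN_OPEN_EXEC pid=%d %s\n", (int)ev->pid, path);
            n++;
        }
        if (ev->fd >= 0)
            close(ev->fd);
    }
    return n;
}

/* Needs CAP_SYS_ADMIN; the mark fails on kernels without FAN_OPEN_EXEC. */
int main(void)
{
    char buf[8192] __attribute__((aligned(8)));
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                                 FAN_OPEN_EXEC, AT_FDCWD, "/") < 0) {
        perror("fanotify");
        return 1;
    }
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0 || report_exec_events(buf, len) < 0)
            break;
    }
    return 0;
}
```

A consumer that counts or alerts on FAN_OPEN_EXEC events should expect the interpreter path to appear alongside every dynamically linked binary, and filter or correlate by pid accordingly.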