Jan Kara <jack@xxxxxxx>:

> On Wed 15-03-17 10:19:52, Marko Rauhamaa wrote:
>> As for "who (user/process/...) did what", the fanotify API is flawed
>> in that we don't have a CLOSE_WRITE_PERM event. The hit-and-run
>> process is long gone by the time we receive the event. That's more of
>> a rule than an exception.
>
> Adding CLOSE_WRITE_PERM would not be that difficult I assume. What do you
> need it for?

Mainly to hold the process hostage until I have verified the content
change. If I disqualify the content change, I will need to report on the
process. CLOSE_WRITE only gives me a pid that is often stale as it
doesn't block the process.

(Another possibility would be to keep the process around as a zombie as
long as the CLOSE_WRITE event's file descriptor is open. That sounds
more complicated and questionable, though.)


Marko

-- 
+358 44 990 4795
Skype: marko.rauhamaa_f-secure
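
Added example, not part of the original message or of any code from this thread: a minimal notification-class fanotify listener that counts how many `FAN_CLOSE_WRITE` events carry a pid that no longer exists when the event is read, which is the stale-pid situation described above. The helper names `pid_alive` and `count_stale`, the default path `/tmp` and the mount-wide mark are assumptions; running `main` needs CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* 1 if a process with this pid exists right now, 0 if it is gone.
 * A live pid may already belong to a different, recycled process. */
int pid_alive(pid_t pid)
{
    return pid > 0 && (kill(pid, 0) == 0 || errno == EPERM);
}

/* Walk one read() worth of fanotify events and return how many
 * FAN_CLOSE_WRITE events name a pid that no longer exists. */
int count_stale(struct fanotify_event_metadata *ev, ssize_t len)
{
    int stale = 0;
    for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
        if (ev->vers != FANOTIFY_METADATA_VERSION)
            break;                      /* kernel/userspace ABI mismatch */
        if ((ev->mask & FAN_CLOSE_WRITE) && !pid_alive(ev->pid)) {
            stale++;
            fprintf(stderr, "close_write by pid %d: writer already exited\n",
                    (int)ev->pid);
        }
        if (ev->fd >= 0)
            close(ev->fd);              /* each event carries an open fd */
    }
    return stale;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp";  /* assumed default */
    /* Notification class only: the writer is never blocked. */
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0 || fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT,
                                 FAN_CLOSE_WRITE, AT_FDCWD, path) < 0) {
        perror("fanotify");
        return 1;
    }
    struct fanotify_event_metadata buf[64];
    ssize_t n;
    while ((n = read(fan, buf, sizeof buf)) > 0)
        count_stale(buf, n);
    return 0;
}
```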