Jan Kara <jack@xxxxxxx>:

> So fanotify is a filesystem event notification API. For filesystem,
> open and read are fundamentally different events and as such we have
> different FAN_OPEN and FAN_ACCESS events in the API. The only
> disputable events we have in the API are FAN_CLOSE_WRITE vs
> FAN_CLOSE_NOWRITE - from fs POV there's no big difference. But at
> least this is 100% reliably (unlike FMODE_EXEC) telling you whether
> the user was able to modify the file or not and it caters to one of
> the use cases this API has been created for - virus scanners, file
> caching daemons, ... - i.e., triggering specific actions based on file
> contents.

As a side note from the virus scanner point of view,
FAN_CLOSE_WRITE_PERM would be really useful because it would prevent
the hit-and-run corruption of a file. As it stands, fanotify
communicates the pid of the culprit but the process is long gone by the
time you get to analyze it...


Marko
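
The stale-pid problem described in the reply above, as an added C example that is not part of the thread or of any project's code: it walks fanotify event records and tries to identify each writer through /proc/<pid>/exe. The helper names (`verdict`, `resolve_writer`, `triage_events`, `demo`) are illustrative, and the two FAN_CLOSE_WRITE records are constructed in memory rather than read from a fanotify fd, which would need CAP_SYS_ADMIN.

```c
/* Added example: helper names are illustrative; events are constructed. */
#define _GNU_SOURCE
#include <stdio.h>
#include <sys/fanotify.h>
#include <sys/wait.h>
#include <unistd.h>

struct verdict { int close_write, writer_alive; char exe[256]; };

/* Identify the writer via /proc/<pid>/exe; 0 means the process is gone. */
static int resolve_writer(pid_t pid, char *out, size_t len) {
    char link[64];
    snprintf(link, sizeof link, "/proc/%d/exe", (int)pid);
    ssize_t n = readlink(link, out, len - 1);
    if (n >= 0) out[n] = '\0';
    return n >= 0;
}

/* Walk a buffer laid out the way read() on a fanotify fd returns it. */
static int triage_events(const void *buf, ssize_t len, struct verdict *v, int max) {
    const struct fanotify_event_metadata *m = buf;
    int n = 0;
    for (; n < max && FAN_EVENT_OK(m, len); m = FAN_EVENT_NEXT(m, len), n++) {
        if (m->vers != FANOTIFY_METADATA_VERSION) break;
        v[n].close_write = (m->mask & FAN_CLOSE_WRITE) != 0;
        v[n].writer_alive = resolve_writer(m->pid, v[n].exe, sizeof v[n].exe);
        if (m->fd >= 0) close(m->fd);  /* real events carry an open fd */
    }
    return n;
}

/* Constructed input: FAN_CLOSE_WRITE from this process, then from a reaped child. */
static int demo(struct verdict v[2]) {
    struct fanotify_event_metadata ev[2];
    pid_t child = fork();
    if (child == 0) _exit(0);
    waitpid(child, NULL, 0);
    for (int i = 0; i < 2; i++)
        ev[i] = (struct fanotify_event_metadata){
            .event_len = FAN_EVENT_METADATA_LEN, .metadata_len = FAN_EVENT_METADATA_LEN,
            .vers = FANOTIFY_METADATA_VERSION, .mask = FAN_CLOSE_WRITE,
            .fd = FAN_NOFD, .pid = i ? child : getpid() };
    return triage_events(ev, sizeof ev, v, 2);
}

int main(void) {
    struct verdict v[2];
    for (int i = 0, n = demo(v); i < n; i++)
        printf("close_write=%d writer=%s\n", v[i].close_write, v[i].writer_alive ? v[i].exe : "(gone)");
}
```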