On Tue 13-11-18 22:45:28, Matthew Bobrowski wrote:
> On Mon, Nov 12, 2018 at 08:37:25AM -0800, Andy Lutomirski wrote:
> > >> OK. You should probably add to your documentation that interpreters
> > >> opened as a result of execve() and execveat() also set FAN_OPEN_EXEC.
> > >
> > > I'm not sure I understand your concern (and thus need for documentation).
> > > In the following I assume you watch the whole system for fanotify events
> > > (you can restrict them to specific files / mount points / superblocks
> > > but that's besides the point of this discussion).
> > > If you do:
> > >
> > > ~> /bin/echo
> > >
> > > Then you get FAN_OPEN_EXEC event for '/bin/echo' file and nothing more.
> >
> > If indeed that’s what the code does, then documenting it as such seems fine.
> > But, by inspection, ELF interpreters are opened with open_exec(), so they
> > should fire the event too. Am I wrong?
>
> No, you're not wrong.
>
> I do believe that there is no need to add a specific statement about
> interpreters within the documentation.

So I think what Andy means is that if I watch / for FAN_OPEN_EXEC, then
people may not immediately realize that if they do /bin/echo, they'll
actually get events for

/bin/echo
/lib64/ld-2.22.so

At least I didn't immediately realize that (and just compiled test kernel
with your patches to verify). So I think this clarification would be worth
it as a note in the manpage. Changelog can IMO stay as is.

								Honza
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR