On Thu, May 23, 2019 at 5:40 PM Jan Kara <jack@xxxxxxx> wrote:
>
> On Thu 23-05-19 15:35:18, Christian Brauner wrote:
> > So let's say the user tells me:
> > - When the "/A/B/C/target" file appears on the host filesystem,
> >   please give me access to "target" in the container at a path I tell
> >   you.
> > What I do right now is listen for the creation of the "target" file.
> > But at the time the user gives me instructions to listen for
> > "/A/B/C/target" only /A might exist and so I currently add a watch on A/
> > and then wait for the creation of B/, then wait for the creation of C/
> > and finally for the creation of "target" (Of course, I also need to
> > handle B/ and C/ being removed again and recreated and so on.). It would
> > be helpful, if I could specify, give me notifications, recursively for
> > e.g. A/ without me having to place extra watches on B/ and C/ when they
> > appear. Maybe that's out of scope...
>
> I see. But this is going to be painful whatever you do. Consider for
> example situation like:
>
> mkdir -p BAR/B/C/
> touch BAR/B/C/target
> mv BAR A
>
> Or even situation where several renames race so that the end result creates
> the name (or does not create it depending on how renames race). And by the
> time you decide A/B/C/target exists, it doesn't need to exist anymore.
> Honestly I don't see how you want to implement *any* solution in a sane
> way. About the most reliable+simple would seem to be stat "A/B/C/target"
> once per second as dumb as it is.
>

Just wanted to point out that while looking at possible solutions for
"path based rules" for fanotify (i.e. subtree filter) I realized that the
audit subsystem already has a quite sophisticated mechanism to maintain
and enforce path based filesystem rules.

I do not love that code at all, I can hardly follow it, but if someone
would have wanted a way to be notified when an object of a given path
name appears or disappears from the namespace, it seems like something
in the kernel is already going to a great deal of effort to do that
already. Or maybe I am misunderstanding what this code does.

Thanks,
Amir.
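The rename sequence quoted above, replayed in a scratch directory as an added example (not code from the thread or from any participant; Linux only). The names `walk_components` and `demo` are hypothetical, and pinning the result with an `O_PATH` descriptor is a technique chosen for this illustration, not something proposed in the thread. It shows that a single `mv` makes every component appear at once, so the path has to be re-walked from the root on each check, and that the name can vanish again while a held descriptor still refers to the same inode.

```python
import os
import tempfile

# O_NOFOLLOW: a symlink planted as a component ends the walk instead of
# redirecting it outside the tree being watched.
FLAGS = os.O_PATH | os.O_NOFOLLOW | os.O_CLOEXEC

def walk_components(root_fd, relpath):
    """Walk relpath below root_fd one component at a time.

    Returns (fd, missing): fd pins the deepest component that exists right
    now, missing lists the components still to appear. Caller closes fd.
    """
    parts = [p for p in relpath.split("/") if p]
    cur = os.dup(root_fd)
    for i, name in enumerate(parts):
        try:
            nxt = os.open(name, FLAGS, dir_fd=cur)
        except (FileNotFoundError, NotADirectoryError):
            return cur, parts[i:]
        os.close(cur)
        cur = nxt
    return cur, []

def demo():
    """Replay mkdir -p / touch / mv from the thread (constructed scratch tree)."""
    out = {}
    with tempfile.TemporaryDirectory() as top:
        root = os.open(top, os.O_PATH | os.O_DIRECTORY)
        fd, out["before"] = walk_components(root, "A/B/C/target")
        os.close(fd)
        os.makedirs(os.path.join(top, "BAR/B/C"))
        open(os.path.join(top, "BAR/B/C/target"), "w").close()
        os.rename(os.path.join(top, "BAR"), os.path.join(top, "A"))
        # One rename created A, B, C and target in the namespace together.
        fd, out["after_mv"] = walk_components(root, "A/B/C/target")
        ino = os.fstat(fd).st_ino
        # The name disappears again; the pinned descriptor is unaffected.
        os.rename(os.path.join(top, "A"), os.path.join(top, "GONE"))
        out["pinned_same_inode"] = os.fstat(fd).st_ino == ino
        os.close(fd)
        fd, out["after_rename_away"] = walk_components(root, "A/B/C/target")
        os.close(fd)
        os.close(root)
    return out

if __name__ == "__main__":
    print(demo())
```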