On Fri, Jun 7, 2019 at 5:31 PM Marko Rauhamaa
<marko.rauhamaa@xxxxxxxxxxxx> wrote:
>
>
> As it stands, fanotify reports the process ID of the file that is being
> operated on:
>
> struct fanotify_event_metadata {
> __u32 event_len;
> __u8 vers;
> __u8 reserved;
> __u16 metadata_len;
> __aligned_u64 mask;
> __s32 fd;
> __s32 pid;
> };
>
> One nasty problem with this is that the process often is long gone by
> the time the notification arrives.
>
> Would it be possible to amend this format with:
>
> __s32 pidfd;
>
It's possible to report pidfd instead of pid with user opt-in
(i.e. FAN_REPORT_PIDFD)
If you want to implement this, follow the footsteps of code, test and
man page for FAN_REPORT_TID.
> It would hold the pid still for the duration of notification processing
> and allow for the fanotify monitor to safely use the pid field to
> inspect /proc/<pid>.
>
It will hold pid until someone closes pidfd.
That also needs to be documented.
> And the possibility of sending signals to the monitored process might
> come in handy as well.
>
> Thinking about this a bit more, could the fd field take on the dual role
> of allowing you to read the file in question as well as acting as a
> pidfd?
>
Please no.
Thanks,
Amir.
