> > Now tested FAN_MARK_FILESYSTEM watch on tmpfs mounted
> > inside userns and works fine, with two wrinkles I needed to iron:
> >
> > 1. FAN_REPORT_FID not supported on tmpfs because tmpfs has
> > zero f_fsid (easy to fix)
> > 2. open_by_handle_at() is not userns aware (can relax for
> > FS_USERNS_MOUNT fs)
> >
> > Pushed these two fixes to branch fanotify_userns.
>
> Pushed another fix to mnt refcount bug in WIP and another commit to
> add the last piece that could make fanotify usable for systemd-homed
> setup - a filesystem watch filtered by mnt_userns (not tested yet).
>

Now I used mount-idmapped (from xfstest) to test that last piece.
Found a minor bug and pushed a fix.

It is working as expected, that is filtering only the events generated
via the idmapped mount.

However, because the listener I tested is capable in the mapped userns
and not in the sb userns, the listener cannot open_by_handle_at(),
so the result is not as useful as one might hope.

I guess we will also need to make open_by_handle_at() idmapped aware
and use a variant of vfs_dentry_acceptable() that validates that
the opened path is legitimately accessible via the idmapped mount.

I think I will leave this complexity to you should you think
the userns filtered watch is something worth the effort.

Thanks,
Amir.
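As an added example (not code from this thread or from the fanotify_userns branch), the listener side of the two points discussed above: parsing the FID info record that a FAN_REPORT_FID filesystem watch delivers, and resolving it with open_by_handle_at(), which is where a listener that is capable only in the mapped userns currently gets EPERM. The sample event builder, its fsid and handle bytes, and the helper names are constructed for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <sys/fanotify.h>

/* Return the struct file_handle embedded in the event's FID info record,
 * or NULL if the record is absent or truncated; copies the fsid out. */
static const struct file_handle *
fid_handle(const struct fanotify_event_metadata *ev, __kernel_fsid_t *fsid)
{
    const char *p = (const char *)ev + ev->metadata_len;
    const char *end = (const char *)ev + ev->event_len;
    while (p + sizeof(struct fanotify_event_info_header) <= end) {
        const struct fanotify_event_info_fid *f = (const void *)p;
        if (f->hdr.len < sizeof f->hdr || p + f->hdr.len > end)
            return NULL;                         /* malformed record */
        if (f->hdr.info_type == FAN_EVENT_INFO_TYPE_FID) {
            *fsid = f->fsid;
            return (const struct file_handle *)f->handle;
        }
        p += f->hdr.len;
    }
    return NULL;
}

/* Resolve a handle to an O_PATH fd, or -errno. A listener capable only in
 * a mapped userns (the situation in the mail) gets -EPERM here today. */
static int fid_open(int mount_fd, const struct file_handle *fh)
{
    int fd = open_by_handle_at(mount_fd, (struct file_handle *)fh, O_PATH);
    return fd < 0 ? -errno : fd;
}

/* Constructed 52-byte event (header + one FID record with an 8-byte handle)
 * so the parser can be checked without CAP_SYS_ADMIN; returns handle_bytes. */
static int sample_handle_bytes(void)
{
    static unsigned char buf[64] __attribute__((aligned(8)));
    struct fanotify_event_metadata *ev = (void *)buf;
    struct fanotify_event_info_fid *f = (void *)(buf + sizeof *ev);
    struct file_handle *fh = (void *)f->handle;
    __kernel_fsid_t out;
    ev->metadata_len = sizeof *ev; ev->event_len = sizeof *ev + sizeof *f + sizeof *fh + 8;
    f->hdr.info_type = FAN_EVENT_INFO_TYPE_FID; f->hdr.len = sizeof *f + sizeof *fh + 8;
    f->fsid.val[0] = 0x1234; fh->handle_bytes = 8;   /* constructed values */
    memcpy(fh->f_handle, "ABCDEFGH", 8);
    const struct file_handle *got = fid_handle(ev, &out);
    return got && out.val[0] == 0x1234 ? (int)got->handle_bytes : -1;
}
```

The other wrinkle from the mail shows up earlier, at mark time: fanotify_mark() with FAN_REPORT_FID fails with ENODEV on a filesystem whose fsid is zero, which is the tmpfs case the fix addresses.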