> I get that there are other use-cases that make subtree watches very
> interesting but I don't think the container use-case is a particularly
> pressing one.
>

That's what I thought.
Containers are usually "contained" by a mount and possibly by userns,
so it makes more sense and it would be more efficient to filter by
those contexts.

> > I don't like it so much myself, but I have not had any better idea how to
> > achieve that goal so far.
>
> The limitations of FAN_MARK_MOUNT as I now understand them are indeed
> unpleasant. If we could get FAN_MARK_MOUNT with the same event support
> as FAN_MARK_INODE that would be great.
> I think the delegation model that makes sense to me is to allow
> FAN_MARK_MOUNT when the caller is ns_capable(mnt->mnt_userns) and of
> course ns_capable() in the userns they called fanotify_init() in. That
> feels ok and supportable.

I present to you a demo [1][2] of FAN_MARK_MOUNT on an idmapped mount that:
1. Can subscribe and receive FAN_LINK (new) events
2. Is capable of open_by_handle() if fid is under mount root

FAN_LINK (temp name) is an event that I wanted to add anyway [3] and
AFAIK it's the only event that you really need in order to detect when
a dir was created for the use case of injecting a bind mount into a
container.

The kernel branch [1] intentionally excludes the controversial patch
that added support for userns filtered sb marks.
Therefore, trying to run the demo script as is on an idmapped mount
inside userns will auto-detect UID 0, try to set up an sb mark and fail.

Instead, the demo script should be run as follows to combine a mount
mark and recursive inode marks:

  ./test_demo.sh <idmapped-mount-path> 1

For example:

~# ./test_demo.sh /vdf 1
+ WD=/vdf
+ ID=1
...
+ inotifywatch --fanotify --recursive -w -e link --timeout -2 /vdf
Establishing watches...
...
+ mkdir -p a/dir0 a/dir1 a/dir2/subdir2
+ touch a/dir2/file2
...
[fid=ad91a2b8.81a99d43.3000081;name='dir2'] /vdf/a/dir2
[fid=ad91a2b8.81a99d43.8a;name='.'] /vdf/a/dir2/.
[fid=ad91a2b8.81a99d43.10000a6;name='.'] /vdf/a/dir2/subdir2/.
[fid=ad91a2b8.81a99d43.8a;name='file2'] /vdf/a/dir2/file2
...
total  modify  ..................................  create  link  delete  filename
1      0       0  0  0  0  0                       1       0     0       /vdf/a/dir2
1      0       0  0  0  0  0                       0       1     0       /vdf/a/dir2/.
1      0       0  0  0  0  0                       0       1     0       /vdf/a/dir2/subdir2/.
1      0       0  0  0  0  0                       0       1     0       /vdf/a/dir2/file2

Thanks,
Amir.

[1] https://github.com/amir73il/linux/commits/fanotify_link
[2] https://github.com/amir73il/inotify-tools/commits/fanotify_link
[3] https://lore.kernel.org/linux-fsdevel/CAOQ4uxhEsbfA5+sW4XPnUKgCkXtwoDA-BR3iRO34Nx5c4y7Nug@xxxxxxxxxxxxxx/
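The message above relies on two mainline fanotify mechanisms that the demo output only shows indirectly: the fid records (fsid + file handle, plus a name for the "directory fid + name" flavour) that come after each event's metadata, and resolving such a handle with open_by_handle_at() relative to the watched mount. The following is an added example and is not code from the email, from the fanotify_link branches, or from inotify-tools. It uses only upstream flags (FAN_REPORT_DFID_NAME and FAN_CREATE on an inode mark, not the proposed FAN_LINK), parses the FAN_EVENT_INFO_TYPE_DFID_NAME record from the raw bytes with a bounds-checked decoder, and resolves the parent directory handle against the directory fd it marked. The constructed `sample_record` byte array, the `%08x.%08x.<hex handle>` rendering and the function names are my own and are not the demo's encoding; the sample assumes a little-endian host.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Fallbacks for older headers; values as in linux/fanotify.h */
#ifndef FAN_REPORT_DFID_NAME
#define FAN_REPORT_DIR_FID   0x00000400
#define FAN_REPORT_NAME      0x00000800
#define FAN_REPORT_DFID_NAME (FAN_REPORT_DIR_FID | FAN_REPORT_NAME)
#endif
#ifndef FAN_EVENT_INFO_TYPE_DFID_NAME
#define FAN_EVENT_INFO_TYPE_DFID_NAME 2
#endif
#ifndef FAN_CREATE
#define FAN_CREATE 0x00000100
#endif
#ifndef FAN_ONDIR
#define FAN_ONDIR 0x40000000
#endif

#define MAX_HANDLE 128
#define MAX_NAME   256

struct fid_info {
    uint8_t  info_type;            /* FAN_EVENT_INFO_TYPE_* */
    uint32_t fsid[2];              /* __kernel_fsid_t as two words */
    uint32_t handle_bytes;
    int32_t  handle_type;
    unsigned char handle[MAX_HANDLE];
    char name[MAX_NAME];           /* empty unless the record carries a name */
};

/* Decode one fanotify_event_info_fid record laid out as:
 * hdr{u8 type,u8 pad,u16 len} | fsid[2] | file_handle{u32 bytes,i32 type,f_handle[]} | name\0 (DFID_NAME only)
 * Returns the record length (hdr.len) or -1 if the record is truncated or malformed. */
int parse_fid_record(const unsigned char *buf, size_t len, struct fid_info *out)
{
    uint16_t rec_len;
    size_t off = 20;               /* hdr(4) + fsid(8) + handle_bytes(4) + handle_type(4) */
    if (len < off) return -1;
    out->info_type = buf[0];
    memcpy(&rec_len, buf + 2, 2);
    if (rec_len < off || rec_len > len) return -1;      /* never trust hdr.len beyond the buffer */
    memcpy(out->fsid, buf + 4, 8);
    memcpy(&out->handle_bytes, buf + 12, 4);
    memcpy(&out->handle_type, buf + 16, 4);
    if (out->handle_bytes > MAX_HANDLE || off + out->handle_bytes > rec_len) return -1;
    memcpy(out->handle, buf + off, out->handle_bytes);
    off += out->handle_bytes;
    out->name[0] = '\0';
    if (out->info_type == FAN_EVENT_INFO_TYPE_DFID_NAME) {
        /* name must be NUL-terminated inside the record, not merely inside the read buffer */
        size_t n = strnlen((const char *)buf + off, rec_len - off);
        if (n == rec_len - off || n >= MAX_NAME) return -1;
        memcpy(out->name, buf + off, n + 1);
    }
    return rec_len;
}

/* "fsid0.fsid1.handlehex"; my rendering, not the demo's fid= encoding */
size_t fid_to_string(const struct fid_info *f, char *dst, size_t dstlen)
{
    size_t n = snprintf(dst, dstlen, "%08x.%08x.", f->fsid[0], f->fsid[1]);
    for (uint32_t i = 0; i < f->handle_bytes && n + 2 < dstlen; i++)
        n += snprintf(dst + n, dstlen - n, "%02x", f->handle[i]);
    return n;
}

/* Resolve the handle relative to dir_fd (the marked directory). Needs CAP_DAC_READ_SEARCH;
 * the kernel refuses (ESTALE) when the object is not under the mount that dir_fd belongs to. */
int open_fid(int dir_fd, const struct fid_info *f)
{
    struct file_handle *fh = malloc(sizeof(*fh) + f->handle_bytes);
    if (!fh) return -1;
    fh->handle_bytes = f->handle_bytes;
    fh->handle_type = f->handle_type;
    memcpy(fh->f_handle, f->handle, f->handle_bytes);
    int fd = open_by_handle_at(dir_fd, fh, O_RDONLY | O_PATH);
    int saved = errno;
    free(fh);
    errno = saved;
    return fd;
}

/* Constructed sample: DFID_NAME record, fsid ad91a2b8.81a99d43, 8-byte type-1 handle, name "dir2",
 * padded to 36 bytes. Little-endian byte order assumed. Not captured from a real kernel. */
const unsigned char sample_record[36] = {
    2, 0, 36, 0,                        /* info_type=DFID_NAME, pad, len=36 */
    0xb8, 0xa2, 0x91, 0xad, 0x43, 0x9d, 0xa9, 0x81,   /* fsid */
    8, 0, 0, 0,  1, 0, 0, 0,            /* handle_bytes=8, handle_type=1 */
    0x8a, 0, 0, 0, 0, 0, 0, 0,          /* f_handle */
    'd', 'i', 'r', '2', 0,  0, 0, 0     /* name + alignment padding */
};

int main(int argc, char **argv)
{
    if (argc < 2) { fprintf(stderr, "usage: %s <dir>\n", argv[0]); return 2; }
    int dir_fd = open(argv[1], O_RDONLY | O_DIRECTORY);
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_REPORT_DFID_NAME, O_RDONLY);
    if (dir_fd < 0 || fan < 0) { perror("init"); return 1; }
    /* Inode mark on one directory: FAN_CREATE for a child arrives as parent dir fid + child name */
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_CREATE | FAN_ONDIR, dir_fd, NULL) < 0) {
        perror("fanotify_mark"); return 1;
    }
    unsigned char buf[8192];
    for (;;) {
        ssize_t n = read(fan, buf, sizeof buf);
        if (n <= 0) break;
        for (struct fanotify_event_metadata *m = (void *)buf; FAN_EVENT_OK(m, n); m = FAN_EVENT_NEXT(m, n)) {
            const unsigned char *p = (const unsigned char *)m + m->metadata_len;
            size_t rest = m->event_len - m->metadata_len;
            struct fid_info f; int r;
            while (rest > 0 && (r = parse_fid_record(p, rest, &f)) > 0) {
                char s[512]; fid_to_string(&f, s, sizeof s);
                int fd = open_fid(dir_fd, &f);
                printf("mask=%llx fid=%s name='%s' resolve=%s\n", (unsigned long long)m->mask,
                       s, f.name, fd >= 0 ? "ok" : strerror(errno));
                if (fd >= 0) close(fd);
                p += r; rest -= r;
            }
        }
    }
    return 0;
}
```

Run it as root on a directory, then create entries inside it; each line shows the parent's fid and the new name, and whether the handle resolved. The decoder deliberately bounds every field by hdr.len rather than by the read() length, because a mark on an untrusted filesystem hands you kernel-produced records that still must not be trusted to be well-formed once you copy them around in user space.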