> This is not the case with nfsd IMO. > With nfsd, when "exporting" a path to clients, nfsd is really exporting > a specific mount (and keeping that mount busy too). > It can even export whole mount topologies. > > But then again, getting the mount context in every nfsd operation > is easy, there is an export context to client requests and the export > context has the exported path. > > Therefore, nfsd is my only user using the vfs helpers that is expected > to call the fsnotify path hooks (other than syscalls). > [...] > > I've done something similar to that. I think it's a bit cleaner, > but we can debate on the details later. > Pushed POC to branch fsnotify_path_hooks. > > At the moment, create, delete, move and move_self are supported > for syscalls and helpers are ready for nfsd. > > The method I used for rename hook is a bit different than > for other hooks, because other hooks are very easy to open code > while rename is complex so I create a helper for nfsd to call. > I pushed the nfsd example code as well (only compile tested): https://github.com/amir73il/linux/commits/fsnotify_path_hooks Now all that is left is dealing with notify_change() and with vfs_{set,remove}xattr(). Nice thing about vfs_{set,remove}xattr() is that they already have several levels of __vfs_ helpers and nfsd already calls those, so we can hoist fsnotify_xattr() hooks hooks up from the __vfs_xxx helpers to the common vfs_xxx helpers and add fsnotify hooks to the very few callers of __vfs_ helpers. nfsd is consistently calling __vfs_{set,remove}xattr_locked() which do generate events, but ecryptfs mixes __vfs_setxattr_locked() with __vfs_removexattr(), which does not generate event and does not check permissions - it looks like an oversight. The thing is, right now __vfs_setxattr_noperm() generates events, but looking at all the security/* callers, it feels to me like those are very internal operations and that "noperm" should also imply "nonotify". To prove my point, all those callers call __vfs_removexattr() which does NOT generate an event. Also, I *think* the EVM setxattr is something that usually follows another file data/metadata change, so some event would have been generated by the original change anyway. Mimi, Do you have an opinion on that? The question is if you think it is important for an inotify/fanotify watcher that subscribed to IN_ATTRIB/FAN_ATTRIB events on a file to get an event when the IMA security blob changes. Thanks, Amir.
