On Mon, Mar 14, 2022 at 7:32 PM Srinivas <talkwithsrinivas@xxxxxxxxxxx> wrote:
>
> Thanks Amir/Jan.
> Apart from the directory exclusion I called out, I think from an anti-virus agent side, what would be good to have is the ability to add a mark for FAN_MARK_MOUNT but then additionally ignore an entire subtree of directories under the mount point. Basically express interest in everything but then ignore (trust) some root-only-writable directories etc.
> Can this be done today?
> My experiments again show that it is not. Thoughts?
>

You can do something similar with volatile exclude marks [1]
You can grab my branch for testing from [2]

What you do is create the exclude marks lazily - you get an event, see that it is under the trusted subtree and you call:

fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_CREATE | FAN_MARK_VOLATILE,
              FAN_EVENT_ON_CHILD, AT_FDCWD, "/trusted/foo/");
fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK | FAN_MARK_IGNORED_SURV_MODIFY,
              FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD, "/trusted/foo/");

Then you won't get further events until /trusted/foo is not accessed for a while and memory pressure evicts its inode, then on next access to /trusted/foo you will get an event, set the volatile ignored mask again.

Let me know if you think that is useful for AV agents and if not, please let me know why not.

Thanks,
Amir.

[1] https://lore.kernel.org/linux-fsdevel/20220307155741.1352405-1-amir73il@xxxxxxxxx/
[2] https://github.com/amir73il/linux/commits/fsnotify-volatile
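An added C example, not code from this thread or from the fsnotify-volatile branch, of the agent-side half of the lazy exclusion Amir describes: decide whether an event's path falls inside a trusted subtree (matching on a path-component boundary so "/trusted/foobar" is not mistaken for "/trusted/foo"), pick the directory to mark, and issue the two fanotify_mark calls from the mail. TRUSTED_ROOTS, under_trusted(), dir_to_exclude() and lazy_exclude() are assumed names; FAN_MARK_CREATE and FAN_MARK_VOLATILE only exist on the linked branch, so the mark calls are compiled only when the headers define them.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <libgen.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#ifdef __linux__
#include <sys/fanotify.h>
#endif

/* Constructed list of root-only-writable directories the agent trusts. */
static const char *const TRUSTED_ROOTS[] = { "/trusted/foo", "/usr/lib", NULL };

/* Returns the trusted root containing path, or NULL. The match must end on a
 * path-component boundary so "/trusted/foobar" is not treated as trusted. */
const char *under_trusted(const char *path)
{
    for (int i = 0; TRUSTED_ROOTS[i]; i++) {
        size_t n = strlen(TRUSTED_ROOTS[i]);
        if (strncmp(path, TRUSTED_ROOTS[i], n) == 0 &&
            (path[n] == '\0' || path[n] == '/'))
            return TRUSTED_ROOTS[i];
    }
    return NULL;
}

/* For the object that produced an event, writes the directory whose children
 * should be ignored from now on (its parent, or the root itself for an event
 * on the root). Returns 0 if path is trusted, -1 otherwise. */
int dir_to_exclude(const char *path, char *dir, size_t len)
{
    const char *root = under_trusted(path);
    if (!root) return -1;
    char tmp[PATH_MAX];
    snprintf(tmp, sizeof tmp, "%s", path);
    snprintf(dir, len, "%s", strcmp(path, root) == 0 ? root : dirname(tmp));
    return 0;
}

/* The two marks from the mail: a volatile mark on dir, then an ignore mask
 * that survives modify. Returns -1 on failure or without the branch's flags. */
int lazy_exclude(int fan_fd, const char *dir)
{
#if defined(FAN_MARK_CREATE) && defined(FAN_MARK_VOLATILE)
    if (fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_CREATE | FAN_MARK_VOLATILE,
                      FAN_EVENT_ON_CHILD, AT_FDCWD, dir) < 0)
        return -1;
    return fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
                         FAN_MARK_IGNORED_SURV_MODIFY,
                         FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD, dir);
#else
    (void)fan_fd; (void)dir;
    return -1; /* mainline headers lack the volatile-mark flags */
#endif
}
```

Once the marks are in place on a directory, the agent stops seeing events for that directory's children until the kernel evicts the inode and the next access surfaces one event, at which point the agent simply re-runs dir_to_exclude() and lazy_exclude().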