On Tue 15-03-22 05:44:34, Srinivas wrote:
>
> >> With the current upstream kernel this should work to exclude events in a directory:
>
> >> fanotify_mark(fd, FAN_MARK_ADD, FAN_EVENT_ON_CHILD |
> FAN_OPEN_PERM | FAN_CLOSE_WRITE,
> AT_FDCWD, "/tmp/fio/");
> >> fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
> FAN_MARK_IGNORED_SURV_MODIFY,
> FAN_OPEN_PERM | FAN_CLOSE_WRITE,
> AT_FDCWD, "/tmp/fio/");
>
>
> This works perfectly fine on the newer kernels but does not on the older
> kernels. Is there any way we could get this working too on the old 3.x
> and 4.x kernels? (without the need for patching etc.)
No, I don't think there is a way. Combining ignore marks on directories
with mount / superblock marks was made possible only by fsnotify changes
that went into 5.9 kernel (commit 497b0c5a7c06 ("fsnotify: send event to
parent and child with single callback") in particular). Before that the
notification core did not have information from the parent directory
available when generating event for a mount mark and so ignore mask could
not be applied. So only ignore marks on individual files worked until that
moment.
Honza
> On Monday, 14 March, 2022, 02:58:30 pm IST, Amir Goldstein <amir73il@xxxxxxxxx> wrote:
> On Mon, Mar 14, 2022 at 10:47 AM Jan Kara <jack@xxxxxxx> wrote:
> >
> > On Sat 12-03-22 11:22:29, Srinivas wrote:
> > > If a process calls fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,
> > > FAN_OPEN_PERM, 0, "/mountpoint") no other directory exclusions can be
> > > applied.
> > >
> > > However a path (file) exclusion can still be applied using
> > >
> > > fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
> > > FAN_MARK_IGNORED_SURV_MODIFY, FAN_OPEN_PERM | FAN_CLOSE_WRITE, AT_FDCWD,
> > > "/tmp/fio/abc"); ===> path exclusion that works.
> > >
> > > I think the directory exclusion not working is a bug as otherwise AV
> > > solutions cant exclude directories when using FAN_MARK_MOUNT.
> > >
> > > I believe the change should be simple since we are already supporting
> > > path exclusions. So we should be able to add the same for the directory
> > > inode.
> > >
> > > 215676 – fanotify Ignoring/Excluding a Directory not working with
> > > FAN_MARK_MOUNT (kernel.org)
> >
> > Thanks for report! So I believe this should be fixed by commit 4f0b903ded
> > ("fsnotify: fix merge with parent's ignored mask") which is currently
> > sitting in my tree and will go to Linus during the merge (opening in a
> > week).
>
> Actually, in a closer look, that fix alone is not enough.
>
> With the current upstream kernel this should work to exclude events
> in a directory:
>
> fanotify_mark(fd, FAN_MARK_ADD, FAN_EVENT_ON_CHILD |
> FAN_OPEN_PERM | FAN_CLOSE_WRITE,
> AT_FDCWD, "/tmp/fio/");
> fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK |
> FAN_MARK_IGNORED_SURV_MODIFY,
> FAN_OPEN_PERM | FAN_CLOSE_WRITE,
> AT_FDCWD, "/tmp/fio/");
>
> The first call tells fanotify that the inode mark on "/tmp/foo" is
> interested in events on children (and not only on self).
> The second call sets the ignored mark for open/close events.
>
> The fix only removed the need to include the events in the
> first call.
>
> Should we also interpret FAN_EVENT_ON_CHILD correctly
> in a call to fanotify_mark() to set an ignored mask?
> Possibly. But that has not been done yet.
> I can look into that if there is interest.
> In retrospect, FAN_EVENT_ON_CHILD and FAN_ONDIR would have
> been more clear as FAN_MARK_ flags, but that's too late.
>
> Thanks,
> Amir.
>
--
Jan Kara <jack@xxxxxxxx>
SUSE Labs, CR
