On Thu, Jan 16, 2025 at 8:42 AM Amir Goldstein <amir73il@xxxxxxxxx> wrote: > > On Thu, Jan 16, 2025 at 12:46 PM Jan Kara <jack@xxxxxxx> wrote: > > > > Hi! > > > > On Tue 14-01-25 11:41:06, Song Liu via Lsf-pc wrote: > > > At LSF/MM/BPF 2025, I would like to continue the discussion on enabling > > > in-kernel fanotify filter, with kernel modules or BPF programs.There are a > > > few rounds of RFC/PATCH for this work:[1][2][3]. > > > > > > =============== Motivation ================= > > > > > > Currently, fanotify sends all events to user space, which is expensive. If the > > > in-kernel filter can handle some events, it will be a clear win. > > > > > > Tracing and LSM BPF programs are always global. For systems that use > > > different rules on different files/directories, the complexity and overhead > > > of these tracing/LSM programs may grow linearly with the number of > > > rules. fanotify, on the other hand, only enters the actual handlers for > > > matching fanotify marks. Therefore, fanotify-bpf has the potential to be a > > > more scalable alternative to tracing/LSM BPF programs. > > > > > > Monitoring of a sub-tree in the VFS has been a challenge for both fanotify > > > [4] and BPF LSM [5]. One of the key motivations of this work is to provide a > > > more efficient solution for sub-tree monitoring. > > > > > > > > > =============== Challenge ================= > > > > > > The latest proposal for sub-tree monitoring is to have a per filesystem > > > fanotify mark and use the filter function (in a kernel module or a BPF > > > program) to filter events for the target sub-tree. This approach is not > > > scalable for multiple rules within the same file system, and thus has > > > little benefit over existing tracing/LSM BPF programs. A better approach > > > would be use per directory fanotify marks. However, it is not yet clear > > > how to manage these marks. A naive approach for this is to employ > > > some directory walking mechanism to populate the marks to all sub > > > directories in the sub-tree at the beginning; and then on mkdir, the > > > child directory needs to inherit marks from the parent directory. I hope > > > we can discuss the best solution for this in LSF/MM/BPF. > > > > Obviously, I'm interested in this :). We'll see how many people are > > interested in this topic but I'll be happy to discuss this also in some > > break / over beer in a small circle. > > Yeh, count me in :) I am also interested in this topic, especially how we can better handle fanotify for network fs (or perhaps cluster fs as well) that already support notify at the protocol level. I had added fs specific ioctls for allowing apps to be notified about remote changes (SMB3.1.1 change notify e.g.) but was interested in how to make it easier to wait on changes (e.g. to make it possible for fanotify/inotify to work for network fs) -- Thanks, Steve
