On Sat, 25 Jan 2025 at 02:17, Russell Coker <russell@xxxxxxxxxxxx> wrote: > What's the benefit in watching mount being separate from watching a namespace > mount? 1) fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN, AT_FDCWD, "/proc/self/ns/mnt"); This notifies on mount and unmount events in the current mount namespace. 2) fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN, AT_FDCWD, "/proc/self/ns/mnt"); This notifies on open events within the nsfs mount (proc uses a kernel private nsfs mount, so all accesses through proc will trigger this). The latter doesn't really make sense (these files are not openable), but it's doable with current kernels and events on the failed opens do get generated. So overloading FILE__WATCH_MOUNT might work, but it is also very confusing, since watching a mount namespace and watching a mount mean completely different things. Thanks, Miklos
