On Mi, 08.04.20 20:58, Andy Pieters (systemd@xxxxxxxxxxxxxxxxx) wrote: > Hi list > > I'm trying to satisfy PCI requirements by having on-access virus > scanning on servers involved with card-holder data. > > Normally we could use clamav which has got on-access scanning, but > this has been removed > > Could we get systemd to help out by using its fanotify start a unit to > scan an object > > I'm just thinking out loud here but is it possible to have a wildcard > path unit? then drill down on the exact reason > > No I'm probably thinking about it the wrong way > > Any thoughts from the list please? So there has been a TODO list item about adding fanotify support to .path units, since fanotify can do some interesting things that inotify can't. Howevre, this is mostly the async stuff in fanotify. For the anti-virus stuff you'd need the sync stuff in fanotify, i.e. where fs access hangs until the fanotify-used program acknowledges it. I doubt this would fit into the .path unit concept, which is very asynchronous, very "coalescing" in behaviour. i.e. a mechanism where every individual request needs to be ack'ed doesn't fit into it. Behaviour like that probably would probably fit better into the .socket concept, which actually is about more than just pure sockets, it already can listen on FIFOs, msgqs, USB functions and and "special files". Maybe a ListenFileAccessNotify= could be added that does what you need. This would then mean that PID 1 would establish the fanotify watch, and wait for POLLIN on it, and as soon as that happens fork off some service and pass the fanotify fd to it. The service would have to read the event off it and acknowledge it. It could then exit after a while. Would that work for you? If so, prep a PR and submit it, would be happy to review it. Lennart -- Lennart Poettering, Berlin _______________________________________________ systemd-devel mailing list systemd-devel@xxxxxxxxxxxxxxxxxxxxx https://lists.freedesktop.org/mailman/listinfo/systemd-devel
Re: systemd && fanotify / path activation
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- Subject: Re: systemd && fanotify / path activation
- From: Lennart Poettering <lennart@xxxxxxxxxxxxxx>
- Date: Thu, 9 Apr 2020 09:16:02 +0200
- Cc: systemd Mailing List <systemd-devel@xxxxxxxxxxxxxxxxxxxxx>
- In-reply-to: <CAB2L6a8aJLMe3s5OgNCdem190NfMEZ-tcCRNYqD9BPG-TLSx8g@mail.gmail.com>
- References: <CAB2L6a8aJLMe3s5OgNCdem190NfMEZ-tcCRNYqD9BPG-TLSx8g@mail.gmail.com>
- References:
- systemd && fanotify / path activation
- From: Andy Pieters
- systemd && fanotify / path activation
- Prev by Date: Re: All non-seat0 input devices leak into VT if no display server on seat0
- Next by Date: Re: The meaning of CanMultiSession=no on non-seat0
- Previous by thread: systemd && fanotify / path activation
- Next by thread: systemd-networkd IP assignments for wla/usb devs are ignored; using same IP as local eth lan ?
- Index(es):
 |