From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wm0-f68.google.com ([74.125.82.68]:36414 "EHLO mail-wm0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750944AbcJOPXL (ORCPT ); Sat, 15 Oct 2016 11:23:11 -0400 Received: by mail-wm0-f68.google.com with SMTP id 79so2842889wmy.3 for ; Sat, 15 Oct 2016 08:23:11 -0700 (PDT) MIME-Version: 1.0 In-Reply-To: <87d1j3mj1k.fsf@drapion.f-secure.com> References: <87inswm9sg.fsf@drapion.f-secure.com> <87d1j3mj1k.fsf@drapion.f-secure.com> From: Amir Goldstein Date: Sat, 15 Oct 2016 18:23:09 +0300 Message-ID: Subject: Re: [RFC][PATCH 0/7] fanotify: add support for more events To: Marko Rauhamaa Cc: linux-fsdevel Content-Type: text/plain; charset=UTF-8 Sender: linux-fsdevel-owner@vger.kernel.org List-ID: On Fri, Oct 14, 2016 at 11:28 AM, Marko Rauhamaa wrote: > Amir Goldstein : > >> On Thu, Oct 13, 2016 at 8:35 PM, Marko Rauhamaa >>> My employer certainly is in need of monitoring a whole filesystem. We >>> have noticed that namespaces evade monitoring via FAN_MARK_MOUNT. I >>> was thinking something like a FAN_MARK_FILESYSTEM would be needed. >> >> [...] >> >> I keep hearing about people that wanted that feature, but those people will >> need to come forward and voice their use cases. > > Well, F-Secure's Linux Security product monitors files to detect > malware. Files are analyzed for viruses and unexpected modifications to > system files are flagged. > This I could have guessed :-) Let me rephrse my question - please argue why monitoring a file system instead of a mount point is important for your use case and more impotantly, please argue why you cannot achive the same result by monitoring all the relevant mount points from user space. For example, the argument I used against the legacy recursive intotify watch of all directories in the treee is the poor ability to scale well over millions of directories. > > Other fanotify deficiencies include: > > * the offending process can die without leaving a trace because > FAN_CLOSE_WRITE events do not block (instead of blocking, it would be > enough for the /proc/$PID directory to stay available while the > related fanotify fd is open) > > * the (e)uid and (e)gid of the offending process are not conveyed in > the fanotify event > > * the FAN_OPEN_PERM event does not carry the mode so write access > cannot be denied > > * there is no (PERM or non-PERM) event generated by the first > modification (FAN_MODIFY generates a flurry of events; > FAN_CLOSE_WRITE does not get generated unless the file is closed) > > I am not sure I will be able help you wrt those extra requirements. Amir.