[PATCH 13/17] watch_queue: Implement mount topology and attribute change notifications [ver #5]
Ian Kent
raven at themaw.net
Sun Jun 14 03:07:42 UTC 2020
On Thu, 2020-04-02 at 17:19 +0200, Miklos Szeredi wrote:
>
> > Firstly, a watch queue needs to be created:
> >
> > pipe2(fds, O_NOTIFICATION_PIPE);
> > ioctl(fds[1], IOC_WATCH_QUEUE_SET_SIZE, 256);
> >
> > then a notification can be set up to report notifications via that
> > queue:
> >
> > struct watch_notification_filter filter = {
> > .nr_filters = 1,
> > .filters = {
> > [0] = {
> > .type = WATCH_TYPE_MOUNT_NOTIFY,
> > .subtype_filter[0] = UINT_MAX,
> > },
> > },
> > };
> > ioctl(fds[1], IOC_WATCH_QUEUE_SET_FILTER, &filter);
> > watch_mount(AT_FDCWD, "/", 0, fds[1], 0x02);
> >
> > In this case, it would let me monitor the mount topology subtree
> > rooted at
> > "/" for events. Mount notifications propagate up the tree towards
> > the
> > root, so a watch will catch all of the events happening in the
> > subtree
> > rooted at the watch.
>
> Does it make sense to watch a single mount? A set of mounts? A
> subtree with an exclusion list (subtrees, types, ???)?
Yes, filtering, perhaps, I'm not sure a single mount is useful
as changes generally need to be monitored for a set of mounts.
Monitoring a subtree is obviously possible because the monitor
path doesn't need to be "/".
Or am I misunderstanding what your trying to get at.
The notion of filtering types and other things is interesting
but what I've seen that doesn't fit in the current implementation
so far probably isn't appropriate for kernel implementation.
There's a special case of acquiring a list of mounts where the
path is not a mount point itself but you need all mount below
that path prefix.
In this case you get all mounts, including the mounts of the mount
containing the path, so you still need to traverse the list to match
the prefix and that can easily mean the whole list of mounts in the
system.
Point is it leads to multiple traversals of a larger than needed list
of mounts, one to get the list of mounts to check, and one to filter
on the prefix.
I've seen this use case with fsinfo() and that's where it's needed
although it may be useful to carry it through to notifications as
well.
While this sounds like it isn't such a big deal it can sometimes
make a considerable difference to the number of mounts you need
to traverse when there are a large number of mounts in the system.
I didn't consider it appropriate for kernel implementation but
since you asked here it is. OTOH were checking for connectedness
in fsinfo() anyway so maybe this is something that could be done
without undue overhead.
But that's all I've seen so far.
Ian
More information about the Linux-security-module-archive
mailing list