[PATCH v4 2/4] fanotify: notify on mount attach and detach

Miklos Szeredi miklos at szeredi.hu
Tue Jan 28 12:42:43 UTC 2025


On Sat, 25 Jan 2025 at 02:17, Russell Coker <russell at coker.com.au> wrote:

> What's the benefit in watching mount being separate from watching a namespace
> mount?

1)
fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MNTNS,
              FAN_MNT_ATTACH | FAN_MNT_DETACH, AT_FDCWD, "/proc/self/ns/mnt");

This notifies on mount and unmount events in the current mount namespace.

2)
fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN,
              AT_FDCWD, "/proc/self/ns/mnt");

This notifies on open events within the nsfs mount (proc uses a kernel
private nsfs mount, so all accesses through proc will trigger this).

The latter doesn't really make sense (these files are not openable),
but it's doable with current kernels and events on the failed opens do
get generated.

So overloading FILE__WATCH_MOUNT might work, but it is also very
confusing, since watching a mount namespace and watching a mount mean
completely different things.

Thanks,
Miklos
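The two marks contrasted above, written out as an added example; this is not code from the patch series or from the e-mail. It assumes the Linux 6.14 UAPI names FAN_REPORT_MNT, FAN_MARK_MNTNS, FAN_MNT_ATTACH, FAN_MNT_DETACH and FAN_EVENT_INFO_TYPE_MNT (fallback values given for older headers), and that FAN_MNT_ATTACH/FAN_MNT_DETACH events carry one FAN_EVENT_INFO_TYPE_MNT info record holding the mount ID. The types mnt_info_rec, mnt_event and watch, the functions, and the consistency precheck (mount-namespace marks take only attach/detach events and need FAN_REPORT_MNT; other mark types never take them, stated here as an assumption about what the kernel rejects) are the example's own. The event buffer built by build_mnt_event is a constructed sample so the parser can be exercised without a 6.14 kernel or CAP_SYS_ADMIN; main() does the real thing.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>

/* Linux 6.14 UAPI values; fallbacks for headers that predate them (assumption). */
#ifndef FAN_REPORT_MNT
#define FAN_REPORT_MNT          0x00004000
#endif
#ifndef FAN_MARK_MNTNS
#define FAN_MARK_MNTNS          0x00000110
#endif
#ifndef FAN_MNT_ATTACH
#define FAN_MNT_ATTACH          0x01000000
#endif
#ifndef FAN_MNT_DETACH
#define FAN_MNT_DETACH          0x02000000
#endif
#ifndef FAN_EVENT_INFO_TYPE_MNT
#define FAN_EVENT_INFO_TYPE_MNT 7
#endif

/* Same layout as the kernel's fanotify_event_info_mnt (header + __u64 mnt_id),
 * under a private name so it compiles against older headers. Example's own. */
struct mnt_info_rec {
	struct fanotify_event_info_header hdr;
	uint64_t mnt_id;
};

struct mnt_event {
	int attach;        /* 1 = FAN_MNT_ATTACH, 0 = FAN_MNT_DETACH */
	int32_t pid;
	uint64_t mnt_id;
};

/* Watch specification: fanotify_init() flags plus fanotify_mark() arguments. */
struct watch {
	unsigned int init_flags;
	unsigned int mark_flags;
	uint64_t mask;
	const char *path;
};

/* 1) in the mail: attach/detach events in the caller's mount namespace. */
struct watch mntns_watch(void)
{
	struct watch w = { FAN_CLASS_NOTIF | FAN_REPORT_MNT,
			   FAN_MARK_ADD | FAN_MARK_MNTNS,
			   FAN_MNT_ATTACH | FAN_MNT_DETACH, "/proc/self/ns/mnt" };
	return w;
}

/* 2) in the mail: open events on the (nsfs) mount that holds the ns file. */
struct watch mount_watch(void)
{
	struct watch w = { FAN_CLASS_NOTIF, FAN_MARK_ADD | FAN_MARK_MOUNT,
			   FAN_OPEN, "/proc/self/ns/mnt" };
	return w;
}

/* Userspace precheck (assumption: the kernel returns EINVAL for the rest):
 * an MNTNS mark carries only attach/detach events and needs FAN_REPORT_MNT;
 * mount, filesystem and inode marks never carry attach/detach events. */
int watch_is_consistent(const struct watch *w)
{
	unsigned int type = w->mark_flags & (FAN_MARK_MOUNT | FAN_MARK_FILESYSTEM | FAN_MARK_MNTNS);
	uint64_t mnt_events = FAN_MNT_ATTACH | FAN_MNT_DETACH;

	if (type == FAN_MARK_MNTNS)
		return (w->init_flags & FAN_REPORT_MNT) && w->mask && !(w->mask & ~mnt_events);
	return !(w->mask & mnt_events);
}

/* Lay out one event record as the kernel does: metadata, then the MNT info
 * record. Constructed sample for offline use; returns bytes written or 0. */
size_t build_mnt_event(void *buf, size_t cap, uint64_t mask, int32_t pid, uint64_t mnt_id)
{
	struct fanotify_event_metadata md;
	struct mnt_info_rec info;
	size_t total = sizeof(md) + sizeof(info);

	if (cap < total)
		return 0;
	memset(&md, 0, sizeof(md));
	md.event_len = (uint32_t)total;
	md.vers = FANOTIFY_METADATA_VERSION;
	md.metadata_len = sizeof(md);
	md.mask = mask;
	md.fd = FAN_NOFD;          /* attach/detach events carry no file descriptor */
	md.pid = pid;
	memset(&info, 0, sizeof(info));
	info.hdr.info_type = FAN_EVENT_INFO_TYPE_MNT;
	info.hdr.len = sizeof(info);
	info.mnt_id = mnt_id;
	memcpy(buf, &md, sizeof(md));
	memcpy((char *)buf + sizeof(md), &info, sizeof(info));
	return total;
}

/* Walk a read() buffer; collect attach/detach events with their mnt_id,
 * skipping anything else. Bounds-checks every length field before use. */
size_t parse_mnt_events(const void *buf, size_t len, struct mnt_event *out, size_t max)
{
	const struct fanotify_event_metadata *md = buf;
	size_t n = 0;

	while (FAN_EVENT_OK(md, len) && n < max) {
		if (md->vers != FANOTIFY_METADATA_VERSION)
			break;
		if (md->mask & (FAN_MNT_ATTACH | FAN_MNT_DETACH)) {
			const char *p = (const char *)md + md->metadata_len;
			const char *end = (const char *)md + md->event_len;

			while (p + sizeof(struct fanotify_event_info_header) <= end) {
				const struct fanotify_event_info_header *h = (const void *)p;

				if (h->len < sizeof(*h) || (size_t)(end - p) < h->len)
					break;
				if (h->info_type == FAN_EVENT_INFO_TYPE_MNT &&
				    h->len >= sizeof(struct mnt_info_rec)) {
					const struct mnt_info_rec *m = (const void *)p;
					out[n].attach = !!(md->mask & FAN_MNT_ATTACH);
					out[n].pid = md->pid;
					out[n].mnt_id = m->mnt_id;
					n++;
					break;
				}
				p += h->len;
			}
		}
		len -= md->event_len;
		md = (const struct fanotify_event_metadata *)((const char *)md + md->event_len);
	}
	return n;
}

int main(void)
{
	struct watch w = mntns_watch();
	uint64_t buf[512];   /* 8-byte aligned read buffer */
	struct mnt_event ev[64];
	int fd;

	if (!watch_is_consistent(&w))
		return 1;
	fd = fanotify_init(w.init_flags, O_RDONLY);
	if (fd < 0) {
		perror("fanotify_init (needs CAP_SYS_ADMIN; FAN_REPORT_MNT needs Linux 6.14+)");
		return 1;
	}
	if (fanotify_mark(fd, w.mark_flags, w.mask, AT_FDCWD, w.path) < 0) {
		perror("fanotify_mark");
		return 1;
	}
	for (;;) {
		ssize_t got = read(fd, buf, sizeof(buf));
		if (got < 0 && errno == EINTR)
			continue;
		if (got <= 0)
			break;
		size_t cnt = parse_mnt_events(buf, (size_t)got, ev, 64);
		for (size_t i = 0; i < cnt; i++)
			printf("%s mnt_id=%llu pid=%d\n", ev[i].attach ? "attach" : "detach",
			       (unsigned long long)ev[i].mnt_id, (int)ev[i].pid);
	}
	close(fd);
	return 0;
}
```

Running the binary as root on a 6.14 kernel and then mounting or unmounting anything in the same mount namespace prints one line per attach/detach; swapping mntns_watch() for mount_watch() turns it into the open-event watch on the nsfs mount from 2), which the precheck still accepts because FAN_OPEN is a valid mask for a mount mark.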



More information about the Linux-security-module-archive mailing list