Martin Pitt [2019-09-29 21:43 +0200]:
> I made some initial experiments with this today [1], on kernel 5.3. (Note that
> this won't eventually look like this, there needs to be a fallback for older
> kernels.) But so far this isn't encouraging -- the results for "normal"
> open/close/read/write are much worse. In particular, I get a lot of ESTALE
> event fds now that previously resolved to existing files just fine, and also
> the pid → /proc/pid/comm resolution is now much less reliable.
Note for myself: I found out the root cause. It's in the file_handle → fd
resolution in

    event_fd = open_by_handle_at(AT_FDCWD, (struct file_handle *) fid->handle, O_RDONLY);

Due to the AT_FDCWD this only works for events that are on the same file
system as the cwd of fatrace (e.g. in --current-mount mode). There is some
impedance mismatch between the fanotify FAN_EVENT_INFO_TYPE_FID API, which
only delivers the rather useless "fsid", and open_by_handle_at(), which
expects "some fd from the mount point that contains the file handle".

So in "global" (not --current-mount) mode, this could work like this: when
iterating over /proc/self/mounts while setting up fanotifys for every mount,
open the mount point as "mount_fd", statfs() it, and remember a map
fsid → mount_fd; then do lookups in print_event when it calls
open_by_handle_at(). I'll look at this at some later time.

Martin
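The fsid → mount_fd map sketched above, as an added example that is not fatrace's code: it walks /proc/self/mounts, records each mount's statfs() fsid together with an open fd of the mount point, and resolves a file handle against the matching mount fd instead of AT_FDCWD. The table type, the function names and the fixed table size are assumptions of this example; statfs's f_fsid and fanotify's __kernel_fsid_t are both two ints, so the fsid from a FAN_EVENT_INFO_TYPE_FID record can be passed as an int[2].

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <mntent.h>
#include <stdio.h>
#include <sys/statfs.h>
#include <unistd.h>
/* One entry per mount point: the fsid a FAN_EVENT_INFO_TYPE_FID record carries
 * and an fd of that mount point, usable as open_by_handle_at()'s mount_fd. */
#define MAX_MOUNTS 256   /* assumed fixed table size (example only) */
struct mount_entry { int fsid[2]; int fd; };
struct mount_table { struct mount_entry e[MAX_MOUNTS]; int n; };
/* Mount fd registered for this fsid, or -1 when none was recorded. */
int mount_table_lookup(const struct mount_table *t, const int fsid[2])
{
    for (int i = 0; i < t->n; i++)
        if (t->e[i].fsid[0] == fsid[0] && t->e[i].fsid[1] == fsid[1])
            return t->e[i].fd;
    return -1;
}
/* Walk /proc/self/mounts, open each mount point and record its fsid. Mounts
 * that cannot be opened or statfs'ed, and duplicate fsids (bind mounts of the
 * same file system), are skipped. Returns the number of entries recorded. */
int mount_table_build(struct mount_table *t)
{
    struct mntent *m;
    struct statfs st;
    FILE *f = setmntent("/proc/self/mounts", "r");
    t->n = 0;
    if (!f)
        return 0;
    while ((m = getmntent(f)) != NULL && t->n < MAX_MOUNTS) {
        int fd = open(m->mnt_dir, O_RDONLY | O_DIRECTORY | O_CLOEXEC);
        if (fd < 0)
            continue;
        if (statfs(m->mnt_dir, &st) < 0 || mount_table_lookup(t, st.f_fsid.__val) >= 0) {
            close(fd);   /* unreadable, or this file system is already in the table */
            continue;
        }
        t->e[t->n].fsid[0] = st.f_fsid.__val[0];
        t->e[t->n].fsid[1] = st.f_fsid.__val[1];
        t->e[t->n++].fd = fd;
    }
    endmntent(f);
    return t->n;
}
/* Resolve an event's handle against the mount that reported it, not AT_FDCWD;
 * returns -1 when the fsid has no registered mount (no syscall is attempted). */
int resolve_event_fd(const struct mount_table *t, const int fsid[2], struct file_handle *handle)
{
    int mount_fd = mount_table_lookup(t, fsid);
    return mount_fd < 0 ? -1 : open_by_handle_at(mount_fd, handle, O_RDONLY);
}
```

open_by_handle_at() still needs CAP_DAC_READ_SEARCH, so the resolution only works in the same privileged context that fanotify itself requires.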