Re: [PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify

On Tue, 2009-06-16 at 13:09 -0300, Klaus Heinrich Kiwi wrote: So fsnotify and inotify are the same in these regards. Basically a watch is really on a "directory inode + a name" it's easiest to explain what goes on in examples. -F path=/tmp/dir1/file1 so the inotify/fsnotify watch is attached to the /tmp/dir1 inode. We also maintain that what we care about is "file1" If you mv /tmp/dir1 to /tmp/dir2 the rule is deleted from the system (and an audit config change record is written in the logs) If instead you create /tmp/dir1/file1 we get a notification, update the lists with the new inode number for /tmp/dir1/file1 and at syscall exit will output a record if the /tmp/dir1/file1 was accessed. If you delete /tmp/dir1/file1 or move it to /tmp/dir1/file2 we will update the lists with the fact that there is no inode for /tmp/dir1/file1 and so when a syscall exits it will not obviously not find that it needs to output a record. So we handle add/remove/mv of the actual file of a watch as would be expected. If the file this syscall accessed was called [blah] at syscall exit we will emit a watch. If the file wasn't called [blah] we won't. The only thing interested is removing or moving the parent directory, which actually removes the whole rule never to return. -Eric