Re: [PATCH v3 fanotify 2/2] samples/fanotify: Add a sample fanotify fiter
From: Song Liu <hidden>
Date: 2024-11-24 18:59:45
Also in:
bpf, linux-fsdevel, lkml
On Nov 23, 2024, at 9:07 PM, Amir Goldstein [off-list ref] wrote:
On Sat, Nov 23, 2024 at 12:00 AM Song Liu [off-list ref] wrote:
[...]
+} + +static void sample_filter_free(struct fanotify_filter_hook *filter_hook) +{ + struct fan_filter_sample_data *data = filter_hook->data; + + path_put(&data->subtree_path); + kfree(data); +} +

Hi Song,

This example looks fine but it raises a question. This filter will keep the mount of subtree_path busy until the group is closed or the filter is detached. This is probably fine for many services that keep the mount busy anyway.

But what if this wasn't the intention? What if an Anti-malware engine that watches all mounts wanted to use that for configuring some ignore/block subtree filters?

One way would be to use an is_subtree() variant that looks for a subtree root inode number and then verifies it with a subtree root fid. A production subtree filter will need to use a variant of is_subtree() anyway that looks for a set of subtree root inodes, because doing a loop of is_subtree() for multiple paths is a no go.
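Review bot: the path_put(&data->subtree_path) in sample_filter_free() is the only visible release of the path reference, so the filter holds that reference for its whole lifetime, and nothing in the hunk documents this. Add a comment above sample_filter_free() stating that the mount of subtree_path stays busy until the filter is detached or the group is closed, so that anyone copying the sample as a template knows the mount is pinned while the filter is attached.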
Maybe some cache mechanism will be sufficient (and maybe also the best we can do) in this case?

Thanks,
Song
Don't need to change anything in the example, unless other people think that we do need to set a better example to begin with...
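The lookup shape suggested in the thread (find a subtree root by inode number, verify it against the root's fid, and test a whole set of roots in one walk rather than looping per path) can be modelled in userspace C. This is an added example, not code from the patch or from anyone in the thread; every type and function name is hypothetical, `ino` plus `gen` stand in for a fid, and the set stores identifiers only, so it holds no path reference.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Userspace model; every name here is hypothetical, none is kernel API. */
struct node { uint64_t ino; uint32_t gen; const struct node *parent; }; /* ino+gen model a fid */
struct subtree_root { uint64_t ino; uint32_t gen; bool used; };
#define SET_SLOTS 64
struct root_set { struct subtree_root slot[SET_SLOTS]; };
static size_t slot_of(uint64_t ino) { return (size_t)((ino * 0x9E3779B97F4A7C15ull) >> 58); }

/* Insert with linear probing; returns false when the table is full. */
static bool root_set_add(struct root_set *s, uint64_t ino, uint32_t gen)
{
    size_t h = slot_of(ino);
    for (size_t i = 0; i < SET_SLOTS; i++, h = (h + 1) % SET_SLOTS)
        if (!s->slot[h].used) {
            s->slot[h] = (struct subtree_root){ ino, gen, true };
            return true;
        }
    return false;
}

/* Hash lookup by inode number, then verification against the stored fid. */
static bool root_set_match(const struct root_set *s, const struct node *n)
{
    size_t h = slot_of(n->ino);
    for (size_t i = 0; i < SET_SLOTS && s->slot[h].used; i++, h = (h + 1) % SET_SLOTS)
        if (s->slot[h].ino == n->ino && s->slot[h].gen == n->gen)
            return true;
    return false;
}

/* One walk towards the root answers "is n under any configured subtree?". */
static bool in_any_subtree(const struct root_set *s, const struct node *n)
{
    for (; n; n = n->parent)
        if (root_set_match(s, n))
            return true;
    return false;
}

int main(void)
{
    /* Constructed sample: ino 10/gen 1 is a root; "reused" has the same ino, another fid. */
    struct root_set set = { 0 };
    struct node root = { 2, 1, NULL }, ign = { 10, 1, &root }, f = { 12, 1, &ign }, reused = { 10, 2, &root };
    root_set_add(&set, 10, 1);
    return (in_any_subtree(&set, &f) && !in_any_subtree(&set, &reused)) ? 0 : 1;
}
```

The cost per event is one ancestor walk with a constant-time set probe at each level, independent of how many subtree roots are configured.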