.\" Copyright (C) 2013, Heinrich Schuchardt <xypron.glpk@gmx.de>
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.TH FANOTIFY_MARK 2 2021-08-27 "Linux man-pages (unreleased)"
fanotify_mark \- add, remove, or modify an fanotify mark on a filesystem
.RI ( libc ", " \-lc )
.B #include <sys/fanotify.h>
.BI "int fanotify_mark(int " fanotify_fd ", unsigned int " flags ,
.BI " uint64_t " mask ", int " dirfd \
", const char *" pathname );
For an overview of the fanotify API, see
adds, removes, or modifies an fanotify mark on a filesystem object.
The caller must have read permission on the filesystem object that
argument is a file descriptor returned by
.BR fanotify_init (2).
is a bit mask describing the modification to perform.
It must include exactly one of the following values:
will be added to the mark mask (or to the ignore mask).
must be nonempty or the error
The events in argument
will be removed from the mark mask (or from the ignore mask).
must be nonempty or the error
Remove either all marks for filesystems, all marks for mounts, or all
marks for directories and files from the fanotify group.
all marks for mounts are removed from the group.
.BR FAN_MARK_FILESYSTEM ,
all marks for filesystems are removed from the group.
Otherwise, all marks for directories and files are removed.
No flag other than, and at most one of, the flags
.B FAN_MARK_FILESYSTEM
can be used in conjunction with
If none of the values above is specified, or more than one is specified,
the call fails with the error
zero or more of the following values may be ORed into
.B FAN_MARK_DONT_FOLLOW
is a symbolic link, mark the link itself, rather than the file to which it
if it is a symbolic link.)
If the filesystem object to be marked is not a directory, the error
Mark the mount specified by
is not itself a mount point, the mount containing
All directories, subdirectories, and the contained files of the mount
The events which require that filesystem objects are identified by file handles,
.BR FAN_DELETE_SELF ,
cannot be provided as a
Attempting to do so will result in the error
Use of this flag requires the
.BR FAN_MARK_FILESYSTEM " (since Linux 4.20)"
.\" commit d54f4fba889b205e9cd8239182ca5d27d0ac3bc2
Mark the filesystem specified by
The filesystem containing
All the contained files and directories of the filesystem from any mount
point will be monitored.
Use of this flag requires the
.B FAN_MARK_IGNORED_MASK
shall be added to or removed from the ignore mask.
.B FAN_MARK_IGNORED_SURV_MODIFY
The ignore mask shall survive modify events.
If this flag is not set,
the ignore mask is cleared when a modify event occurs
for the ignored file or directory.
defines which events shall be listened for (or which shall be ignored).
It is a bit mask composed of the following values:
Create an event when a file or directory (but see BUGS) is accessed (read).
Create an event when a file is modified (write).
Create an event when a writable file is closed.
Create an event when a read-only file or directory is closed.
Create an event when a file or directory is opened.
.BR FAN_OPEN_EXEC " (since Linux 5.0)"
.\" commit 9b076f1c0f4869b838a1b7aa0edb5664d47ec8aa
Create an event when a file is opened with the intent to be executed.
See NOTES for additional details.
.BR FAN_ATTRIB " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when the metadata for a file or directory has changed.
An fanotify group that identifies filesystem objects by file handles
.BR FAN_CREATE " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been created in a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_DELETE " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been deleted in a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_DELETE_SELF " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a marked file or directory itself is deleted.
An fanotify group that identifies filesystem objects by file handles
.BR FAN_FS_ERROR " (since Linux 5.16)"
.\" commit 9709bd548f11a092d124698118013f66e1740f9b
Create an event when a filesystem error
leading to inconsistent filesystem metadata is detected.
An additional information record of type
.B FAN_EVENT_INFO_TYPE_ERROR
is returned for each event in the read buffer.
An fanotify group that identifies filesystem objects by file handles
Events of such type are dependent on support
from the underlying filesystem.
At the time of writing,
for additional details.
.BR FAN_MOVED_FROM " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been moved from a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_MOVED_TO " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been moved to a marked parent
An fanotify group that identifies filesystem objects by file handles
.BR FAN_RENAME " (since Linux 5.17)"
.\" commit 8cc3b1ccd930fe6971e1527f0c4f1bdc8cb56026
This event contains the same information provided by events
however is represented by a single event with up to two information records.
An fanotify group that identifies filesystem objects by file handles
If the filesystem object to be marked is not a directory, the error
.BR FAN_MOVE_SELF " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a marked file or directory itself has been moved.
An fanotify group that identifies filesystem objects by file handles
Create an event when a permission to open a file or directory is requested.
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
.BR FAN_OPEN_EXEC_PERM " (since Linux 5.0)"
.\" commit 66917a3130f218dcef9eeab4fd11a71cd00cd7c9
Create an event when a permission to open a file for execution is
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
See NOTES for additional details.
Create an event when a permission to read a file or directory is requested.
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
Create events for directories\(emfor example, when
Without this flag, events are created only for files.
In the context of directory entry events, such as
is required in order to create events when subdirectory entries are
.B FAN_EVENT_ON_CHILD
Events for the immediate children of marked directories shall be created.
The flag has no effect when marking mounts and filesystems.
Note that events are not generated for children of the subdirectories
of marked directories.
More specifically, the directory entry modification events
are not generated for any entry modifications performed inside subdirectories
of marked directories.
are not generated for children of marked directories.
To monitor complete directory trees it is necessary to mark the relevant
The following composed values are defined:
.RB ( FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE ).
A file or directory has been moved
.RB ( FAN_MOVED_FROM | FAN_MOVED_TO ).
The filesystem object to be marked is determined by the file descriptor
and the pathname specified in
defines the filesystem object to be marked.
takes the special value
the current working directory is to be marked.
is absolute, it defines the filesystem object to be marked, and
does not have the value
then the filesystem object to be marked is determined by interpreting
relative to the directory referred to by
then the filesystem object to be marked is determined by interpreting
relative to the current working directory.
for an explanation of why the
On error, \-1 is returned, and
is set to indicate the error.
An invalid file descriptor was passed in
nor a valid file descriptor.
An invalid value was passed in
was not an fanotify file descriptor.
The fanotify file descriptor was opened with
or the fanotify group identifies filesystem objects by file handles
and mask contains a flag for permission events
.BR FAN_ACCESS_PERM ).
The group was initialized without
but one or more event types specified in the
The filesystem object indicated by
is not associated with a filesystem that supports
.\" commit 59cda49ecf6c9a32fae4942420701b6e087204f6
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
The filesystem object indicated by
This error also occurs when trying to remove a mark from an object
The necessary memory could not be allocated.
The number of marks for this user exceeds the limit and the
.B FAN_UNLIMITED_MARKS
flag was not specified when the fanotify file descriptor was created with
.BR fanotify_init (2).
for details about this limit.
This kernel does not implement
.BR fanotify_mark ().
The fanotify API is available only if the kernel was configured with
.BR CONFIG_FANOTIFY .
.BR FAN_MARK_ONLYDIR ,
do not specify a directory.
do not specify a directory.
The fanotify group was initialized with flag
.BR FAN_REPORT_TARGET_FID ,
contains directory entry modification events
or directory event flags
.BR FAN_EVENT_ON_CHILD ),
do not specify a directory.
The object indicated by
is associated with a filesystem that does not support the encoding of file
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
The operation is not permitted because the caller lacks a required capability.
The filesystem object indicated by
resides within a filesystem subvolume (e.g.,
which uses a different
than its root superblock.
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
was introduced in version 2.6.36 of the Linux kernel and enabled in version
This system call is Linux-specific.
.SS FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM
.B FAN_OPEN_EXEC_PERM
events of these types will be returned only when the direct execution of a
More specifically, this means that events of these types will be generated
for files that are opened using
Events of these types will not be raised in the situation where an
interpreter is passed (or reads) a file for interpretation.
Additionally, if a mark has also been placed on the Linux dynamic
linker, a user should also expect to receive an event for it when
an ELF object has been successfully opened using
For example, if the following ELF binary were to be invoked and a
mark has been placed on /:
The listening application in this case would receive
events for both the ELF binary and interpreter, respectively:
/lib64/ld\-linux\-x86\-64.so.2
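The FAN_OPEN_EXEC behaviour described in these notes can be observed with a small listener that marks the mount containing / and prints the path behind each event. This is an added example, not part of the original man page or the Linux man-pages project; the helper names fd_to_path, exec_watch_open and exec_watch_drain are hypothetical, and it assumes the caller holds CAP_SYS_ADMIN and that /proc is mounted.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Resolve the open fd carried in an event to a pathname via /proc. */
static int fd_to_path(int fd, char *buf, size_t len) {
    char link[64];
    snprintf(link, sizeof(link), "/proc/self/fd/%d", fd);
    ssize_t n = readlink(link, buf, len - 1);
    if (n < 0) return -errno;
    buf[n] = '\0';
    return 0;
}

/* Mark the mount containing path for FAN_OPEN_EXEC; group fd or -errno. */
static int exec_watch_open(const char *path) {
    int fan = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) return -errno;
    int rc = fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_EXEC,
                           AT_FDCWD, path) < 0 ? -errno : fan;
    if (rc < 0) close(fan);
    return rc;
}

/* Block for one batch of events, print them, return the count or -errno. */
static int exec_watch_drain(int fan) {
    struct fanotify_event_metadata buf[64], *ev = buf;
    char path[PATH_MAX];
    int count = 0;
    ssize_t len = read(fan, buf, sizeof(buf));
    if (len < 0) return -errno;
    for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len), count++) {
        if (ev->fd < 0) continue;      /* FAN_NOFD: no file attached */
        if (fd_to_path(ev->fd, path, sizeof(path)) == 0)
            printf("exec pid=%d %s\n", (int)ev->pid, path);
        close(ev->fd);                 /* each event fd must be closed */
    }
    return count;
}

int main(void) {
    int fan = exec_watch_open("/");    /* "/" as in the NOTES example */
    while (fan >= 0 && exec_watch_drain(fan) >= 0) {}
    return fan < 0;
}
```

Running a dynamically linked ELF binary while this listener is active prints one line for the binary and one for the dynamic linker; running a script through an interpreter prints the interpreter only.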
The following bugs were present in Linux kernels before version 3.16:
.\" Fixed by commit 0a8dd2db579f7a0ac7033d6b857c3d5dbaa77563
must specify a valid filesystem object, even though this object is not used.
.\" Fixed by commit d4c7cf6cffb1bc711a833b5e304ba5bcfe76398b
.\" Fixed by commit cc299a98eb13a9853675a9cbb90b30b4011e1406
is not checked for invalid values.
.BR fanotify_init (2),