.\" Copyright (C) 2013, Heinrich Schuchardt <xypron.glpk@gmx.de>
.\" SPDX-License-Identifier: Linux-man-pages-copyleft
.TH FANOTIFY_MARK 2 2022-09-09 "Linux man-pages (unreleased)"
fanotify_mark \- add, remove, or modify an fanotify mark on a filesystem
.RI ( libc ", " \-lc )
.B #include <sys/fanotify.h>
.BI "int fanotify_mark(int " fanotify_fd ", unsigned int " flags ,
.BI " uint64_t " mask ", int " dirfd \
", const char *" pathname );
For an overview of the fanotify API, see
adds, removes, or modifies an fanotify mark on a filesystem object.
The caller must have read permission on the filesystem object that
argument is a file descriptor returned by
.BR fanotify_init (2).
is a bit mask describing the modification to perform.
It must include exactly one of the following values:
will be added to the mark mask (or to the ignore mask).
must be nonempty or the error
The events in argument
will be removed from the mark mask (or from the ignore mask).
must be nonempty or the error
Remove either all marks for filesystems, all marks for mounts, or all
marks for directories and files from the fanotify group.
all marks for mounts are removed from the group.
.BR FAN_MARK_FILESYSTEM ,
all marks for filesystems are removed from the group.
Otherwise, all marks for directories and files are removed.
No flag other than, and at most one of, the flags
.B FAN_MARK_FILESYSTEM
can be used in conjunction with
If none of the values above is specified, or more than one is specified,
the call fails with the error
zero or more of the following values may be ORed into
.B FAN_MARK_DONT_FOLLOW
is a symbolic link, mark the link itself, rather than the file to which it
if it is a symbolic link.)
If the filesystem object to be marked is not a directory, the error
Mark the mount specified by
is not itself a mount point, the mount containing
All directories, subdirectories, and the contained files of the mount
The events which require that filesystem objects are identified by file handles,
.BR FAN_DELETE_SELF ,
cannot be provided as a
Attempting to do so will result in the error
Use of this flag requires the
.BR FAN_MARK_FILESYSTEM " (since Linux 4.20)"
.\" commit d54f4fba889b205e9cd8239182ca5d27d0ac3bc2
Mark the filesystem specified by
The filesystem containing
All the contained files and directories of the filesystem from any mount
point will be monitored.
Use of this flag requires the
.B FAN_MARK_IGNORED_MASK
shall be added to or removed from the ignore mask.
.B FAN_MARK_IGNORED_SURV_MODIFY
The ignore mask shall survive modify events.
If this flag is not set,
the ignore mask is cleared when a modify event occurs
for the ignored file or directory.
.BR FAN_MARK_EVICTABLE " (since Linux 5.19)"
.\" commit 5f9d3bd520261fd7a850818c71809fd580e0f30c
When an inode mark is created with this flag,
the inode object will not be pinned to the inode cache,
allowing the inode object to be evicted from the inode cache
when the memory pressure on the system is high.
The eviction of the inode object
results in the evictable mark also being lost.
When the mask of an evictable inode mark is updated
.B FAN_MARK_EVICTABLE
the marked inode is pinned to inode cache
and the mark is no longer evictable.
When the mask of a non-evictable inode mark is updated
.B FAN_MARK_EVICTABLE
the inode mark remains non-evictable
and the update fails with
Mounts and filesystems are not evictable objects,
an attempt to create a mount mark or a filesystem mark
.B FAN_MARK_EVICTABLE
will result in the error
inode marks can be used in combination with mount marks
to reduce the number of events from uninteresting paths.
The event listener reads events,
checks if the path reported in the event is of interest,
the listener sets a mark with an ignore mask on the directory.
Evictable inode marks allow using this method for a large number of directories
without the concern of pinning all inodes and exhausting the system's memory.
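.PP
The flag and mask combination rules described above can be checked before the system call is made, for instance when a monitoring agent builds its mark requests from a policy file.
The following C function is an added example, not part of this manual page or of the kernel; check_mark_request(), enum mark_check and FID_EVENTS are hypothetical names, and the result codes stand in for the errno values the kernel would report.

```c
#include <stdint.h>
#include <sys/fanotify.h>

/* Headers older than the kernel releases named on this page may lack these. */
#ifndef FAN_MARK_EVICTABLE
#define FAN_MARK_EVICTABLE 0x00000200   /* since Linux 5.19 */
#endif
#ifndef FAN_RENAME
#define FAN_RENAME 0x10000000           /* since Linux 5.17 */
#endif

/* Hypothetical result codes for this example; the kernel reports errno. */
enum mark_check {
    MARK_OK, MARK_BAD_OPERATION, MARK_EMPTY_MASK, MARK_BAD_FLUSH_FLAGS,
    MARK_EVICTABLE_NOT_INODE, MARK_FID_EVENT_ON_MOUNT
};

/* Events this page documents as needing a group that reports file handles. */
#define FID_EVENTS (FAN_ATTRIB | FAN_CREATE | FAN_DELETE | FAN_DELETE_SELF | \
                    FAN_MOVED_FROM | FAN_MOVED_TO | FAN_MOVE_SELF | FAN_RENAME)

/* Check a (flags, mask) pair against the combination rules above. */
enum mark_check check_mark_request(unsigned int flags, uint64_t mask)
{
    unsigned int op = flags & (FAN_MARK_ADD | FAN_MARK_REMOVE | FAN_MARK_FLUSH);
    unsigned int scope = flags & (FAN_MARK_MOUNT | FAN_MARK_FILESYSTEM);

    /* Exactly one of ADD, REMOVE, FLUSH: op must be a single set bit. */
    if (op == 0 || (op & (op - 1)) != 0)
        return MARK_BAD_OPERATION;

    if (op == FAN_MARK_FLUSH) {
        /* Only one of MOUNT or FILESYSTEM may accompany FLUSH. */
        if ((flags & ~(op | scope)) != 0 ||
            scope == (FAN_MARK_MOUNT | FAN_MARK_FILESYSTEM))
            return MARK_BAD_FLUSH_FLAGS;
        return MARK_OK;
    }
    if (mask == 0)
        return MARK_EMPTY_MASK;
    /* Mounts and filesystems are not evictable objects. */
    if ((flags & FAN_MARK_EVICTABLE) && scope != 0)
        return MARK_EVICTABLE_NOT_INODE;
    /* File-handle events cannot be requested on a mount mark. */
    if ((flags & FAN_MARK_MOUNT) && (mask & FID_EVENTS))
        return MARK_FID_EVENT_ON_MOUNT;
    return MARK_OK;
}
```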
defines which events shall be listened for (or which shall be ignored).
It is a bit mask composed of the following values:
Create an event when a file or directory (but see BUGS) is accessed (read).
Create an event when a file is modified (write).
Create an event when a writable file is closed.
Create an event when a read-only file or directory is closed.
Create an event when a file or directory is opened.
.BR FAN_OPEN_EXEC " (since Linux 5.0)"
.\" commit 9b076f1c0f4869b838a1b7aa0edb5664d47ec8aa
Create an event when a file is opened with the intent to be executed.
See NOTES for additional details.
.BR FAN_ATTRIB " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when the metadata for a file or directory has changed.
An fanotify group that identifies filesystem objects by file handles
.BR FAN_CREATE " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been created in a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_DELETE " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been deleted in a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_DELETE_SELF " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a marked file or directory itself is deleted.
An fanotify group that identifies filesystem objects by file handles
.BR FAN_FS_ERROR " (since Linux 5.16)"
.\" commit 9709bd548f11a092d124698118013f66e1740f9b
Create an event when a filesystem error
leading to inconsistent filesystem metadata is detected.
An additional information record of type
.B FAN_EVENT_INFO_TYPE_ERROR
is returned for each event in the read buffer.
An fanotify group that identifies filesystem objects by file handles
Events of such type are dependent on support
from the underlying filesystem.
At the time of writing,
for additional details.
.BR FAN_MOVED_FROM " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been moved from a marked
An fanotify group that identifies filesystem objects by file handles
.BR FAN_MOVED_TO " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a file or directory has been moved to a marked parent
An fanotify group that identifies filesystem objects by file handles
.BR FAN_RENAME " (since Linux 5.17)"
.\" commit 8cc3b1ccd930fe6971e1527f0c4f1bdc8cb56026
This event contains the same information provided by events
however is represented by a single event with up to two information records.
An fanotify group that identifies filesystem objects by file handles
If the filesystem object to be marked is not a directory, the error
.BR FAN_MOVE_SELF " (since Linux 5.1)"
.\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
Create an event when a marked file or directory itself has been moved.
An fanotify group that identifies filesystem objects by file handles
Create an event when a permission to open a file or directory is requested.
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
.BR FAN_OPEN_EXEC_PERM " (since Linux 5.0)"
.\" commit 66917a3130f218dcef9eeab4fd11a71cd00cd7c9
Create an event when a permission to open a file for execution is
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
See NOTES for additional details.
Create an event when a permission to read a file or directory is requested.
An fanotify file descriptor created with
.B FAN_CLASS_PRE_CONTENT
Create events for directories\(emfor example, when
Without this flag, events are created only for files.
In the context of directory entry events, such as
is required in order to create events when subdirectory entries are
.B FAN_EVENT_ON_CHILD
Events for the immediate children of marked directories shall be created.
The flag has no effect when marking mounts and filesystems.
Note that events are not generated for children of the subdirectories
of marked directories.
More specifically, the directory entry modification events
are not generated for any entry modifications performed inside subdirectories
of marked directories.
are not generated for children of marked directories.
To monitor complete directory trees it is necessary to mark the relevant
The following composed values are defined:
.RB ( FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE ).
A file or directory has been moved
.RB ( FAN_MOVED_FROM | FAN_MOVED_TO ).
The filesystem object to be marked is determined by the file descriptor
and the pathname specified in
defines the filesystem object to be marked.
takes the special value
the current working directory is to be marked.
is absolute, it defines the filesystem object to be marked, and
does not have the value
then the filesystem object to be marked is determined by interpreting
relative to the directory referred to by
then the filesystem object to be marked is determined by interpreting
relative to the current working directory.
for an explanation of why the
On error, \-1 is returned, and
is set to indicate the error.
An invalid file descriptor was passed in
nor a valid file descriptor.
The filesystem object indicated by
has a mark that was updated without the
.B FAN_MARK_EVICTABLE
and the user attempted to update the mark with
.B FAN_MARK_EVICTABLE
An invalid value was passed in
was not an fanotify file descriptor.
The fanotify file descriptor was opened with
or the fanotify group identifies filesystem objects by file handles
and mask contains a flag for permission events
.BR FAN_ACCESS_PERM ).
The group was initialized without
but one or more event types specified in the
The filesystem object indicated by
is not associated with a filesystem that supports
.\" commit 59cda49ecf6c9a32fae4942420701b6e087204f6
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
The filesystem object indicated by
This error also occurs when trying to remove a mark from an object
The necessary memory could not be allocated.
The number of marks for this user exceeds the limit and the
.B FAN_UNLIMITED_MARKS
flag was not specified when the fanotify file descriptor was created with
.BR fanotify_init (2).
for details about this limit.
This kernel does not implement
.BR fanotify_mark ().
The fanotify API is available only if the kernel was configured with
.BR CONFIG_FANOTIFY .
.BR FAN_MARK_ONLYDIR ,
do not specify a directory.
do not specify a directory.
The fanotify group was initialized with flag
.BR FAN_REPORT_TARGET_FID ,
contains directory entry modification events
or directory event flags
.BR FAN_EVENT_ON_CHILD ),
do not specify a directory.
The object indicated by
is associated with a filesystem that does not support the encoding of file
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
The operation is not permitted because the caller lacks a required capability.
The filesystem object indicated by
resides within a filesystem subvolume (e.g.,
which uses a different
than its root superblock.
This error can be returned only with an fanotify group that identifies
filesystem objects by file handles.
was introduced in version 2.6.36 of the Linux kernel and enabled in version
This system call is Linux-specific.
.SS FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM
.B FAN_OPEN_EXEC_PERM
events of these types will be returned only when the direct execution of a
More specifically, this means that events of these types will be generated
for files that are opened using
Events of these types will not be raised in the situation where an
interpreter is passed (or reads) a file for interpretation.
Additionally, if a mark has also been placed on the Linux dynamic
linker, a user should also expect to receive an event for it when
an ELF object has been successfully opened using
For example, if the following ELF binary were to be invoked and a
mark has been placed on /:
The listening application in this case would receive
events for both the ELF binary and interpreter, respectively:
/lib64/ld\-linux\-x86\-64.so.2
The following bugs were present in Linux kernels before version 3.16:
.\" Fixed by commit 0a8dd2db579f7a0ac7033d6b857c3d5dbaa77563
must specify a valid filesystem object, even though this object is not used.
.\" Fixed by commit d4c7cf6cffb1bc711a833b5e304ba5bcfe76398b
.\" Fixed by commit cc299a98eb13a9853675a9cbb90b30b4011e1406
is not checked for invalid values.
.BR fanotify_init (2),