1 .\" Copyright (C) 2013, Heinrich Schuchardt <xypron.glpk@gmx.de>
3 .\" SPDX-License-Identifier: Linux-man-pages-copyleft
4 .TH FANOTIFY_MARK 2 (date) "Linux man-pages (unreleased)"
6 fanotify_mark \- add, remove, or modify an fanotify mark on a filesystem
10 .RI ( libc ", " \-lc )
13 .B #include <sys/fanotify.h>
15 .BI "int fanotify_mark(int " fanotify_fd ", unsigned int " flags ,
16 .BI " uint64_t " mask ", int " dirfd \
17 ", const char *" pathname );
20 For an overview of the fanotify API, see
24 adds, removes, or modifies an fanotify mark on a filesystem object.
25 The caller must have read permission on the filesystem object that
30 argument is a file descriptor returned by
31 .BR fanotify_init (2).
34 is a bit mask describing the modification to perform.
35 It must include exactly one of the following values:
40 will be added to the mark mask (or to the ignore mask).
42 must be nonempty or the error
47 The events in argument
49 will be removed from the mark mask (or from the ignore mask).
51 must be nonempty or the error
56 Remove either all marks for filesystems, all marks for mounts, or all
57 marks for directories and files from the fanotify group.
62 all marks for mounts are removed from the group.
66 .BR FAN_MARK_FILESYSTEM ,
67 all marks for filesystems are removed from the group.
68 Otherwise, all marks for directories and files are removed.
69 No flag other than, and at most one of, the flags
72 .B FAN_MARK_FILESYSTEM
73 can be used in conjunction with
78 If none of the values above is specified, or more than one is specified,
79 the call fails with the error
83 zero or more of the following values may be ORed into
86 .B FAN_MARK_DONT_FOLLOW
89 is a symbolic link, mark the link itself, rather than the file to which it
95 if it is a symbolic link.)
98 If the filesystem object to be marked is not a directory, the error
103 Mark the mount specified by
107 is not itself a mount point, the mount containing
110 All directories, subdirectories, and the contained files of the mount
112 The events which require that filesystem objects are identified by file handles,
118 .BR FAN_DELETE_SELF ,
119 cannot be provided as a
125 Attempting to do so will result in the error
128 Use of this flag requires the
132 .BR FAN_MARK_FILESYSTEM " (since Linux 4.20)"
133 .\" commit d54f4fba889b205e9cd8239182ca5d27d0ac3bc2
134 Mark the filesystem specified by
136 The filesystem containing
139 All the contained files and directories of the filesystem from any mount
140 point will be monitored.
141 Use of this flag requires the
145 .B FAN_MARK_IGNORED_MASK
148 shall be added to or removed from the ignore mask.
152 .B FAN_EVENT_ON_CHILD
153 have no effect when provided with this flag.
154 The effect of setting the flags
157 .B FAN_EVENT_ON_CHILD
159 on the events that are set in the ignore mask
160 is undefined and depends on the Linux kernel version.
161 Specifically, prior to Linux 5.9,
162 .\" commit 497b0c5a7c0688c1b100a9c2e267337f677c198e
163 setting a mark mask on a file
164 and a mark with ignore mask on its parent directory
165 would not result in ignoring events on the file,
167 .B FAN_EVENT_ON_CHILD
168 flag in the parent directory's mark mask.
169 When the ignore mask is updated with the
170 .B FAN_MARK_IGNORED_MASK
172 on a mark that was previously updated with the
175 the update fails with
179 .BR FAN_MARK_IGNORE " (since Linux 6.0)"
180 .\" commit e252f2ed1c8c6c3884ab5dd34e003ed21f1fe6e0
181 This flag has a similar effect as setting the
182 .B FAN_MARK_IGNORED_MASK
186 shall be added to or removed from the ignore mask.
188 .B FAN_MARK_IGNORED_MASK
190 this flag also has the effect that the
193 .B FAN_EVENT_ON_CHILD
194 flags take effect on the ignore mask.
195 Specifically, unless the
198 .BR FAN_MARK_IGNORE ,
199 events on directories will not be ignored.
201 .B FAN_EVENT_ON_CHILD
203 .BR FAN_MARK_IGNORE ,
204 events on children will be ignored.
206 a mark on a directory with combination of
213 and an ignore mask with
219 will result in getting only
220 the events for creation of sub-directories.
223 flag to add to an ignore mask
226 or directory inode mark,
228 .B FAN_MARK_IGNORED_SURV_MODIFY
229 flag must be specified.
230 Failure to do so will results with
236 .B FAN_MARK_IGNORED_SURV_MODIFY
237 The ignore mask shall survive modify events.
238 If this flag is not set,
239 the ignore mask is cleared when a modify event occurs
240 on the marked object.
241 Omitting this flag is typically used to suppress events
245 until that specific file's content has been modified.
246 It is far less useful to suppress events
247 on an entire filesystem,
249 or on all files inside a directory,
250 until some file's content has been modified.
255 .B FAN_MARK_IGNORED_SURV_MODIFY
258 or directory inode mark.
259 This flag cannot be removed from a mark once set.
260 When the ignore mask is updated without this flag
261 on a mark that was previously updated with the
264 .B FAN_MARK_IGNORED_SURV_MODIFY
266 the update fails with
270 .B FAN_MARK_IGNORE_SURV
271 This is a synonym for
272 .RB ( FAN_MARK_IGNORE | FAN_MARK_IGNORED_SURV_MODIFY ).
274 .BR FAN_MARK_EVICTABLE " (since Linux 5.19)"
275 .\" commit 5f9d3bd520261fd7a850818c71809fd580e0f30c
276 When an inode mark is created with this flag,
277 the inode object will not be pinned to the inode cache,
279 allowing the inode object to be evicted from the inode cache
280 when the memory pressure on the system is high.
281 The eviction of the inode object
282 results in the evictable mark also being lost.
283 When the mask of an evictable inode mark is updated
285 .B FAN_MARK_EVICATBLE
287 the marked inode is pinned to inode cache
288 and the mark is no longer evictable.
289 When the mask of a non-evictable inode mark is updated
291 .B FAN_MARK_EVICTABLE
293 the inode mark remains non-evictable
294 and the update fails with
297 Mounts and filesystems are not evictable objects,
299 an attempt to create a mount mark or a filesystem mark
301 .B FAN_MARK_EVICTABLE
303 will result in the error
306 inode marks can be used in combination with mount marks
307 to reduce the amount of events from noninteresting paths.
308 The event listener reads events,
309 checks if the path reported in the event is of interest,
311 the listener sets a mark with an ignore mask on the directory.
312 Evictable inode marks allow using this method for a large number of directories
313 without the concern of pinning all inodes and exhausting the system's memory.
316 defines which events shall be listened for (or which shall be ignored).
317 It is a bit mask composed of the following values:
320 Create an event when a file or directory (but see BUGS) is accessed (read).
323 Create an event when a file is modified (write).
326 Create an event when a writable file is closed.
329 Create an event when a read-only file or directory is closed.
332 Create an event when a file or directory is opened.
334 .BR FAN_OPEN_EXEC " (since Linux 5.0)"
335 .\" commit 9b076f1c0f4869b838a1b7aa0edb5664d47ec8aa
336 Create an event when a file is opened with the intent to be executed.
337 See NOTES for additional details.
339 .BR FAN_ATTRIB " (since Linux 5.1)"
340 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
341 Create an event when the metadata for a file or directory has changed.
342 An fanotify group that identifies filesystem objects by file handles
345 .BR FAN_CREATE " (since Linux 5.1)"
346 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
347 Create an event when a file or directory has been created in a marked
349 An fanotify group that identifies filesystem objects by file handles
352 .BR FAN_DELETE " (since Linux 5.1)"
353 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
354 Create an event when a file or directory has been deleted in a marked
356 An fanotify group that identifies filesystem objects by file handles
359 .BR FAN_DELETE_SELF " (since Linux 5.1)"
360 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
361 Create an event when a marked file or directory itself is deleted.
362 An fanotify group that identifies filesystem objects by file handles
365 .BR FAN_FS_ERROR " (since Linux 5.16)"
366 .\" commit 9709bd548f11a092d124698118013f66e1740f9b
367 Create an event when a filesystem error
368 leading to inconsistent filesystem metadata is detected.
369 An additional information record of type
370 .B FAN_EVENT_INFO_TYPE_ERROR
371 is returned for each event in the read buffer.
372 An fanotify group that identifies filesystem objects by file handles
375 Events of such type are dependent on support
376 from the underlying filesystem.
377 At the time of writing,
386 for additional details.
388 .BR FAN_MOVED_FROM " (since Linux 5.1)"
389 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
390 Create an event when a file or directory has been moved from a marked
392 An fanotify group that identifies filesystem objects by file handles
395 .BR FAN_MOVED_TO " (since Linux 5.1)"
396 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
397 Create an event when a file or directory has been moved to a marked parent
399 An fanotify group that identifies filesystem objects by file handles
402 .BR FAN_RENAME " (since Linux 5.17)"
403 .\" commit 8cc3b1ccd930fe6971e1527f0c4f1bdc8cb56026
404 This event contains the same information provided by events
408 however is represented by a single event with up to two information records.
409 An fanotify group that identifies filesystem objects by file handles
411 If the filesystem object to be marked is not a directory, the error
415 .BR FAN_MOVE_SELF " (since Linux 5.1)"
416 .\" commit 235328d1fa4251c6dcb32351219bb553a58838d2
417 Create an event when a marked file or directory itself has been moved.
418 An fanotify group that identifies filesystem objects by file handles
422 Create an event when a permission to open a file or directory is requested.
423 An fanotify file descriptor created with
424 .B FAN_CLASS_PRE_CONTENT
429 .BR FAN_OPEN_EXEC_PERM " (since Linux 5.0)"
430 .\" commit 66917a3130f218dcef9eeab4fd11a71cd00cd7c9
431 Create an event when a permission to open a file for execution is
433 An fanotify file descriptor created with
434 .B FAN_CLASS_PRE_CONTENT
438 See NOTES for additional details.
441 Create an event when a permission to read a file or directory is requested.
442 An fanotify file descriptor created with
443 .B FAN_CLASS_PRE_CONTENT
449 Create events for directories\(emfor example, when
455 Without this flag, events are created only for files.
456 In the context of directory entry events, such as
464 is required in order to create events when subdirectory entries are
469 .B FAN_EVENT_ON_CHILD
470 Events for the immediate children of marked directories shall be created.
471 The flag has no effect when marking mounts and filesystems.
472 Note that events are not generated for children of the subdirectories
473 of marked directories.
474 More specifically, the directory entry modification events
480 are not generated for any entry modifications performed inside subdirectories
481 of marked directories.
486 are not generated for children of marked directories.
487 To monitor complete directory trees it is necessary to mark the relevant
490 The following composed values are defined:
494 .RB ( FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE ).
497 A file or directory has been moved
498 .RB ( FAN_MOVED_FROM | FAN_MOVED_TO ).
500 The filesystem object to be marked is determined by the file descriptor
502 and the pathname specified in
509 defines the filesystem object to be marked.
515 takes the special value
517 the current working directory is to be marked.
521 is absolute, it defines the filesystem object to be marked, and
529 does not have the value
531 then the filesystem object to be marked is determined by interpreting
533 relative the directory referred to by
542 then the filesystem object to be marked is determined by interpreting
544 relative to the current working directory.
547 for an explanation of why the
554 On error, \-1 is returned, and
556 is set to indicate the error.
560 An invalid file descriptor was passed in
569 nor a valid file descriptor.
572 The filesystem object indicated by
576 has a mark that was updated without the
577 .B FAN_MARK_EVICTABLE
579 and the user attempted to update the mark with
580 .B FAN_MARK_EVICTABLE
584 The filesystem object indicated by
588 has a mark that was updated with the
591 and the user attempted to update the mark with
592 .B FAN_MARK_IGNORED_MASK
596 The filesystem object indicated by
600 has a mark that was updated with the
603 .B FAN_MARK_IGNORED_SURV_MODIFY
605 and the user attempted to update the mark only with
610 An invalid value was passed in
616 was not an fanotify file descriptor.
619 The fanotify file descriptor was opened with
621 or the fanotify group identifies filesystem objects by file handles
622 and mask contains a flag for permission events
625 .BR FAN_ACCESS_PERM ).
628 The group was initialized without
630 but one or more event types specified in the
637 .BR FAN_MARK_IGNORE ,
641 .BR FAN_MARK_FILESYSTEM ,
643 .BR FAN_MARK_IGNORED_SURV_MODIFY .
648 .BR FAN_MARK_IGNORE ,
650 .BR FAN_MARK_IGNORED_SURV_MODIFY ,
658 The filesystem object indicated by
662 is not associated with a filesystem that supports
670 .\" commit 59cda49ecf6c9a32fae4942420701b6e087204f6
671 This error can be returned only with an fanotify group that identifies
672 filesystem objects by file handles.
675 The filesystem object indicated by
680 This error also occurs when trying to remove a mark from an object
684 The necessary memory could not be allocated.
687 The number of marks for this user exceeds the limit and the
688 .B FAN_UNLIMITED_MARKS
689 flag was not specified when the fanotify file descriptor was created with
690 .BR fanotify_init (2).
693 for details about this limit.
696 This kernel does not implement
697 .BR fanotify_mark ().
698 The fanotify API is available only if the kernel was configured with
699 .BR CONFIG_FANOTIFY .
704 .BR FAN_MARK_ONLYDIR ,
709 do not specify a directory.
719 do not specify a directory.
724 .BR FAN_MARK_IGNORE ,
725 or the fanotify group was initialized with flag
726 .BR FAN_REPORT_TARGET_FID ,
729 contains directory entry modification events
733 or directory event flags
736 .BR FAN_EVENT_ON_CHILD ),
741 do not specify a directory.
744 The object indicated by
746 is associated with a filesystem that does not support the encoding of file
748 This error can be returned only with an fanotify group that identifies
749 filesystem objects by file handles.
752 The operation is not permitted because the caller lacks a required capability.
755 The filesystem object indicated by
757 resides within a filesystem subvolume (e.g.,
759 which uses a different
761 than its root superblock.
762 This error can be returned only with an fanotify group that identifies
763 filesystem objects by file handles.
766 was introduced in version 2.6.36 of the Linux kernel and enabled in version
769 This system call is Linux-specific.
771 .SS FAN_OPEN_EXEC and FAN_OPEN_EXEC_PERM
775 .B FAN_OPEN_EXEC_PERM
778 events of these types will be returned only when the direct execution of a
780 More specifically, this means that events of these types will be generated
781 for files that are opened using
786 Events of these types will not be raised in the situation where an
787 interpreter is passed (or reads) a file for interpretation.
789 Additionally, if a mark has also been placed on the Linux dynamic
790 linker, a user should also expect to receive an event for it when
791 an ELF object has been successfully opened using
796 For example, if the following ELF binary were to be invoked and a
798 mark has been placed on /:
806 The listening application in this case would receive
808 events for both the ELF binary and interpreter, respectively:
813 /lib64/ld\-linux\-x86\-64.so.2
817 The following bugs were present in Linux kernels before version 3.16:
819 .\" Fixed by commit 0a8dd2db579f7a0ac7033d6b857c3d5dbaa77563
827 must specify a valid filesystem object, even though this object is not used.
829 .\" Fixed by commit d4c7cf6cffb1bc711a833b5e304ba5bcfe76398b
835 .\" Fixed by commit cc299a98eb13a9853675a9cbb90b30b4011e1406
841 is not checked for invalid values.
843 .BR fanotify_init (2),