• fanotify


    Linux file event monitoring with Fanotify [Part 1] - Zhihu (zhihu.com)

    Filesystem event              Inotify    Fanotify
    ACCESS                        Y          Y
    MODIFY                        Y          Y
    ATTRIB                        Y
    CLOSE_WRITE                   Y          Y
    CLOSE_NOWRITE                 Y          Y
    OPEN                          Y          Y
    MOVED_FROM                    Y          Linux 5.1
    MOVED_TO                      Y          Linux 5.1
    CREATE                        Y
    DELETE                        Y
    DELETE_SELF                   Y
    MOVE_SELF                     Y
    UNMOUNT                       Y
    OPEN_PERM (permission-related)           Y
    ACCESS_PERM (permission-related)         Y

           FAN_ACCESS
                  A file or a directory (but see BUGS) was accessed (read).

           FAN_OPEN
                  A file or a directory was opened.

           FAN_OPEN_EXEC
                  A file was opened with the intent to be executed.  See
                  NOTES in fanotify_mark(2) for additional details.

           FAN_ATTRIB
                  A file or directory metadata was changed.

           FAN_CREATE
                  A child file or directory was created in a watched parent.

           FAN_DELETE
                  A child file or directory was deleted in a watched parent.

           FAN_DELETE_SELF
                  A watched file or directory was deleted.

           FAN_MOVED_FROM
                  A file or directory has been moved from a watched parent
                  directory.

           FAN_MOVED_TO
                  A file or directory has been moved to a watched parent
                  directory.

           FAN_MOVE_SELF
                  A watched file or directory was moved.

           FAN_MODIFY
                  A file was modified.

           FAN_CLOSE_WRITE
                  A file that was opened for writing (O_WRONLY or O_RDWR)
                  was closed.

           FAN_CLOSE_NOWRITE
                  A file or directory that was opened read-only (O_RDONLY)
                  was closed.

           FAN_Q_OVERFLOW
                  The event queue exceeded the limit of 16384 entries.  This
                  limit can be overridden by specifying the
                  FAN_UNLIMITED_QUEUE flag when calling fanotify_init(2).

           FAN_ACCESS_PERM
                  An application wants to read a file or directory, for
                  example using read(2) or readdir(2).  The reader must
                  write a response (as described below) that determines
                  whether the permission to access the filesystem object
                  shall be granted.

           FAN_OPEN_PERM
                  An application wants to open a file or directory.  The
                  reader must write a response that determines whether the
                  permission to open the filesystem object shall be granted.

           FAN_OPEN_EXEC_PERM
                  An application wants to open a file for execution.  The
                  reader must write a response that determines whether the
                  permission to open the filesystem object for execution
                  shall be granted.  See NOTES in fanotify_mark(2) for
                  additional details.

           To check for any close event, the following bit mask may be used:

           FAN_CLOSE
                  A file was closed.  This is a synonym for:

                      FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE

           To check for any move event, the following bit mask may be used:

           FAN_MOVE
                  A file or directory was moved.  This is a synonym for:

                      FAN_MOVED_FROM | FAN_MOVED_TO

           The following bits may appear in mask only in conjunction with
           other event type bits:

           FAN_ONDIR

    The article below notes that inotify cannot tell which process modified a file, whereas fanotify can, and that inotify also cannot monitor /proc, because inotify watches inodes.

    Automated reverse shell defense techniques - Tencent Cloud Developer Community - Tencent Cloud (tencent.com)
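
    As an added example (not code from this page or from the articles it links), a minimal C watcher built on the point above: every fanotify event carries the pid of the acting process and an open fd to the object, which the program resolves to a path through /proc/self/fd. It assumes a Linux 5.0+ kernel (for FAN_OPEN_EXEC), CAP_SYS_ADMIN, and takes the path of the mount to watch as an optional argument (default /):

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
#ifndef FAN_OPEN_EXEC            /* Linux 5.0+; older headers lack the define */
#define FAN_OPEN_EXEC 0x00001000
#endif
/* Name the event bit this watcher acts on; overflow first, since it means events were dropped. */
const char *fan_event_name(uint64_t mask)
{
    if (mask & FAN_Q_OVERFLOW) return "FAN_Q_OVERFLOW";
    if (mask & FAN_OPEN_EXEC) return "FAN_OPEN_EXEC";
    if (mask & FAN_CLOSE_WRITE) return "FAN_CLOSE_WRITE";
    return "other";
}

/* Notification-class group with a mark on the whole mount that contains `path`. */
int fan_watch_mount(const char *path, uint64_t mask)
{
    int fd = fanotify_init(FAN_CLASS_NOTIF | FAN_CLOEXEC, O_RDONLY | O_LARGEFILE);
    if (fd < 0) return -1;
    if (fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT, mask, AT_FDCWD, path) < 0) {
        close(fd); return -1;
    }
    return fd;
}

int main(int argc, char **argv)
{
    int fd = fan_watch_mount(argc > 1 ? argv[1] : "/", FAN_CLOSE_WRITE | FAN_OPEN_EXEC);
    if (fd < 0) { perror("fanotify (needs CAP_SYS_ADMIN)"); return 1; }
    char buf[4096] __attribute__((aligned(8))), link[64], path[4096];
    for (ssize_t n; (n = read(fd, buf, sizeof buf)) > 0;) {
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        for (; FAN_EVENT_OK(m, n); m = FAN_EVENT_NEXT(m, n)) {
            if (m->vers != FANOTIFY_METADATA_VERSION) return 1;  /* kernel/header ABI mismatch */
            ssize_t l = 0;
            if (m->fd >= 0) {   /* unlike inotify, the event carries an fd to the object... */
                snprintf(link, sizeof link, "/proc/self/fd/%d", m->fd);
                l = readlink(link, path, sizeof path - 1);
                close(m->fd);   /* always close it, or the watcher leaks descriptors */
            }
            path[l > 0 ? l : 0] = '\0';
            printf("pid=%d %s %s\n", m->pid, fan_event_name(m->mask), path); /* ...and the pid */
        }
    }
    return 0;
}
```

    Permission events (FAN_OPEN_PERM, FAN_ACCESS_PERM, FAN_OPEN_EXEC_PERM) additionally require FAN_CLASS_CONTENT and a written response per event; this watcher uses the notification class only, so it observes but never blocks.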

  • Original article: https://blog.csdn.net/SHELLCODE_8BIT/article/details/127887699