FANOTIFY_MARK(2) Linux Programmer's Manual FANOTIFY_MARK(2)NAMEfanotify_mark - add, remove, or modify a fanotify mark on a file system
object
SYNOPSIS
int fanotify_mark(int fanotify_fd, unsigned int flags,
int dfd, const char *pathname, u64 mask,
u64 ignored_mask);
DESCRIPTIONfanotify_mark is used to add remove or modify a mark on a filesystem
object. Marks are used to indicate that the fanotify group is inter‐
ested in events which occur on that object. At this point in time
marks may only be added to files and directories.
fanotify_fd must be a file descriptor returned by the fanotify_init(2)
system call.
The flags field must contain exactly one of the following:
FAN_MARK_ADD
OR the bits in mask and ignored_mask into the mark.
FAN_MARK_REMOVE
bitwise remove the bits in mask and ignored_mark from the mark.
The following values can be OR'd into the flags field:
FAN_MARK_DONT_FOLLOW
same meaning as O_NOFOLLOW as described in open(2).
FAN_MARK_ONLYDIR
same meaning as O_DIRECTORY as described in open(2).
dfd may be any other the following:
AT_FDCWD
the object will be lookup up based on pathname similar to
open(2). file descriptor of a directory if pathname is not NULL
the object to modify will be lookup up similar to openat(2).
file descriptor of the final object
if pathname is NULL, the object to modify will be the object
referenced by the dfd parameter.
The mask is the bitwise OR of the set of events of interest such as:
FAN_ACCESS
object was accessed (read)
FAN_MODIFY
object was modified (write)
FAN_CLOSE_WRITE
object was writable and was closed
FAN_CLOSE_NOWRITE
object was read only and was closed
FAN_OPEN
object was opened
FAN_EVENT_ON_CHILD
interested in objected that happen to children. Only relavent
when the object is a directory.
FAN_Q_OVERFLOW
event queue overflowed (not implemented)
The ignored mask is the opposite of the mask as if applied after the
mask. If FAN_OPEN is specified in both the mask and the ignored_mask no
event will be sent to userspace. This is not persently used but will be
used when more objects may be marked. Assume you marked a mount point
as something of interest. You could then add an ignored_mask entry on
individual inodes to get notification on everything in the mount point
except for a select few inodes.
RETURN VALUE
On success, this system call return a new file descriptor. On error, -1
is returned, and errno is set to indicate the error.
ERRORS
EINVAL An invalid value was specified in the flags argument.
EINVAL An invalid value was specified in the mask argument.
EINVAL An invalid value was specified in the ignored_mask argument.
EINVAL fanotify_fd is not a file descriptor as returned by fan‐
otify_init(2).
EBADF fanotify_fd is not a valid file descriptor.
EBADF dfd is not a valid file descriptor and path is NULL.
ENOTDIR
dfd is not a directory and path is not NULL.
EACCESS
You do not have search permission on the dfd.
EACCESS
No search permissions on some part of the path.
ENOENT File not found.
ENOMEM Insufficient kernel memory is available.
CONFORMING TO
These system calls are Linux-specific.
Linux 2011-09-08 FANOTIFY_MARK(2)