1FANOTIFY_INIT(2)           Linux Programmer's Manual          FANOTIFY_INIT(2)
2
3
4

NAME

6       fanotify_init - create and initialize fanotify group
7

SYNOPSIS

9       #include <fcntl.h>
10       #include <sys/fanotify.h>
11
12       int fanotify_init(unsigned int flags, unsigned int event_f_flags);
13

DESCRIPTION

15       For an overview of the fanotify API, see fanotify(7).
16
17       fanotify_init()  initializes  a  new  fanotify group and returns a file
18       descriptor for the event queue associated with the group.
19
20       The file descriptor is used in calls to fanotify_mark(2) to specify the
21       files,  directories, and mounts for which fanotify events shall be cre‐
22       ated.  These events are received by reading from the  file  descriptor.
23       Some  events  are  only  informative,  indicating  that a file has been
24       accessed.  Other events can be used to determine whether another appli‐
25       cation  is  permitted  to  access  a  file or directory.  Permission to
26       access filesystem objects is granted by writing to the file descriptor.
27
28       Multiple programs may be using the fanotify interface at the same  time
29       to monitor the same files.
30
31       In  the  current implementation, the number of fanotify groups per user
32       is limited to 128.  This limit cannot be overridden.
33
34       Calling fanotify_init() requires the  CAP_SYS_ADMIN  capability.   This
35       constraint  might be relaxed in future versions of the API.  Therefore,
36       certain additional capability checks have been implemented as indicated
37       below.
38
39       The flags argument contains a multi-bit field defining the notification
40       class of the listening application and further single bit fields speci‐
41       fying the behavior of the file descriptor.
42
43       If  multiple  listeners  for  permission events exist, the notification
44       class is used to establish the sequence in which the listeners  receive
45       the events.
46
47       Only  one  of  the  following  notification classes may be specified in
48       flags:
49
50       FAN_CLASS_PRE_CONTENT
51              This value allows the receipt of events notifying  that  a  file
52              has  been accessed and events for permission decisions if a file
53              may be accessed.  It is intended for event listeners  that  need
54              to  access  files  before  they  contain their final data.  This
55              notification class might be used by  hierarchical  storage  man‐
56              agers, for example.
57
58       FAN_CLASS_CONTENT
59              This  value  allows  the receipt of events notifying that a file
60              has been accessed and events for permission decisions if a  file
61              may  be  accessed.  It is intended for event listeners that need
62              to access files when they already contain their  final  content.
63              This  notification class might be used by malware detection pro‐
64              grams, for example.
65
66       FAN_CLASS_NOTIF
67              This is the default value.  It does not need  to  be  specified.
68              This  value  only  allows the receipt of events notifying that a
69              file has been accessed.  Permission decisions before the file is
70              accessed are not possible.
71
72       Listeners  with  different  notification classes will receive events in
73       the order  FAN_CLASS_PRE_CONTENT,  FAN_CLASS_CONTENT,  FAN_CLASS_NOTIF.
74       The  order of notification for listeners in the same notification class
75       is undefined.
76
77       The following bits can additionally be set in flags:
78
79       FAN_CLOEXEC
80              Set the close-on-exec flag (FD_CLOEXEC) on the new file descrip‐
81              tor.  See the description of the O_CLOEXEC flag in open(2).
82
83       FAN_NONBLOCK
84              Enable  the  nonblocking flag (O_NONBLOCK) for the file descrip‐
85              tor.  Reading from the file descriptor will not block.  Instead,
86              if no data is available, read(2) fails with the error EAGAIN.
87
88       FAN_UNLIMITED_QUEUE
89              Remove  the  limit  of 16384 events for the event queue.  Use of
90              this flag requires the CAP_SYS_ADMIN capability.
91
92       FAN_UNLIMITED_MARKS
93              Remove the limit of 8192 marks.  Use of this flag  requires  the
94              CAP_SYS_ADMIN capability.
95
96       The  event_f_flags  argument defines the file status flags that will be
97       set on the open file descriptions that are created for fanotify events.
98       For  details of these flags, see the description of the flags values in
99       open(2).  event_f_flags includes a multi-bit field for the access mode.
100       This field can take the following values:
101
102       O_RDONLY
103              This value allows only read access.
104
105       O_WRONLY
106              This value allows only write access.
107
108       O_RDWR This value allows read and write access.
109
110       Additional  bits  can  be set in event_f_flags.  The most useful values
111       are:
112
113       O_LARGEFILE
114              Enable support for files exceeding 2 GB.  Failing  to  set  this
115              flag  will  result  in  an EOVERFLOW error when trying to open a
116              large file which is monitored by an fanotify group on  a  32-bit
117              system.
118
119       O_CLOEXEC (since Linux 3.18)
120              Enable  the close-on-exec flag for the file descriptor.  See the
121              description of the O_CLOEXEC flag in  open(2)  for  reasons  why
122              this may be useful.
123
124       The  following are also allowable: O_APPEND, O_DSYNC, O_NOATIME, O_NON‐
125       BLOCK, and O_SYNC.  Specifying any other flag in  event_f_flags  yields
126       the error EINVAL (but see BUGS).
127

RETURN VALUE

129       On  success,  fanotify_init() returns a new file descriptor.  On error,
130       -1 is returned, and errno is set to indicate the error.
131

ERRORS

133       EINVAL An  invalid  value  was  passed  in  flags   or   event_f_flags.
134              FAN_ALL_INIT_FLAGS defines all allowable bits for flags.
135
136       EMFILE The number of fanotify groups for this user exceeds 128.
137
138       EMFILE The per-process limit on the number of open file descriptors has
139              been reached.
140
141       ENOMEM The allocation of memory for the notification group failed.
142
143       ENOSYS This kernel does not implement  fanotify_init().   The  fanotify
144              API  is  available  only  if the kernel was configured with CON‐
145              FIG_FANOTIFY.
146
147       EPERM  The operation is not permitted  because  the  caller  lacks  the
148              CAP_SYS_ADMIN capability.
149

VERSIONS

151       fanotify_init()  was  introduced  in version 2.6.36 of the Linux kernel
152       and enabled in version 2.6.37.
153

CONFORMING TO

155       This system call is Linux-specific.
156

BUGS

158       The following bug was present in Linux kernels before version 3.18:
159
160       *  The O_CLOEXEC is ignored when passed in event_f_flags.
161
162       The following bug was present in Linux kernels before version 3.14:
163
164       *  The event_f_flags argument is not checked for invalid flags.   Flags
165          that  are intended only for internal use, such as FMODE_EXEC, can be
166          set, and will consequently be set for the file descriptors  returned
167          when reading from the fanotify file descriptor.
168

SEE ALSO

170       fanotify_mark(2), fanotify(7)
171

COLOPHON

173       This  page  is  part of release 4.16 of the Linux man-pages project.  A
174       description of the project, information about reporting bugs,  and  the
175       latest     version     of     this    page,    can    be    found    at
176       https://www.kernel.org/doc/man-pages/.
177
178
179
180Linux                             2017-09-15                  FANOTIFY_INIT(2)
Impressum