[PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify

Eric Paris eparis at redhat.com
Tue Jun 16 15:43:58 UTC 2009


On Tue, 2009-06-16 at 12:25 -0300, Klaus Heinrich Kiwi wrote:
> On Fri, 2009-06-12 at 16:31 -0400, Eric Paris wrote:
> > Audit currently uses inotify to pin inodes in core and to detect when
> > watched inodes are deleted or unmounted.  This patch uses fsnotify instead
> > of inotify.
> >     
> > Signed-off-by: Eric Paris <eparis at redhat.com>
> 
> Sorry for being lazy and not googling around, but what changes between
> inotify and fsnotify, especially in terms of filesystem auditing? Are
> there any performance/features/usability changes?

Basically, none.  fsnotify is a new infrastructure on which inotify and
dnotify have been implemented.  It is generic, much like the inotify.c
(as opposed to inotify_user.c) was supposed to be.  But fsnotify is more
generic and better thought out.

The main drivers for fsnotify are:
1. smaller struct inode
2. equal performance (actually slightly better since we don't have to
run inotify and dnotify every time)
3. significantly better locking and object lifetime (see how much more
simple the audit watch locking gets with fsnotify in the next couple
patches?)

Note that audit watches don't use inotify to do any of the actual
auditing.  They just use inotify to discover the watched files were
created or removed.  So we weren't using much of the inotify feature
set.

So this patch does little but get me one step closer to kicking
inotify.c out of the kernel.

-Eric



