2004-11-15 10:13:10

by Stephan Menzel

Subject: [FS] New monitor framework in 2.6.10?

Hi,

I'm maintaining a kernel patch which is monitoring file system activity
underneath a special directory tree and reporting occurring events via a
character device to userland where it is processed.
Right now, this patch works via a number of hooks in fs/read-write.c and
fs/namei.c.
This is not really efficient at the moment because this way I get an event for
any written block and not per file which can slow things down a lot.
A couple of days ago I heard rumours about a new feature in 2.6.10 which will
be exactly for this kind of purpose. Some kind of monitor frameworks that can
generate events for all sorts of things. Sorry, I don't know any more about
it.
Is that true?
Would that be suitable for my task?
And where can I get information about it?

Greetings...

Stephan


2004-11-15 10:23:39

by Jan Engelhardt

Subject: Re: [FS] New monitor framework in 2.6.10?

>Hi,
>
>I'm maintaining a kernel patch which is monitoring file system activity
>underneath a special directory tree and reporting occurring events via a
>character device to userland where it is processed.
>Right now, this patch works via a number of hooks in fs/read-write.c and
>fs/namei.c.
>This is not really efficient at the moment because this way I get an event for
>any written block and not per file which can slow things down a lot.
>A couple of days ago I heard rumours about a new feature in 2.6.10 which will
>be exactly for this kind of purpose. Some kind of monitor frameworks that can
>generate events for all sorts of things. Sorry, I don't know any more about
>it.

Wasn't it called System Call Auditing and/or Filesystem hooks?

>Is that true?
>Would that be suitable for my task?
>And where can I get information about it?

One or the other was present in SUSE's 2.4.20/.21 kernels and one is in 2.6.x
-- and from what I have seen, they're just hooks, i.e.

if(hook != NULL) { hook(fd, buf, size); }

That's the most efficient thing you can have (in a function). It's only a
question whether it is in the right function, then.



Jan Engelhardt
--
Gesellschaft für Wissenschaftliche Datenverarbeitung
Am Fassberg, 37077 Göttingen, http://www.gwdg.de

2004-11-15 10:42:37

by Stephan Menzel

Subject: Re: [FS] New monitor framework in 2.6.10?

On Monday, 15 November 2004 11:23, Jan Engelhardt wrote:
> > will be exactly for this kind of purpose. Some kind of monitor frameworks
> > that can generate events for all sorts of things. Sorry, I don't know any
> > more about it.
>
> Wasn't it called System Call Auditing and/or Filesystem hooks?

Well, that's what I'd like to know.
System Call Auditing just yielded a few google results but it doesn't seem to
me like a well documented feature. More like people asking for it.

> One or the other was present in SUSE's 2.4.20/.21 kernels and one is in
> 2.6.x -- and from what I have seen, they're just hooks, i.e.
>
> if(hook != NULL) { hook(fd, buf, size); }
>
> That's the most efficient thing you can have (in a function). It's only a
> question whether it is in the right function, then.

Indeed.
And just that made me hope there is something like an auditing or monitoring
framework just like for instance an accessible struct with several function
pointers where one could insert functions to be processed whenever event x
occurs. This kind of thing would be maintained by the kernel developers who
could put the hook just in the right place and the 'user' (which would be me
in that case) could be sure that his function would be called in the right
time and from the right place.
That would be nice.

Greetings...

Stephan
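
The hook table described in the message above (a struct of function pointers, called through the NULL check from Jan's reply), modelled in user space as an added example that is not code from the thread or from any kernel. All names (`fs_monitor_ops`, `monitor_register`, `model_write`, `model_close`) are hypothetical, and the sketch assumes a single listener and no concurrency. The listener coalesces per-block write events into one event per file at close, the granularity the original post asks for.

```c
#include <stddef.h>
#include <stdio.h>
/* Hypothetical hook table: one optional callback per event type. */
struct fs_monitor_ops {
    void (*on_write)(int fd, const void *buf, size_t size); /* every block */
    void (*on_close)(int fd);                               /* once per file */
};
static const struct fs_monitor_ops *monitor; /* NULL: nobody registered */
int monitor_register(const struct fs_monitor_ops *ops) {
    if (ops == NULL || monitor != NULL) return -1; /* one listener only */
    monitor = ops; return 0;
}
void monitor_unregister(void) { monitor = NULL; }
/* Stand-ins for the instrumented write and close paths. */
size_t model_write(int fd, const void *buf, size_t size) {
    if (monitor != NULL && monitor->on_write != NULL)
        monitor->on_write(fd, buf, size);
    return size;
}
void model_close(int fd) {
    if (monitor != NULL && monitor->on_close != NULL) monitor->on_close(fd);
}
/* Listener: mark the file dirty per block, report once when it is closed. */
static unsigned char dirty[16];
static int block_events, file_events;
static void note_write(int fd, const void *buf, size_t size) {
    (void)buf; (void)size;
    block_events++;
    if (fd >= 0 && fd < (int)sizeof dirty) dirty[fd] = 1;
}
static void note_close(int fd) {
    if (fd < 0 || fd >= (int)sizeof dirty || !dirty[fd]) return; /* not written */
    dirty[fd] = 0; file_events++;
}
static const struct fs_monitor_ops listener = { note_write, note_close };

int run_demo(int *blocks, int *files) {
    static const char data[4096]; /* constructed sample payload */
    block_events = file_events = 0;
    if (monitor_register(&listener) != 0) return -1;
    for (int i = 0; i < 3; i++) model_write(3, data, sizeof data);
    for (int i = 0; i < 2; i++) model_write(4, data, sizeof data);
    model_close(3); model_close(4); model_close(5); /* fd 5 never written */
    monitor_unregister();
    model_write(3, data, sizeof data); /* no listener: NULL check skips call */
    *blocks = block_events; *files = file_events;
    return 0;
}
int main(void) {
    int b, f;
    return run_demo(&b, &f) == 0 && printf("%d block, %d file events\n", b, f) > 0 ? 0 : 1;
}
```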

2004-11-15 12:44:53

by Stephan Menzel

Subject: Re: [FS] New monitor framework in 2.6.10?

On Monday, 15 November 2004 11:42, Stephan Menzel wrote:
> > Wasn't it called System Call Auditing and/or Filesystem hooks?
>
> Well, that's what I'd like to know.

And I just found an answer:

inotify. http://lwn.net/Articles/104312/
That looks fine to me.
What happened to this? It's not in the vanilla 2.6.9 as far as I can see. Will
it be in 2.6.10?

Greetings...

Stephan

2004-11-15 13:29:32

by Paolo Ciarrocchi

Subject: Re: [FS] New monitor framework in 2.6.10?

On Mon, 15 Nov 2004 13:44:50 +0100, Stephan Menzel wrote:
> On Monday, 15 November 2004 11:42, Stephan Menzel wrote:
> > > Wasn't it called System Call Auditing and/or Filesystem hooks?
> >
> > Well, that's what I'd like to know.
>
> And I just found an answer:
>
> inotify. http://lwn.net/Articles/104312/
> That looks fine to me.
> What happened to this? It's not in the vanilla 2.6.9 as far as I can see. Will
> it be in 2.6.10?

Yes, it's already in the -bk snapshot.

--
Paolo
Personal home page: http://www.ciarrocchi.tk
Picasa users groups: http://www.picasa-users.tk
join the blog group: http://groups-beta.google.com/group/blog-users