From mboxrd@z Thu Jan 1 00:00:00 1970
From: Eric Paris
Subject: Re: [PATCH 1/7] audit: convert audit watches to use fsnotify instead of inotify
Date: Tue, 16 Jun 2009 11:43:58 -0400
Message-ID: <1245167038.2848.25.camel@localhost.localdomain>
References: <20090612203159.12332.42771.stgit@paris.rdu.redhat.com> <1245165908.4771.2.camel@klausk.localdomain>
Mime-Version: 1.0
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
In-Reply-To: <1245165908.4771.2.camel@klausk.localdomain>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Klaus Heinrich Kiwi
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tue, 2009-06-16 at 12:25 -0300, Klaus Heinrich Kiwi wrote:
> On Fri, 2009-06-12 at 16:31 -0400, Eric Paris wrote:
> > Audit currently uses inotify to pin inodes in core and to detect when
> > watched inodes are deleted or unmounted. This patch uses fsnotify instead
> > of inotify.
> >
> > Signed-off-by: Eric Paris
>
> Sorry for being lazy and not googling around, but what changes between
> inotify and fsnotify, specially in terms of filesystem auditing? Is
> there any performance/features/usability changes?

Basically, none. fsnotify is a new infrastructure on which inotify and
dnotify have been implemented. It is generic, much like the inotify.c
(as opposed to inotify_user.c) was supposed to be. But fsnotify is more
generic and better thought out. The main drivers for fsnotify are:

1. smaller struct inode
2. equal performance (actually slightly better since we don't have to
   run inotify and dnotify every time)
3. significantly better locking and object lifetime (see how much more
   simple the audit watch locking gets with fsnotify in the next couple
   patches?)

Note that audit watches don't use inotify to do any of the actual
auditing. They just use inotify to discover the watched files were
created or removed. So we weren't using much of the inotify feature set.

So this patch does little but get me one step closer to kicking
inotify.c out of the kernel

-Eric