Re: [RFC][PATCH 0/5] fanotify namespace monitoring

[Christian Brauner <brauner@kernel.org>]

On Sat, Mar 07, 2026 at 12:05:45PM +0100, Amir Goldstein wrote:
> Jan,
> 
> Similar to mount notifications and listmount(), this is the complementary
> part of listns().
> 
> The discussion about FAN_DELETE_SELF events for kernfs [1] for cgroup
> tree monitoring got me thinking that this sort of monitoring should not be
> tied to vfs inodes.
> 
> Monitoring the cgroups tree has some semantic nuances, but I am told by
> Christian, that similar requirement exists for monitoring namepsace tree,
> where the semantics w.r.t userns are more clear.
> 
> I prepared this RFC to see if it meets the requirements of userspace
> and think if that works, the solution could be extended to monitoring
> cgroup trees.
> 
> IMO monitoring namespace trees and monitoring filesystem objects do not
> need to be mixed in the same fanotify group, so I wanted to try using
> the high 32bits for event flags rather than wasting more event flags
> in low 32bit. I remember that I wanted to so that for mount monitoring
> events, but did not insist, so too bad.
> 
> However, the code for using the high 32bit in uapi is quite ugly and
> hackish ATM, so I kept it as a separate patch, that we can either throw
> away or improve later.
> 
> Christian/Lennart,
> 
> I had considered if doing "recursive watches" to get all events from
> descendant namepsaces is worth while and decided with myself that it was
> not.
> 
> Please let me know if this UAPI meets your requirements.

I think this looks great overall and is very useful as it allows to
monitor namespace events outside of bpf lsms. I agree with the
non-recursive design. You could generalize this approach by deriving the
watch from the namespace file descriptor? Then you can get notifications
for all types of namespaces.

If we ever want recursive watches, then we just need to add a separate
flag. This is only applicable to userns and pidns anyway.

I want to put another - crazier idea - in your head: Since pidfds are
file descriptors and now have the ability to persist information past
pidfd closure via struct pid->attr it is possible to allow fanotify
watches on pidfds.

I think that this opens up a crazy amount of possibilities that will be
tremendously useful - also would mean fsnotify outside of fs/ proper.
Just thinking on the spot: if you allow marking a pidfd it's super easy
to plumb exec notifications via fanotify on top of it. It's also easy to
monitor _all_ namespace events for a specific process via pidfds.

This obviously needs some thinking wrt security etc but I just want to
put the thought out there that the integration of pidfds and fanotify is
possible.