From: Vasily Novikov
Subject: Re: [malware-list] A few concerns about fanotify implementation.
Date: Tue, 7 Jun 2011 16:35:10 +0400
Message-ID: <4DEE1AFE.6030107@kaspersky.com>
In-Reply-To: <1307375593.2052.7.camel@localhost.localdomain>
To: Eric Paris
Cc: Douglas Leeder, linux-fsdevel@vger.kernel.org, malware-list@dmesg.printk.net

Eric,

>> So if we use marks with only 'ignored' events then under memory pressure
>> mm subsystem will shrink inode cache that will free our marks and
>> therefore it's safe to use FAN_UNLIMITED_MARKS in this case?
>> If it really works then we don't need LRU cache in fanotify because it's
>> already implemented in dentry_cache/inode_cache.
>
> That's how it's supposed to work. Just remember, if you set a real
> event, the inode becomes pinned in core and the mm will be unable to
> evict either the inode or the mark.

It really works) On a machine with 2GB RAM it holds no more than about
3500000 'ignored' marks in 10 groups. After that it begins to evict LRU
files. So it completely satisfies our needs.

What do you think about clearing the ignored mask not only on FS_MODIFY but
also on FS_ATTRIB and FS_MOVE_SELF?

--
Best regards,
Vasily Novikov | Software developer | Kaspersky Lab
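
Added illustration, not part of the original message and not code from Kaspersky or the kernel: a C skeleton of an on-access scanner that follows the pattern discussed above, keeping the only real event mask on a mount mark and caching clean verdicts as inode marks that carry only an ignored mask under FAN_UNLIMITED_MARKS. The function names, the deny-if-not-clean policy and the caller-supplied scan() callback are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Scanner group without the per-group mark limit (needs CAP_SYS_ADMIN). */
int scanner_group_init(void) {
    return fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC | FAN_UNLIMITED_MARKS, O_RDONLY);
}

/* The only real event mask sits on the mount, not on individual inodes. */
int watch_mount(int fan_fd, const char *mount_path) {
    return fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_OPEN_PERM,
                         AT_FDCWD, mount_path);
}

/* Cache a clean verdict as an inode mark with only an ignored mask. No
 * FAN_MARK_IGNORED_SURV_MODIFY, so a modification clears it and forces a rescan. */
int cache_clean_verdict(int fan_fd, int file_fd) {
    return fanotify_mark(fan_fd, FAN_MARK_ADD | FAN_MARK_IGNORED_MASK,
                         FAN_OPEN_PERM, file_fd, NULL);
}

/* Assumed policy: allow clean files, deny everything else. */
uint32_t verdict_response(int is_clean) { return is_clean ? FAN_ALLOW : FAN_DENY; }

/* Answer one batch of events; returns events answered, or -1 if read() fails. */
int handle_events(int fan_fd, int (*scan)(int fd)) {
    char buf[4096] __attribute__((aligned(8)));
    ssize_t len = read(fan_fd, buf, sizeof(buf));
    int answered = 0;
    if (len < 0) return -1;
    for (struct fanotify_event_metadata *m = (void *)buf; FAN_EVENT_OK(m, len);
         m = FAN_EVENT_NEXT(m, len)) {
        if (m->fd < 0)
            continue; /* FAN_NOFD (queue overflow): nothing to answer */
        if (m->mask & FAN_OPEN_PERM) {
            int clean = scan(m->fd);
            struct fanotify_response r = { .fd = m->fd, .response = verdict_response(clean) };
            if (write(fan_fd, &r, sizeof(r)) == (ssize_t)sizeof(r))
                answered++;
            if (clean)
                cache_clean_verdict(fan_fd, m->fd);
        }
        close(m->fd);
    }
    return answered;
}
```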