lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:	Tue, 3 Jan 2012 17:53:12 -0500
From:	Greg Freemyer <>
To:	Sushil Mantri <>
Subject: Re: A stackable filesystem to trace low level filesystem operations

On Tue, Jan 3, 2012 at 4:50 PM, Sushil Mantri <> wrote:
> Please read the following:
> On Tue, Jan 3, 2012 at 4:45 PM, Greg Freemyer <> wrote:
>> On Tue, Jan 3, 2012 at 4:20 PM, Sushil Mantri <> wrote:
>>> Hi All,
>>> Sorry but this isn't a ext4 specific question but a general filesystem question.
>>> I am looking for a way to track filesystem level operation like
>>> operation(read/write), filename, offset, size of read/write, pid of
>>> the requesting process. The goal of my project is to collect such
>>> traces and understand access usage of directories and more. I would
>>> like to filter other operation like open,close, etc and requests to
>>> procfs, etc. There was a stackable file system earlier called Tracefs.
>>> It isn't supported anymore though. The original paper can be found
>>> here:
>>> Can you please suggest me what is the best option i have. I am
>>> currently looking at SystemTap.
>>> Thanks,
>>> Sushil
>> I think you're looking for either inotify or fanotify.
> This will only notify me when an event occurs,but is doesn't provide
> tracing information. Further i think it will be very slow if i have to
> trace the whol filesystem

inotify  and fanotify can both be set to work one file at a time I'm
pretty sure.

ie. You can register to be notified only for specific files and their actions.

There are kernel space hooks for them both I think that allow your
kernel code to be called upon an event.  So if you want to create a
basic kernel log tracing package it should be easy enough.  (It may be
you need to use the fsnotify API directly for that.)

I don't know if patches for that are floating around.  Again, you
should ask on fs-devel, not here.

To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to
More majordomo info at

Powered by blists - more mailing lists