I have been studying the inotify call, but I am still a bit flaky when it comes to the read interface. These are the most relevant resources I could find regarding how to properly interface with inotify using read(2):
They both implement it in the same way, they first define the following sizes:
    #define EVENT_SIZE ( sizeof (struct inotify_event) )
    #define BUF_LEN ( 1024 * ( EVENT_SIZE + 16 ) )
And then they use them in this manner:
    length = read( fd, buffer, BUF_LEN );
    if ( length < 0 ) {
        perror( "read" );
    }
    while ( i < length ) {
        struct inotify_event *event = ( struct inotify_event * ) &buffer[ i ];
        /* some processing */
        i += EVENT_SIZE + event->len;
    }
Now, we know name is part of struct inotify_event and that it has variable length. So, couldn't the last inotify_event in buffer be truncated?
Suppose there are 1023 inotify_events with a path of 16 bytes and one with a path of 32 bytes. What will happen then? Will the latter be truncated? Or will the kernel see that it won't fit in the buffer and leave it out altogether?
According to inotify(7), you can use the FIONREAD ioctl to find out how much data is available to be read and size your buffer accordingly. Here's some (very rough) code that can accomplish this:
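    /* Needs <sys/inotify.h>, <sys/ioctl.h> and <unistd.h>;
       inotify_fd is an open inotify descriptor. */
    unsigned int avail = 0;
    /* FIONREAD reports how many bytes of events are queued on the fd. */
    ioctl(inotify_fd, FIONREAD, &avail);
    char buffer[avail];
    ssize_t length = read(inotify_fd, buffer, avail);
    ssize_t offset = 0;
    while (offset < length) {
        struct inotify_event *event = (struct inotify_event *)(buffer + offset);
        // Insert logic here
        my_process_inotify_event(event);
        offset = offset + sizeof(struct inotify_event) + event->len;
    }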
inotify-tools provides a higher-level interface to inotify. You can use it instead of accessing inotify, or you can see how it implements inotifytools_next_events to safely and robustly read all available events.
In response to your questions about truncation, I do not think that the kernel will ever return a partial inotify_event or truncate an inotify_event if the buffer given is too small for all events. The following paragraph from the inotify(7) manpage suggests this:
The behavior when the buffer given to read(2) is too small to return information about the next event depends on the kernel version: in kernels before 2.6.21, read(2) returns 0; since kernel 2.6.21, read(2) fails with the error EINVAL.
As do the following comments from inotifytools.c:
// oh... no. this can't be happening. An incomplete event.
// Copy what we currently have into first element, call self to
// read remainder.
// oh, and they BETTER NOT overlap.
// Boy I hope this code works.
// But I think this can never happen due to how inotify is written.
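A bounds-checked version of the event walk discussed above, as an added example (not code from the question, the answer or inotify-tools). It refuses to step past the bytes that read(2) returned, so a partial event is reported instead of being dereferenced; `count_events`, `put_event` and `demo` are hypothetical names, and the buffer contents are constructed sample data rather than real kernel output.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/inotify.h>

/* Walk `len` bytes as returned by read(2) on an inotify fd. Returns the
 * number of complete events, or -1 if a header or its name field would
 * run past the end of the data (a partial event). */
static int count_events(const char *buf, size_t len)
{
    size_t off = 0;
    int n = 0;
    while (off < len) {
        struct inotify_event ev;
        if (len - off < sizeof ev)
            return -1;                      /* header itself is cut off */
        memcpy(&ev, buf + off, sizeof ev);  /* copy avoids unaligned access */
        if (ev.len > len - off - sizeof ev)
            return -1;                      /* name runs past the data */
        off += sizeof ev + ev.len;
        n++;
    }
    return n;
}

/* Constructed sample input: append one event whose name field occupies
 * `padded` bytes (NUL padded). Returns the new end offset. */
static size_t put_event(char *buf, size_t off, const char *name, uint32_t padded)
{
    struct inotify_event ev = { .wd = 1, .mask = IN_CREATE, .len = padded };
    memcpy(buf + off, &ev, sizeof ev);
    memset(buf + off + sizeof ev, 0, padded);
    memcpy(buf + off + sizeof ev, name, strlen(name));
    return off + sizeof ev + padded;
}

/* Two constructed events (16- and 32-byte names), with `cut` bytes
 * chopped off the end to simulate the truncation the question asks about. */
static int demo(size_t cut)
{
    char buf[256];
    size_t end = put_event(buf, 0, "a.txt", 16);
    end = put_event(buf, end, "a-much-longer-file-name", 32);
    return count_events(buf, end - cut);
}

int main(void)
{
    printf("intact: %d, cut by 1 byte: %d\n", demo(0), demo(1));
    return 0;
}
```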