Skip to content

inotify_init

Intro

inotify_init - creates and initializes an inotify event queue

Description

The inotify_init() system call is used to create an inotify event queue. Inotify event queues allow processes to monitor the file system for changes such as files being opened, deleted, or modified. Any process that has initiated a monitoring operation can be notified asynchronously when a monitored event occurs.

Inotify event queues are global and persist until explicitly closed by the process that created them; thus, inotify provides a means for tracking file changes across multiple processes. It is also useful for many other purposes such as detecting when a file is modified, deleted, or renamed.

One of the advantages of using inotify is that it is easy to set up and monitor events in multiple locations; however, its biggest drawback is that it can be quite CPU and I/O intensive as it is eagerly waiting for file system changes.

Arguments

  • flags: int - Flags from inotify_init.

Available Tags

  • K - Originated from kernel-space.

Hooks

do_sys_open

Type

kprobes

Purpose

To track the opening of files.

sys_inotify_init

Type

kprobes

Purpose

To track the inotify_init syscall.

Example Use Case

A use case for inotify might be tracking whether a specific list of files has been modified. A process can call inotify_init, then loop through the list of files and add a watch for each, then wait on the inotify event queue to be notified that a listed file has been modified.

Issues

Certain kernel features may cause inotify to miss events or provide false positives. For example, the kernel may prefetch files, set modification times, and provide optimistic file reads, all of which can lead to unexpected notifications.

  • inotify_add_watch – adds a watch to an existing inotify event queue
  • inotify_rm_watch – removes a watch from an existing inotify event queue

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.