fanotify_init - initialize fanotify handle


The fanotify_init() system call initializes the fanotify handle, which is used to register fanotify events and mark paths and files to be monitored with the fanotify_mark system call. This call allocates the required structures, sets the given flags and allocates an event queue.

A fanotify handle can be used to monitor events in multiple directories by calling the fanotify_mark system call and the returned file descriptor can be monitored with select(), poll() or epoll_wait().

The flags used in fanotify_init determine the behavior of the fanotify handle. Some of the available flags are FAN_CLOEXEC, FAN_NONBLOCK and FAN_UNLIMITED_QUEUE.


  • flags:unsigned int[K] - set of flags used to determine the behavior of the fanotify handle.
  • event_f_flags:unsigned int[K] - set of event flags used to select the events to report to the fanotify handle.

Available Tags

  • K - Originated from kernel-space.






To monitor events related to fanotify_init.

Example Use Case

A monitoring tool could use fanotify_init to create handles which it can then use to monitor files and directories for any changes and act on them.


There is a known issue that fanotify_init does not support 64-bit arguments.

  • fanotify_mark - set up fanotify notification
  • fanotify_close - close fanotify notification

