A BPF Backend #628

Open
e-dant opened this issue Aug 4, 2024 · 1 comment

Comments


e-dant commented Aug 4, 2024

I've been toying with an (e)BPF filesystem watcher, here.

It was made out of some frustration with the filesystem watchers available on Linux. Namely:

  • Both inotify and fanotify can drop events under load. That's fine, and under very heavy load, it is eventually unavoidable. But sometimes they fail to even say that they did drop an event.
  • Both fanotify and inotify sometimes report strange events missing what should be required details. Most commonly, they're missing all their metadata, and the path is for something we aren't even watching. (I call these "phantom" events.)
  • Both fanotify and inotify are limited to what kinds of file systems they can watch. Sometimes this makes sense. There's really no point in watching (most of) /proc (but some things would be nice). The sysfs would be really nice to have data on, though. Especially for security-oriented applications.
  • Inotify is broadly supported but breaks down when you want to start watching a significant number of paths. It seems less efficient than fanotify (gh runners won't run fanotify tests, so the only data I have is local.)
  • Fanotify doesn't work in some contexts that really ought to support it. Namely, lots of container runtimes don't allow the necessary system calls for fanotify to work.

So the bpf watcher was born.

For security-oriented applications that want to watch almost every filesystem on the disk, I think bpf is the way to go.

Fielding your thoughts. With some work, would it fit with this project?
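Two of the failure modes listed above (an overflow that the watcher does not surface, and "phantom" records for a watch descriptor that was never registered) are things a consumer of the raw inotify stream has to detect itself. The following is an added example written for this page; it is not code from the notify project or from the watcher the issue author links. It parses the `struct inotify_event` records exactly as `read(2)` returns them (`wd` i32, `mask`, `cookie`, `len` u32, then a NUL-padded name, from `<sys/inotify.h>`) and classifies each record. The byte buffer, the watch-descriptor table and the directory name `/srv/watched` are constructed inline to simulate one read; there is no live kernel interaction.

```rust
use std::collections::HashMap;

// Mask bits from <sys/inotify.h>.
pub const IN_MODIFY: u32 = 0x0000_0002;
pub const IN_CREATE: u32 = 0x0000_0100;
pub const IN_Q_OVERFLOW: u32 = 0x0000_4000;

// struct inotify_event { int wd; uint32_t mask; uint32_t cookie; uint32_t len; char name[]; }
const HEADER_LEN: usize = 16;

#[derive(Debug, Clone, PartialEq, Eq)]
pub enum Event {
    /// The kernel dropped events (wd == -1, IN_Q_OVERFLOW set). The watcher's view of the
    /// tree is now stale and must be rebuilt by rescanning; this must never be swallowed.
    Overflow,
    /// A record whose watch descriptor we never registered (or already removed).
    Phantom { wd: i32, mask: u32 },
    /// A normal record, resolved against the directory its watch descriptor was added for.
    File { dir: String, name: Option<String>, mask: u32, cookie: u32 },
}

fn u32_at(b: &[u8], off: usize) -> u32 {
    u32::from_ne_bytes([b[off], b[off + 1], b[off + 2], b[off + 3]])
}

/// Parse one read(2) buffer. `watches` maps watch descriptors to the directory they were
/// added for. Returns the parsed events and the number of trailing bytes that did not form
/// a complete record (the kernel only ever returns whole records, so non-zero means the
/// caller mishandled the buffer).
pub fn parse_inotify_buffer(buf: &[u8], watches: &HashMap<i32, String>) -> (Vec<Event>, usize) {
    let mut events = Vec::new();
    let mut off = 0usize;
    while buf.len() - off >= HEADER_LEN {
        let wd = u32_at(buf, off) as i32;
        let mask = u32_at(buf, off + 4);
        let cookie = u32_at(buf, off + 8);
        let len = u32_at(buf, off + 12) as usize;
        let rec_end = off + HEADER_LEN + len;
        if rec_end > buf.len() {
            break; // truncated trailing record: report it rather than reading past the end
        }
        // The name is NUL-padded to `len` bytes; len == 0 means the watched object itself.
        let name = buf[off + HEADER_LEN..rec_end]
            .split(|&b| b == 0)
            .next()
            .filter(|s| !s.is_empty())
            .map(|s| String::from_utf8_lossy(s).into_owned());
        let ev = if mask & IN_Q_OVERFLOW != 0 {
            Event::Overflow
        } else {
            match watches.get(&wd) {
                Some(dir) => Event::File { dir: dir.clone(), name, mask, cookie },
                None => Event::Phantom { wd, mask },
            }
        };
        events.push(ev);
        off = rec_end;
    }
    (events, buf.len() - off)
}

/// True if any record in this batch means the in-memory state can no longer be trusted.
pub fn needs_rescan(events: &[Event]) -> bool {
    events.iter().any(|e| matches!(e, Event::Overflow))
}

/// Lay out one record the way the kernel does: native-endian header, then the name padded
/// with NULs to a multiple of 16 bytes (len is 0 when there is no name).
pub fn encode_record(wd: i32, mask: u32, cookie: u32, name: &str) -> Vec<u8> {
    let len = if name.is_empty() { 0 } else { (name.len() + 1 + 15) / 16 * 16 };
    let mut out = Vec::with_capacity(HEADER_LEN + len);
    out.extend_from_slice(&wd.to_ne_bytes());
    out.extend_from_slice(&mask.to_ne_bytes());
    out.extend_from_slice(&cookie.to_ne_bytes());
    out.extend_from_slice(&(len as u32).to_ne_bytes());
    out.extend_from_slice(name.as_bytes());
    out.resize(HEADER_LEN + len, 0);
    out
}

/// Constructed watch table: one directory registered as wd 1 (assumed path, for illustration).
pub fn sample_watches() -> HashMap<i32, String> {
    HashMap::from([(1, "/srv/watched".to_string())])
}

/// Constructed buffer simulating a single read(2): a normal create, a queue overflow
/// (wd -1, no name), and a modify on a wd that was never registered.
pub fn sample_buffer() -> Vec<u8> {
    let mut buf = encode_record(1, IN_CREATE, 0, "secret.txt");
    buf.extend(encode_record(-1, IN_Q_OVERFLOW, 0, ""));
    buf.extend(encode_record(7, IN_MODIFY, 0, "ghost"));
    buf
}

fn main() {
    let (events, rest) = parse_inotify_buffer(&sample_buffer(), &sample_watches());
    for e in &events {
        println!("{:?}", e);
    }
    println!("unparsed trailing bytes: {}, rescan needed: {}", rest, needs_rescan(&events));
}
```

The design point is that the overflow check happens before the watch-descriptor lookup: the kernel reports overflow on wd -1, so a lookup-first implementation would file it as an unknown descriptor and drop it along with any other phantom, which is exactly the silent loss the issue complains about.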

dfaust (Member) commented Sep 15, 2024

I don't have much time to work on this, but I find it very interesting.

My knowledge of BPF is limited, but I can imagine having additional notify-bpf-* crates tailored to specific use-cases. Similar to the debouncer crates.
