I used the example of the fanotify manpage to get all paths, where an file-access occured. But i only want the file-access monitored from one specific folder e.g. /tmp/myfolder.
For that i add my specific folder "/tmp/myfolder":
fanotify_mark(fd,
FAN_MARK_ADD | FAN_MARK_MOUNT,
event_mask,
AT_FDCWD,
"/tmp/myfolder")))
Event mask:
static uint64_t event_mask = (FAN_OPEN |
FAN_EVENT_ON_CHILD);
Even i play with FAN_ONDIR for get only the file-accesses from this special directory, i ever get all filehandles from the whole filesystem. I start my compiled program with sudo ./program.
Try removing FAN_MARK_MOUNT. That may be telling it to give you all events for the mounted filesystem containing the path.