FileModified returns incorrect PID

[opcoder0]

The event / action fanotify.FileModified returns incorrect PID in the event. The PID returned is the parent process PID instead of the PID of the process that modified the file. The same has been verified by test TestWithCapSysAdmFanotifyFileModified.

=== RUN   TestWithCapSysAdmFanotifyFileModified
    fanotify_test.go:107: Watch Directory: /tmp/TestWithCapSysAdmFanotifyFileModified1468020745/001
    fanotify_test.go:117: Test file created /tmp/TestWithCapSysAdmFanotifyFileModified1468020745/001/test.dat
    fanotify_test.go:125: 
                Error Trace:    /home/opcoder0/src/fanotify/fanotify_test.go:125
                Error:          Not equal: 
                                expected: 10343
                                actual  : 10335
                Test:           TestWithCapSysAdmFanotifyFileModified
--- FAIL: TestWithCapSysAdmFanotifyFileModified (0.00s)

From the audit logs it can be observed that the PID returned is the parent process ID -

type=SYSCALL msg=audit(1670211986.334:1029188): arch=c000003e syscall=231 a0=0 a1=e7 a2=3c a3=7ffdf4c30c6f items=0 ppid=10335 pid=10343 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=2 comm="touch" exe="/usr/bin/touch" subj=unconfined key=(null)ARCH=x86_64 SYSCALL=exit_group AUID="opcoder0" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

[opcoder0]

A bug in the kernel could be causing this reporting error. Issue opened to track this https://bugzilla.kernel.org/show_bug.cgi?id=216775

[opcoder0]

The PID is from os.WriteFile. Moving the file creation above listener start fixes the PID issue