According to this, fanotify has “the possibility to read or modify files before access by other applications”. However, I can't find any example showing how this can be done. From what I understand, fanotify is used for event monitoring and can only modify fanotify mark.
So my question is can fanotify modify files? If yes, how can it be done?
The user of fanotify can modify the file before an application accesses it. But this doesn't happen through fanotify. You access and modify the actual file, you aren't presenting a different view to the application.
When you're getting permission events through fanotify, the file access operation remains blocked until you reply to the fanotify interface. While the application is blocked, you can do whatever you want, including reading and modifying the file that the application wanted to access. Once you've sent back the response to the fanotify permission event, assuming that it's a positive response, the application will access the file and find it in the state that you may have modified.
Note that only open (and access) trigger permission events, not read and write. So with fanotify, you can intercept file opening, but you can only monitor subsequent access to the file data.