# unlinkat

## Intro

unlinkat - system call that deletes a file name, relative to an open directory

## Description
unlinkat is a system call that deletes a file name, relative to an open directory. The purpose of unlinkat is to provide a more secure and robust way to delete a file than the remove() syscall: because pathname is resolved relative to an already-open directory descriptor (dirfd) rather than from scratch at deletion time, users can avoid race conditions while deleting a file.

unlinkat also allows a user to delete links without traversing whole directory hierarchies, by providing the location of the file (the directory) and its name as two separate arguments.
## Arguments

- **dirfd**:`int`[K] - an open file descriptor referring to a directory.
- **pathname**:`const char*`[KU] - a string containing the name of the file to be deleted, relative to the directory referred to by dirfd.
- **flags**:`int`[K] - optional flags that can include AT_REMOVEDIR.
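The following program is an added example, not code from the Tracee project, showing how the three arguments interact: it builds a constructed scratch tree under /tmp (a regular file `file.txt` and an empty directory `subdir`, both names chosen here), opens the directory to obtain a `dirfd`, and then calls unlinkat with each combination of object type and `AT_REMOVEDIR`, recording the resulting errno. It assumes a Linux system with a writable /tmp; every call passes the name relative to `dirfd`, so the process working directory never enters into path resolution.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Outcome of each unlinkat() call: 0 on success, otherwise the errno value. */
struct unlinkat_results {
    int setup_ok;               /* 1 if the scratch tree was created */
    int file_with_removedir;    /* AT_REMOVEDIR on a regular file -> ENOTDIR */
    int dir_without_removedir;  /* flags=0 on a directory -> EISDIR on Linux */
    int file_plain;             /* flags=0 on a regular file -> 0 */
    int dir_removedir;          /* AT_REMOVEDIR on an empty directory -> 0 */
    int missing;                /* name that does not exist -> ENOENT */
};

/* Normalise the unlinkat() return value to "0 or errno". */
static int try_unlinkat(int dirfd, const char *name, int flags) {
    return unlinkat(dirfd, name, flags) == 0 ? 0 : errno;
}

/* Build a constructed scratch tree under /tmp (names are assumptions):
 *   <tmpdir>/file.txt   regular file
 *   <tmpdir>/subdir     empty directory
 * Returns an O_DIRECTORY descriptor for <tmpdir>, or -1 on failure. */
static int make_scratch_tree(char *tmpdir, size_t len) {
    char tmpl[] = "/tmp/unlinkat_demo.XXXXXX";
    if (mkdtemp(tmpl) == NULL) return -1;
    snprintf(tmpdir, len, "%s", tmpl);

    int dirfd = open(tmpl, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return -1;

    int fd = openat(dirfd, "file.txt", O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || mkdirat(dirfd, "subdir", 0700) != 0) {
        if (fd >= 0) close(fd);
        close(dirfd);
        return -1;
    }
    close(fd);
    return dirfd;
}

/* Exercise unlinkat() relative to dirfd and record every outcome. */
struct unlinkat_results run_unlinkat_demo(void) {
    struct unlinkat_results r;
    memset(&r, 0, sizeof r);
    char tmpdir[64];

    int dirfd = make_scratch_tree(tmpdir, sizeof tmpdir);
    if (dirfd < 0) return r;            /* setup_ok stays 0 */
    r.setup_ok = 1;

    /* Flag does not match the object type: both calls fail and delete nothing. */
    r.file_with_removedir   = try_unlinkat(dirfd, "file.txt", AT_REMOVEDIR);
    r.dir_without_removedir = try_unlinkat(dirfd, "subdir", 0);

    /* Matching usage: a plain unlink for the file, AT_REMOVEDIR for the directory.
     * Both names are resolved relative to dirfd, not to the working directory. */
    r.file_plain    = try_unlinkat(dirfd, "file.txt", 0);
    r.dir_removedir = try_unlinkat(dirfd, "subdir", AT_REMOVEDIR);

    /* A name that was never created under dirfd. */
    r.missing = try_unlinkat(dirfd, "no-such-entry", 0);

    close(dirfd);
    rmdir(tmpdir);                      /* tree is empty now; remove the scratch dir */
    return r;
}

int main(void) {
    struct unlinkat_results r = run_unlinkat_demo();
    if (!r.setup_ok) {
        perror("scratch tree setup");
        return 1;
    }
    printf("AT_REMOVEDIR on regular file : %s\n", strerror(r.file_with_removedir));
    printf("flags=0 on directory         : %s\n", strerror(r.dir_without_removedir));
    printf("flags=0 on regular file      : %s\n", strerror(r.file_plain));
    printf("AT_REMOVEDIR on directory    : %s\n", strerror(r.dir_removedir));
    printf("missing name                 : %s\n", strerror(r.missing));
    return 0;
}
```

The two failing calls are the ones worth noticing from a monitoring perspective: a `sys_unlinkat` tracepoint event records the arguments as submitted, so a deletion attempt with a mismatched `flags` value still appears in the event stream even though nothing was removed, and the return value is what distinguishes the attempt from a successful deletion.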
## Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user-space memory used to obtain it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
## Hooks

### sys_unlinkat

#### Type

Tracepoint

#### Purpose

To monitor file deletions.

#### Example Use Case

Finding malicious file deletions.

## Issues
unlinkat is vulnerable to TOCTOU (time of check, time of use) attacks: pathname is tagged U because it is read from user-space memory, so the value captured by the tracepoint can differ from the value the kernel acts on if that memory is modified between the two reads.
## Related Events
unlink(), remove(), readlinkat(), openat()
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.