umount2¶

Intro¶

umount2 - system call used to unmount a filesystem.

Description¶

The umount2() system call is used to unmount a filesystem from the target directory. It requires the mountpoint directory and an additional set of flags to indicate if the umount should be cascaded or not. The usefulness of this system call is that it allows for more control in the filesystem, allowing a more fine grain unmounting of a filesystem.

There are, however, a few drawbacks associated with using the umount2() system call. Not all filesystems are supported, and some could fail due to different implementation. Additionally, there is no default action, requiring the user to provide the needed flags for an unmount operation.

Arguments¶

target:const char*[K] - the directory mountpoint from which the filesystem should be unmounted.
flags:int[K] - the flags used in the unmounting operation.

Available Tags¶

K - Originated from kernel-space.
U - Originated from user space (for example, pointer to user space memory used to get it)
TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
OPT - Optional argument - might not always be available (passed with null value)

Hooks¶

sys_umount2¶

Type¶

Kprobe + Kretprobe.

Purpose¶

To collect the arguments and return the unmounting operation results of the umount2() system call.

Example Use Case¶

A common use case for umount2() is when the user needs to unmount a filesystem and wants more control on the unmounting operation.

Issues¶

One downside of umount2() is that no default action is taken. The user must specify the flags so that the operation is successful.

mount2 - the system call used to mount a filesystem.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.