execveat

Intro

execveat - execute a file in a directory relative to a directory file descriptor

Description

The execveat() system call executes the program referred to by the combination of dirfd and pathname. Pathname can be either an absolute pathname or a relative pathname, and dirfd can be either AT_FDCWD or a file descriptor referring to a directory. It is analogous to execve(), which resolves a relative pathname against the current working directory.

The arguments argv and envp are passed to the new program as its arguments and environment respectively, and flags can be a combination of the AT_* flags provided by the identically named execve() system call.

Arguments

  • dirfd:int[KU] - file descriptor of the directory to use as a base, relative to which the pathname should be evaluated.
  • pathname:const char*[KU] - pathname of the program to execute.
  • argv:const char*const*[KU] - array of the arguments for the program, or NULL for none.
  • envp:const char*const*[KU] - array of environment variables for the program, or NULL for none.
  • flags:int[KU] - optional argument that can be a combination of the AT_* flags provided by the identically named execve() system call.
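The following is an added example, not Tracee's own code, showing how dirfd and a relative pathname combine when execveat runs a program: the child is started with only the relative name, so a hook on sys_execveat that wants to know which binary ran must resolve dirfd itself. It assumes a Linux host where /bin/true and /bin/false exist.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Execute `pathname` relative to directory `dir` via execveat in a child
 * process and return the child's exit status, or -1 on failure. */
static int run_relative(const char *dir, const char *pathname)
{
    int dirfd = open(dir, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0) {
        close(dirfd);
        return -1;
    }
    if (pid == 0) {
        char *argv[] = { (char *)pathname, NULL };
        char *envp[] = { NULL };
        /* The kernel joins dirfd with the relative pathname. A hook on
         * sys_execveat sees pathname "true" and a bare dirfd number, not
         * "/bin/true"; resolving dirfd is the monitor's job. */
        syscall(SYS_execveat, dirfd, pathname, argv, envp, 0);
        _exit(127); /* only reached when execveat failed */
    }
    close(dirfd);

    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs: real binaries, resolved relative to dirfd. */
    printf("true    -> %d\n", run_relative("/bin", "true"));            /* 0 */
    printf("false   -> %d\n", run_relative("/bin", "false"));           /* 1 */
    printf("nested  -> %d\n", run_relative("/", "bin/true"));           /* 0 */
    printf("missing -> %d\n", run_relative("/bin", "no-such-program")); /* 127 */
    return 0;
}
```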

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_execveat

Type

Kprobe

Purpose

Hook sys_execveat to capture and count the number of times various programs are started.

Example Use Case

An example of a use case for execveat is in an intrusion detection system. By hooking the system call and monitoring the arguments provided, malicious behavior can be detected and reported.

Issues

While the execveat system call is a useful tool, it is also susceptible to time-of-check-time-of-use (TOCTOU) race conditions.

Other exec events, such as execve and execveatv, are related to execveat. In addition, fork and clone could be useful in the context of execveat.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.