Skip to content

fcntl

Intro

fcntl - Manipulates file descriptor

Description

The fcntl system call is used to manipulate a file descriptor. It can be used to read and modify the flags associated with a particular file descriptor, including changing the non-blocking status and closing the file descriptor. It can also be used to implement file locking, sharing file descriptors between processes, and more.

The function takes three arguments, a file descriptor fd, an action cmd, and an argument arg. Depending on the action, the argument may or may not be used and can contain various values.

Arguments

  • fd:int - The file descriptor to manipulate.
  • cmd:int - The type of operation to perform.
  • arg:unsigned long - An optional argument for some of the operations.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_fcntl

Type

Kprobe + Kretprobe.

Purpose

To trace all calls to sys_fcntl and return values.

Example Use Case

Tracking all attempts to change the non-blocking status of any file descriptor for debugging or security purposes.

Issues

None.

  • open
  • close
  • read
  • write
  • lseek

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.