Skip to content

fgetxattr

Intro

fgetxattr - get a extended attribute value in a file or directory

Description

The fgetxattr() function retrieves the value of the extended attribute specified by name and associated with the file fd for the size of size bytes and places the result in value.

The name argument points to a null-terminated string. The fd argument is a file descriptor associated with an open file. The value argument is a pointer to a buffer that is at least size bytes in length. The size argument specifies the size of the buffer in bytes. Thus, if value points to a buffer that is too small a buffer to hold the value of the requested attribute, the size of the attribute is returned in size and no data is returned in value.

There are several noteworthy edge cases with fgetxattr(). First, fgetxattr() will not follow symbolic links. Second, when used on relative paths, the path will be interpreted relative to the directory indicated by the fd argument. Lastly, if the value argument is NULL or the size argument is 0, then the size of the attribute will be returned in size without any data being returned in value.

Arguments

  • fd:int - File descriptor associated with an open file.
  • name:const char* - Name of the extended attribute.
  • value:void*[U] - Pointer to the buffer that will be filled with the attribute value.
  • size:size_t - Size of the buffer in bytes.

Available Tags

  • U - Originated from user space.

Hooks

do_fgetxattr

Type

Kprobes

Purpose

To spy on calls to the underlying do_fgetxattr kernel function and capture information about arguments and return values.

Example Use Case

Monitoring and auditing of programs that use fgetxattr() to retrieve extended attributes.

Issues

The value argument must point to a buffer in user space.

  • fsetxattr - Set a extended attribute value in a file or directory
  • flistxattr - List extended attribute keys and associated values

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.