Skip to content

flistxattr

Intro

flistxattr - get a list of extented attributes of the file associated with a given file descriptor

Description

The flistxattr system call is used to get the list of extended attribute names associated with a given file descriptor. It returns a buffer containing a list of the names of all of the extended attributes associated with the file, with each name separated by a null byte ('\0'). The size of the buffer is specified in the argument size. If the size is not large enough, -1 is returned and errno is set to ERANGE.

This system call is different from listxattr in the sense that instead of giving the path of the file in question, it receives its file descriptor, which means flistxattr only get the list of attributes of the exact file associated with the given descriptors, whereas listxattr can get the list of attributes of any file given its path.

Arguments

  • fd:int[K] - file descriptor of the target file, from which the extended attributes should be listed.
  • list:char*[U] - pointer to user-space memory, which will be filled with the list of extended attributes associated with fd.
  • size:size_t[K] - size of the list buffer. If not large enough to hold the list of all extended attributes associated with fd, the call fails with error set to ERANGE.

Hooks

do_flistxattr

Type

Kprobe + Kretprobe

Purpose

Monitor and log calls to flistxattr, as well as their return values, for debugging and security purposes.

Example Use Case

The flistxattr system call can be used as part of a larger application to get a list of all of the extended attributes associated with a file before attempting to access any of them. This can be especially useful for preventing potential Time-Of-Check To Time-Of-Use (TOCTOU) race conditions.

Issues

None.

  • listxattr - get the list of extended attributes associated with the file given the path

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.