fremovexattr

Intro

fremovexattr - an event that allows getting or removing an extended attribute associated with a file

Description

The fremovexattr event is used to remove an extended attribute associated with a file specified by the file descriptor. This event allows for the removal of an attribute from any file type, including regular files and directories. This event does not traverse through directories in order to remove extended attributes from subdirectories. Additionally, this event can also be used to securely delete files as it allows for file data blocks to be marked as deleted in the filesystem, thus preventing their recovery.

The fremovexattr event takes two parameters: the file descriptor of the file for which the attribute is being removed (fd) and the name of the extended attribute (name). This event does not return any information to the user and will return an error if the attribute was not found or if the user does not have the correct privileges.
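As an added example that is not part of this page or of Tracee, the following C program exercises fremovexattr(2) on a temporary file: it sets a user.* attribute, removes it (the call the event observes), and shows the ENODATA error that a second removal of the same name produces. It assumes Linux and a filesystem that supports user.* attributes (ext4, xfs, overlayfs); the attribute name user.demo.marker and the /tmp path are constructed for the demo.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/xattr.h>

/* Outcomes reported by demo_fremovexattr(). */
enum xattr_demo {
    XATTR_DEMO_OK = 0,          /* set, removed, then second removal gave ENODATA */
    XATTR_DEMO_UNSUPPORTED = 1, /* filesystem does not support user.* attributes */
    XATTR_DEMO_FAIL = 2         /* unexpected error, details on stderr */
};

/* Set a user.* attribute on an unlinked temporary file, remove it with
 * fremovexattr(fd, name), and confirm that removing it again reports
 * ENODATA, the "attribute not found" error described above. */
int demo_fremovexattr(void)
{
    char path[] = "/tmp/fremovexattr-demo-XXXXXX"; /* constructed temp path */
    const char *name = "user.demo.marker";         /* constructed attribute name */
    int rc = XATTR_DEMO_FAIL;
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return rc; }
    unlink(path);                                  /* keep only the descriptor */
    if (fsetxattr(fd, name, "1", 1, 0) != 0) {
        if (errno == ENOTSUP) rc = XATTR_DEMO_UNSUPPORTED;
        else perror("fsetxattr");
        goto out;
    }
    /* First removal: this is the call the fremovexattr event observes. */
    if (fremovexattr(fd, name) != 0) { perror("fremovexattr"); goto out; }
    /* Second removal: the attribute is gone, so the kernel reports ENODATA. */
    if (fremovexattr(fd, name) == 0 || errno != ENODATA) {
        fprintf(stderr, "expected ENODATA, got %s\n", strerror(errno));
        goto out;
    }
    rc = XATTR_DEMO_OK;
out:
    close(fd);
    return rc;
}

int main(void)
{
    int rc = demo_fremovexattr();
    printf("fremovexattr demo result: %d\n", rc);
    return rc == XATTR_DEMO_FAIL;
}
```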

Arguments

  • fd: int[K] - A valid file descriptor of the file whose extended attribute should be removed.
  • name: const char*[K, U, TOCTOU] - Specifies the extended attribute to be removed.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

fremovexattr

Type

Tracepoint.

Purpose

Hook this function in order to detect the attempted removal of an extended attribute associated with a file.

Example Use Case

fremovexattr can be used to detect privilege escalation attempts, as an attacker might try to change the extended attributes of files in order to gain access to confidential data. This event can also be used to detect a malicious user attempting to delete a sensitive file.

Issues

Because of the TOCTOU vulnerability of this event, if an attacker manages to access the same file descriptor before the event is called, it may be possible for the argument value to change in between the time of check and the time of use.

Related Events

  • fgetxattr
  • fsetxattr

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.