
fsopen

Intro

fsopen - opens an existing filesystem for use with an allocated file descriptor.

Description

The fsopen system call opens an existing filesystem for use with an allocated file descriptor. The file descriptor will provide access to the filesystem, and may be used with other system calls such as fsread, fswrite, and fstat. The filesystem must be specified by its name, which is given in the argument fsname. A set of flags, given in the argument flags, can be used to modify the behaviour of the fsopen system call.

There are several scenarios and edge cases to consider when using the fsopen system call. In particular, the system call is vulnerable to TOCTOU (time-of-check to time-of-use) attacks, where the file or filesystem may have been changed between the time it was checked for existence and the time the fsopen system call is actually made. Additionally, the flags argument may not be available in some cases, in which case the call will be invoked with a value of 0.

Arguments

  • fsname:const char*[KU] - name of the filesystem that is to be opened.
  • flags:unsigned int[K] - flags that modify the behaviour of the open system call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_fsopen

Type

Kprobe

Purpose

To trace the entry point of the fsopen system call.

Example Use Case

The fsopen system call can be used to open an existing filesystem for access and, with other system calls such as fsread, fswrite, and fstat, allow programs to interact with the filesystem. For example, a program may read and write to files on the filesystem.
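On the consuming side, the fsname and flags arguments described above can be triaged as in this added example, which is not part of the original page or of Tracee's own code. The JSON field layout, the sample events and the EXPECTED_FS allowlist are constructed assumptions; FSOPEN_CLOEXEC (0x1) is the only flag bit defined for fsopen in linux/mount.h.

```python
import json

FSOPEN_CLOEXEC = 0x1  # the only flag bit defined for fsopen in linux/mount.h

# Assumption: site policy listing filesystem types workloads are expected to open.
EXPECTED_FS = {"ext4", "xfs", "tmpfs", "overlay", "proc"}

# Constructed sample events, one JSON object per line. The field names
# (eventName, processName, processId, args[].name/value) are an assumed layout.
SAMPLE_EVENTS = """\
{"eventName":"fsopen","processName":"mount","processId":812,"args":[{"name":"fsname","value":"ext4"},{"name":"flags","value":1}]}
{"eventName":"fsopen","processName":"worker","processId":4410,"args":[{"name":"fsname","value":"cgroup"},{"name":"flags","value":0}]}
{"eventName":"openat","processName":"cat","processId":77,"args":[{"name":"pathname","value":"/etc/hosts"}]}
{"eventName":"fsopen","processName":"init","processId":1,"args":[{"name":"fsname","value":"tmpfs"}]}
{"eventName":"fsopen","processName":"fuzz","processId":9001,"args":[{"name":"fsname","value":"xfs"},{"name":"flags","value":6}]}
"""

def triage(line):
    """Return (pid, process, fsname, findings) for an fsopen event, else None."""
    event = json.loads(line)
    if event.get("eventName") != "fsopen":
        return None
    args = {a["name"]: a.get("value") for a in event.get("args", [])}
    fsname = args.get("fsname")
    # Per the page, flags may be unavailable; treat a missing value as 0.
    flags = args.get("flags") or 0
    findings = []
    # fsname is read from user memory ([U]), so it is advisory only: the
    # buffer can change between the probe's read and the kernel's (TOCTOU).
    if fsname not in EXPECTED_FS:
        findings.append("unexpected-fsname")
    # Any bit other than FSOPEN_CLOEXEC is undefined for this call.
    if flags & ~FSOPEN_CLOEXEC:
        findings.append("undefined-flag-bits")
    return event.get("processId"), event.get("processName"), fsname, findings

def scan(text):
    """Triage every line and keep only fsopen events that raised a finding."""
    results = [triage(l) for l in text.splitlines() if l.strip()]
    return [r for r in results if r and r[3]]

if __name__ == "__main__":
    for pid, proc, fsname, findings in scan(SAMPLE_EVENTS):
        print(f"pid={pid} comm={proc} fsname={fsname!r} -> {', '.join(findings)}")
```
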

Issues

The fsopen system call is vulnerable to TOCTOU attacks, where the file or filesystem may have been changed between the time it was checked for existence and the time the fsopen system call is actually made. Additionally, the flags argument may not be available in some cases, in which case the call will be invoked with a value of 0.

  • fsread
  • fswrite
  • fstat

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.