Skip to content

getdents

Intro

getdents - Reads directory entries from a file descriptor

Description

getdents() system call is used to read directory entries from an open file descriptor into a buffer. The entries are returned one after the other, and the entries contain information, such as the inode number, offset and type, of the entry. It is used by programs to read and parse directories in the filesystem.

One of the advantages of using getdents() is that it is an efficient way to read directory entries without requiring the overhead of opendir() and readdir() system calls required for looking up a particular directory entry. On the other hand, one of the drawbacks is that getdents() does not guarantee that the file descriptor provided is a directory.

Arguments

  • fd: int - File descriptor from which to read the entries.
  • dirp: struct linux_dirent* - Pointer to buffer of size count for the results.
  • count: unsigned int - Number of bytes of data that can be stored in dirp.

Available Tags

N/A

Hooks

sys_getdents

Type

Tracepoint

Purpose

To trace directory entries read from a file descriptor.

Example Use Case

This event can be used to trace files and directories read by a process. This can be used to aid debugging as you can easily trace a program’s file access operations to find out if it is reading unexpected files or directories.

Issues

The count argument must be large enough to accommodate the data returned. Due to a kernel limitation, the maximum size of one struct linux_dirent is 2044 bytes. If the count argument is smaller than that, the syscall can read more data than the count argument allows, potentially leading to a buffer overflow.

  • open() - Reads directory entries from a file descriptor.
  • readdir() - Reads directory entries.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.