getdents64¶

Intro¶

getdents64 - get directory entries from a file descriptor

Description¶

The getdents64() system call is used to read the contents of an open directory into a buffer. It gives the caller access to an array of the directory entries each containing information about a single file or subdirectory. This system call is often used in conjunction with opendir() to allow an application to walk a directory tree structure.

One drawback of getdents64 is that data it returns is big-endian, while some architectures are little-endian. This can be circumvented by using the non-standard readdir64() function, which returns data in little-endian format.

Arguments¶

fd:unsigned int[K] - file descriptor of an open directory.
dirp:struct linux_dirent64*[KU] - pointer to a buffer where the results are written.
count:unsigned int[K] - size of the buffer pointed by dirp.

Available Tags¶

K - Originated from kernel-space.
U - Originated from user space (for example, pointer to user space memory used to get it)

Hooks¶

SYS_getdents64¶

Type¶

Kprobe + Kretprobe

Purpose¶

Produce extra information about the file and directory entries read from the directory.

Example Use Case¶

The getdents64 system call can be used, for example, to list the files and sub-directories inside a given directory, in order to search for a specific file.

Issues¶

Due to the way getdents64 is implemented, it can not be used as a generic directory iteration mechanism, since it is affected by the directory structure, which can vary across filesystems.

The related events to getdents64 are open(), close(), readdir64(), write_dirent64() and unlink().

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.