Skip to content

linkat

Intro

linkat - create a link to a file or directory

Description

The linkat system call creates a new link to an existing file or directory, with the pathname specified by oldpath and newpath. This can be used to create hard links across different file systems, and is especially useful when multiple copies of a file are present in different directories. The flags argument can be used to control the behavior of linkat with regard to symlinks, directory structure, and other aspects of the call.

Arguments

  • olddirfd:int[K] - file descriptor for the old directory. If AT_EMPTY_PATH, interpret oldpath relative to the current working directory.
  • oldpath:const char*[U] - path to the existing file or directory to link from. Must be a relative or absolute path.
  • newdirfd:int[K] - file descriptor for the new directory. If AT_EMPTY_PATH, interpret newpath relative to the current working directory.
  • newpath:const char*[U] - path to the existing file or directory to link to. Must be a relative or absolute path.
  • flags:unsigned int[K] - control behavior of linkat. Flag values may include AT_DONTFORK, AT_FOLLOW, AT_SYMLINK_FOLLOW, and AT_EMPTY_PATH. If a negative flag value is passed, then the flags parameter is ignored.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_linkat

Type

kprobe

Purpose

To trace the system call linkat

Example Use Case

To monitor a system running multiple different file systems and identify links being created between them.

Issues

If AT_EMPTY_PATH is used to pass the oldpath or newpath argument, the path name is resolved with the current working directory. If a process changes its working directory, the result may differ from the result from the previous call, so this could be a security issue.

  • renameat
  • symlinkat
  • unlinkat

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.