llistxattr¶

Intro¶

llistxattr - get extended attribute names for a file

Description¶

The llistxattr syscall is used to retrieve the list of names of extended attributes associated with the specified file path. The names are stored as a NULL-terminated array of strings in the buffer pointed to by list. The buffer should have a size of size bytes. The size can be found by calling fgetxattr on the file with a NULL buffer. If the list size exceeds size, then ERANGE is returned, and a higher size should be used.

Arguments¶

path:const char*[K] - path to the file or directory
list:char*[K,U] - buffer used to transfer attribute names
size:size_t[K] - size of buffer for attribute list

Available Tags¶

K - Originated from kernel-space.
U - Originated from user space (for example, pointer to user space memory used to get it)
TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
OPT - Optional argument - might not always be available (passed with null value)

Hooks¶

sys_listxattr¶

Type¶

Kprobes and Uprobe.

Purpose¶

Capturing attempts to retrieve a list of extended attributes associated with a file.

Example Use Case¶

A monitoring app is monitoring and securing user data to determine if a user is engaging in a forbidden behavior. The app uses the llistxattr syscall to determine what extended attributes are associated with the user files.

Issues¶

This syscall may be vulnerable to TOCTOU (time-of-check-time-of-use) race conditions.

fgetxattr - get the value of a single extended attribute for a file
lgetxattr - get the value of an extended attribute for a file
setxattr - set an extended attribute for a file
lsetxattr - set an extended attribute for a file relative to a directory
removexattr - remove an extended attribute for a file or directory

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.