lstat64

Intro

lstat64 - Retrieve information about a file

Description

The lstat64() system call is used to retrieve information about a file or symbolic link stored in the file system. The information returned by lstat64() is similar to that returned by stat64(), but lstat64() does not follow symbolic links. The lstat64() system call is useful if the application needs to check the file type of a symbolic link, or if the target of the link might be a directory.

The lstat64() system call is also useful for finding out whether the file is a regular file, a symbolic link, a directory, a character special device, a block special device, a named pipe, a socket, or an executable image.

The lstat64() system call is part of the Base Specifications Issue 6 (SUSv6) and conforms to IEEE Std 1003.1-2008 (POSIX.1).

Arguments

  • pathname: const char*[K] - File or directory path.
  • statbuf: struct stat64*[U] - Pointer to the given structure, containing information about the file.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory that is used to retrieve the value).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

fmode_create

Type

Kprobes

Purpose

To detect when the lstat64 system call is invoked.

Example Use Case

A file integrity monitoring system or a logging system that needs to keep track of information about the files present in the system can use the lstat64 system call to retrieve information about a given file.

Issues

The lstat64 system call is vulnerable to a TOCTOU (time of check, time of use) race condition, in which the state of the file can change between the moment it is checked and the moment the system call is executed.
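The no-follow behaviour and the check-then-use race described above, as an added example (not Tracee code and not part of the original page): it checks a path with lstat(), the portable libc call with the same no-follow semantics as lstat64(), then binds the check to the opened object with O_NOFOLLOW and fstat(). The function names and the /tmp fixture are constructed for illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* 1 if path itself is a symlink (lstat does not follow it), 0 if not, -1 on error. */
int is_symlink(const char *path) {
    struct stat st;
    if (lstat(path, &st) != 0) return -1;
    return S_ISLNK(st.st_mode) ? 1 : 0;
}

/* Open path only if it is a regular file and is still the object lstat() saw.
 * Returns an fd, or -1 if the path is a link, was swapped, or is not regular.
 * O_NOFOLLOW covers the final path component only; O_NONBLOCK avoids hanging
 * if a FIFO replaced the file between the two calls. */
int open_regular_checked(const char *path) {
    struct stat before, after;
    if (lstat(path, &before) != 0 || !S_ISREG(before.st_mode)) return -1;
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0) return -1;
    /* fstat() describes the opened object, so a later rename cannot change it. */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed fixture: a regular file and a symlink to it in a temp directory. */
int make_fixture(char *file, char *link, size_t n) {
    char dir[] = "/tmp/lstat_demo_XXXXXX";
    if (!mkdtemp(dir)) return -1;
    snprintf(file, n, "%s/data", dir);
    snprintf(link, n, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY | O_EXCL, 0600);
    if (fd < 0) return -1;
    close(fd);
    return symlink(file, link);
}

int main(void) {
    char file[64], link[64];
    if (make_fixture(file, link, sizeof file) != 0) return 1;
    printf("file: symlink=%d fd=%d\n", is_symlink(file), open_regular_checked(file));
    printf("link: symlink=%d fd=%d\n", is_symlink(link), open_regular_checked(link));
    return 0;
}
```

Any later read or metadata query should go through the returned descriptor rather than the path, since the path can be rebound after the check.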

Related Events

  • stat64
  • fstatat64
  • fstat64

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.