Skip to content

oldfstat

Intro

oldfstat - use this function to get information about an open file

Description

The oldfstat function is used to get information about an open file. This function is similar to fstat() which is used to get information about a file that is referred to by a file descriptor. oldfstat() is available on all UNIX-like systems for backwards compatibility and features a similar set of information about the open file. The main difference is that the user does not need to provide the file descriptor, instead of this it takes a file handle. If a process has permission to the file then the information will be used.

Arguments

  • fildes:int[K-U] - an open file descriptor of the object to be stat'ed.
  • buf:stat*[K] - a pointer to a stat structure in which information is stored.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it).
  • OPT - Optional argument - might not always be available (passed with null value).

Hooks

sys_oldfstat

Type

Kprobes

Purpose

To track function calls and extract data from arguments to understand the behavior of a program.

Example Use Case

This event can be used to monitor and collect information over time about the files used by a process. It can also be used to audit system programs' behaviors when we are suspicious about their access to the file.

Issues

The oldfstat() does not support file descriptors greater than (USHRT_MAX + 1) and therefore, cannot be reliable for such system calls.

  • fstat - Similarly used to get information about a file, but takes a file descriptor as an argument.
  • lstat - Used to get information about a file from a symbolic link path.
  • fstatat - Used to get information about a file and takes a directory file descriptor as an argument.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.