oldlstat

Intro

oldlstat - stat the file pointed to by pathname

Description

oldlstat returns status information about the file pointed to by the pathname argument. It returns information similar to that returned by lstat; if pathname is a symbolic link, it returns information about the link itself. The result is written to statbuf, which is a pointer to a struct stat.

This event is useful in programs that need to retrieve information about a file, but it is vulnerable to a Time of Check, Time of Use (TOCTOU) race condition.

Arguments

  • pathname:const char*[K, U] - pointer to the pathname of the file for which status information will be returned.
  • statbuf:struct stat*[K] - pointer to a structure of type struct stat into which information should be stored.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

sys_oldlstat

Type

Kprobes

Purpose

The event is hooked with kprobes in order to observe and trace the syscall arguments and return value.

Example Use Case

This event can be used, for example, in an application to monitor file changes in the system.

Issues

Because this syscall is vulnerable to a TOCTOU race condition, a malicious user could try to bypass monitoring based on this event by changing the file parameters between the time they are checked and the time they are used.

Related Events

  • lstat - similar event used to get information about files. Does not have the TOCTOU vulnerability.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.