socketcall
Intro
socketcall - System call used to pass the arguments of other socket calls
Description
The socketcall() system call is used to pass the set of arguments of another socket-related system call through a single system call. It exists on many architectures, where it has the advantage of reducing the number of system calls a program has to issue when performing multiple socket operations. However, it can also be a security concern.
Arguments
- call:int - Specifies the actual call to perform, which should be one of the SOCKET_CMD constants.
- args:unsigned long* - Pointer to a vector of arguments for the call, described in detail here.
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user-space memory was dereferenced to read it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
do_socketcall
Type
KProbes
Purpose
This function is hooked to monitor and trace socket calls as they are executed.
Example Use Case
socketcall can be used to batch together multiple socket-related system calls. This is useful when a program needs to perform a series of socket operations, such as connecting to a server, sending data, and then receiving data.
Issues
Due to the nature of this system call, it introduces a security concern: the actual parameters are passed indirectly through a vector in user-space memory (hence the U and TOCTOU tags above), so the values a hook reads when the call is entered can differ from the values the kernel later uses, and the kernel does not verify the vector against what was observed. This can lead to a TOCTOU vulnerability.
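The following is an added example, not Tracee's own code, that ties the Arguments and Issues sections together: it decodes a socketcall(call, args) event into the underlying socket call and its argument vector, and then shows how a monitor can detect the TOCTOU condition by comparing the vector it read at hook time with the vector the kernel eventually consumed. The call numbers and per-call argument counts are those defined by the Linux kernel (include/uapi/linux/net.h and the nargs table in net/socket.c); the UserMemory class, the address values and the 8-byte word size are constructed for the example and do not model a real process's memory.

```python
# Added example (not part of Tracee): decode a socketcall event and check the
# user-space argument vector for modification between hook time and use time.
from dataclasses import dataclass

# socketcall numbers and the number of arguments each call takes, as defined
# by the Linux kernel (include/uapi/linux/net.h, net/socket.c nargs[])
SOCKETCALLS = {
    1: ("socket", 3), 2: ("bind", 3), 3: ("connect", 3), 4: ("listen", 2),
    5: ("accept", 3), 6: ("getsockname", 3), 7: ("getpeername", 3),
    8: ("socketpair", 4), 9: ("send", 4), 10: ("recv", 4), 11: ("sendto", 6),
    12: ("recvfrom", 6), 13: ("shutdown", 2), 14: ("setsockopt", 5),
    15: ("getsockopt", 5), 16: ("sendmsg", 3), 17: ("recvmsg", 3),
    18: ("accept4", 4), 19: ("recvmmsg", 5), 20: ("sendmmsg", 4),
}


@dataclass(frozen=True)
class DecodedCall:
    name: str        # underlying socket call, e.g. "connect"
    args: tuple      # the argument vector as read from user memory


class UserMemory:
    """Constructed toy model of the traced process's address space: a dict of
    machine words keyed by address. A real tracer would read /proc/<pid>/mem
    or use bpf_probe_read_user(); this stands in for that."""

    def __init__(self, words=None, word_size=8):
        self.words = dict(words or {})
        self.word_size = word_size

    def read_vector(self, ptr, count):
        """Read `count` consecutive words starting at `ptr`; unmapped
        addresses raise, mirroring a failed user-memory read."""
        out = []
        for i in range(count):
            addr = ptr + i * self.word_size
            if addr not in self.words:
                raise ValueError(f"unmapped user address {addr:#x}")
            out.append(self.words[addr])
        return tuple(out)


def decode_socketcall(call, args_ptr, mem):
    """Map socketcall(call, args) to the real socket call and its arguments.
    Unknown call numbers are rejected rather than guessed."""
    if call not in SOCKETCALLS:
        raise ValueError(f"unknown socketcall number {call}")
    name, nargs = SOCKETCALLS[call]
    return DecodedCall(name, mem.read_vector(args_ptr, nargs))


def detect_toctou(call, args_ptr, mem_at_hook, mem_at_use):
    """Compare the vector observed when the hook fired with the vector the
    kernel consumed. Returns (observed, used, indexes_that_changed); a
    non-empty index list means the event's recorded args cannot be trusted."""
    observed = decode_socketcall(call, args_ptr, mem_at_hook)
    used = decode_socketcall(call, args_ptr, mem_at_use)
    changed = [i for i, (a, b) in enumerate(zip(observed.args, used.args)) if a != b]
    return observed, used, changed


if __name__ == "__main__":
    # Constructed scenario: a connect() issued via socketcall(SYS_CONNECT=3)
    # with the argument vector {fd=5, sockaddr*, addrlen=16} at 0x7ffd0000.
    ARGS_PTR = 0x7ffd0000
    at_hook = UserMemory({ARGS_PTR: 5, ARGS_PTR + 8: 0x7ffd1000, ARGS_PTR + 16: 16})
    # By the time the kernel reads the vector, the process has swapped the
    # sockaddr pointer (index 1) for a different buffer.
    at_use = UserMemory({ARGS_PTR: 5, ARGS_PTR + 8: 0x7ffd2000, ARGS_PTR + 16: 16})
    observed, used, changed = detect_toctou(3, ARGS_PTR, at_hook, at_use)
    print(f"{observed.name}{observed.args} -> kernel used {used.args}; changed: {changed}")
```

The practical takeaway for detection engineering is that a socketcall event's args are only as trustworthy as the moment they were read; rules that key on addresses or options inside that vector should be corroborated with the corresponding non-multiplexed events (accept4, connect, getsockopt) where the kernel has already copied the values in.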
Related Events
- accept4
- connect
- getsockopt
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.