Skip to content

ustat

Intro

ustat - determine file system information associated with a mounted file system.

Description

The ustat system call is used to retrieve information about the mounted file system containing the directory whose file descriptor is passed in. This information describes the amount of blocks and file nodes associated with that file system, as well as the size of each. Depending on the flags passed, some of this information might be obtained from the filesystem itself, or from the system buffer cache.

When used in conjunction with the parse-arguments flag, the device argument is used to specify the exact file system from which to obtain the information. This is useful in cases where multiple file systems are present over the same device.

Arguments

  • dev:dev_t[K] - device containing the file system
  • ubuf:struct ustat*[U] - pointer to a buffer in user space used to write the information obtained

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)

Hooks

sys_ustat

Type

kprobe

Purpose

The purpose of this hook is to evaluate the arguments associated with the ustat system call, before its execution.

Example Use Case

A file system event monitor application could use the ustat call to return the information related to a given file system, such as the blocks and file nodes associated with it.

Issues

None.

  • statfs - get file system information.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.