Skip to content

faccessat2

Intro

faccessat2 - check user's permissions for a file

Description

faccessat2 is a system call that checks a given file's permission for the current user. It works by reading the permission bits of the file, then comparing those bits with the given mode. If the user has the requisite permission, the call succeeds; if not, the call fails with an error code.

One limitation is that faccessat2 works only on regular files - it is not able to make these checks on other kinds of objects such as devices, directories, UNIX sockets and so on. Additionally, the call is affected by Time-of-check/Time-of-use (TOCTOU) race conditions, thus extra care needs to be taken to ensure safety.

Arguments

  • fd:int[K] - File descriptor from which the name of the file is to be read.
  • path:const char*[K,U] - Relative or absolute pathname for the file.
  • mode:int[K] - The mode to be checked for the given file descriptor and path.
  • flag:int[K,OPT] - Optional flags passed to the system call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

faccessat2

Type

Kprobe.

Purpose

To monitor the faccessat2 syscall and keep track of the results of permission checks on files.

Example Use Case

This syscall can be used to solve the problem of unauthorized users trying to access files that they should not be able to access. Using the syscall one can check for the existence of files and their permission at the same time and in an atomic operation.

Issues

There is a TOCTOU race condition, since between the time that the permission check is done and the time of use, the permission may have changed. Additionally, faccessat2 will only work with regular files and not with other types such as directory, devices, etc.

  • stat
  • fstat
  • fstatat

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.