fsconfig

Intro

fsconfig - system call that assigns configurations to filesystem types

Description

The fsconfig system call assigns configurations, each expressed as a key-value pair, to the filesystem type (defined by the passed fs_fd).

It is used as an extensible interface for programs and libraries to define, query and update configuration parameters.

The same key might occur multiple times (path, then tag or namespace), so the fsconfig system call takes an auxiliary argument, aux, to provide context.

Arguments

  • fs_fd:int* - Pointer to a file descriptor pointing to the filesystem.
  • cmd:unsigned int - Command requesting a specific operation. It should be one of the FSCONFIG_CMD_* definitions in include/uapi/linux/fsconfig.h.
  • key:const char* - Null-terminated key string whose format depends on the specific FS and context. Its length must not exceed FSCONFIG_MAX_NAME.
  • value:const void* - Pointer to a memory area containing the value for the configuration. Its length must not exceed FSCONFIG_MAX_VALUE.
  • aux:int - Auxiliary data used to provide context for the configuration (path, tag or namespace). Its length must not exceed FSCONFIG_MAX_AUX.
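When triaging a captured fsconfig event, it helps to know which of key, value and aux a given cmd actually uses. The following is an added example, not Tracee code: the helper names and EX_* constants are hypothetical, the command numbers are local copies of the kernel's `enum fsconfig_command`, and the checks mirror the argument validation the syscall performs before acting on the request.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>

#ifndef AT_FDCWD
#define AT_FDCWD -100            /* Linux value, fallback for strict builds */
#endif

/* Local copies of enum fsconfig_command (kernel UAPI, <linux/mount.h>). */
enum {
    EX_SET_FLAG = 0, EX_SET_STRING = 1, EX_SET_BINARY = 2,
    EX_SET_PATH = 3, EX_SET_PATH_EMPTY = 4, EX_SET_FD = 5,
    EX_CMD_CREATE = 6, EX_CMD_RECONFIGURE = 7, EX_CMD_CREATE_EXCL = 8
};

/* What aux means for a given cmd (hypothetical helper for event triage). */
const char *fsconfig_aux_meaning(unsigned int cmd)
{
    switch (cmd) {
    case EX_SET_BINARY:     return "length of the blob at value";
    case EX_SET_PATH:
    case EX_SET_PATH_EMPTY: return "dirfd the path in value is relative to";
    case EX_SET_FD:         return "file descriptor passed to the filesystem";
    default:                return "unused, must be 0";
    }
}

/* Returns 0 if the (cmd, key, value, aux) combination is one the syscall
 * accepts, or the negative errno it is rejected with. */
int fsconfig_check_args(unsigned int cmd, const char *key,
                        const void *value, int aux)
{
    switch (cmd) {
    case EX_SET_FLAG:
        return (key && !value && aux == 0) ? 0 : -EINVAL;
    case EX_SET_STRING:
        return (key && value && aux == 0) ? 0 : -EINVAL;
    case EX_SET_BINARY:
        return (key && value && aux > 0 && aux <= 1024 * 1024) ? 0 : -EINVAL;
    case EX_SET_PATH:
    case EX_SET_PATH_EMPTY:
        return (key && value && (aux == AT_FDCWD || aux >= 0)) ? 0 : -EINVAL;
    case EX_SET_FD:
        return (key && !value && aux >= 0) ? 0 : -EINVAL;
    case EX_CMD_CREATE:
    case EX_CMD_CREATE_EXCL:
    case EX_CMD_RECONFIGURE:
        return (!key && !value && aux == 0) ? 0 : -EINVAL;
    default:
        return -EOPNOTSUPP;
    }
}
```

An event whose arguments fail this check describes a call the kernel would have rejected, so its return code should be negative; a mismatch between the two is worth a closer look.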

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it).

Hooks

fsconfig

Type

Kprobe

Purpose

To expose the data of the syscall request, the return code and the response value.

Example Use Case

fsconfig can be used to query and set configuration parameters on a filesystem. One example is setting access control lists on a filesystem in order to provide additional security measures.

Issues

fsconfig is vulnerable to TOCTOU (Time of Check, Time of Use) attacks, as its arguments are not checked at the entry point and various events might have happened between the check and the use.

  • fstatfs: get filesystem status.
  • fscache: query the configuration from the filesystem cache.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.