fspick¶
Intro¶
fspick - Pick an existing mounted filesystem for reconfiguration (Linux new mount API, kernel 5.2+).
Description¶
fspick
is one of the new mount API syscalls introduced in Linux 5.2 (together with fsopen, fsconfig, fsmount, move_mount and open_tree). It selects the filesystem mounted at pathname
and returns a file descriptor referring to a filesystem context for that superblock. The context is then driven with fsconfig
: FSCONFIG_SET_FLAG / FSCONFIG_SET_STRING queue mount options (for example "ro") and FSCONFIG_CMD_RECONFIGURE applies them, which is the new-API equivalent of mount(2) with MS_REMOUNT. fspick does not open, create or unlink files, and it does not report whether a file exists. The caller needs CAP_SYS_ADMIN in the mount namespace's user namespace, and the superblock must belong to the caller's user namespace; otherwise the call fails with EPERM.
The pathname
is either absolute or relative to the directory referred to by dirfd
, following the usual *at() convention: if dirfd
is AT_FDCWD
, a relative pathname
is resolved against the current working directory (it does not have to be absolute). The flags
argument controls the lookup and the returned descriptor: FSPICK_CLOEXEC (set close-on-exec on the returned fd), FSPICK_SYMLINK_NOFOLLOW (do not follow a trailing symlink), FSPICK_NO_AUTOMOUNT (do not trigger an automount on the final component) and FSPICK_EMPTY_PATH (pathname is "" and dirfd itself refers to the target). Any other bit makes the call fail with EINVAL.
From a detection standpoint the call matters because a successful fspick followed by fsconfig(FSCONFIG_CMD_RECONFIGURE) can change mount options such as ro, nosuid or noexec without ever calling mount(2), so rules that only watch mount(2)/MS_REMOUNT miss it.
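The sequence described above (fspick, then fsconfig to reconfigure the picked superblock), as an added example written for this page; it is not Tracee code. It calls the raw syscalls through syscall(2) so it does not depend on the glibc wrappers that only newer glibc versions provide; the syscall numbers 433 (fspick) and 431 (fsconfig) are the unified numbers shared by all architectures on Linux 5.2+, and the remount itself only succeeds with CAP_SYS_ADMIN over the target mount. The mount point "/mnt/test" used when no argument is given is a hypothetical path. The flag decoder at the top is the part an analyst would reuse when reading the flags argument of this event.

```c
/*
 * Added example, not part of Tracee: remount a filesystem read-only via
 * fspick(2) + fsconfig(2), and decode the fspick flags argument.
 * Assumes Linux >= 5.2 and CAP_SYS_ADMIN for the remount to succeed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Unified syscall numbers (same on every architecture since 5.2). */
#ifndef __NR_fspick
#define __NR_fspick 433
#endif
#ifndef __NR_fsconfig
#define __NR_fsconfig 431
#endif

/* fspick(2) flags, values from <linux/mount.h>. */
#define FSPICK_CLOEXEC          0x00000001
#define FSPICK_SYMLINK_NOFOLLOW 0x00000002
#define FSPICK_NO_AUTOMOUNT     0x00000004
#define FSPICK_EMPTY_PATH       0x00000008
#define FSPICK_KNOWN_MASK       0x0000000f

/* fsconfig(2) commands used below, values from <linux/mount.h>. */
#define FSCONFIG_SET_FLAG        0
#define FSCONFIG_CMD_RECONFIGURE 7

/* Render the flags argument as "NAME|NAME|0x<unknown bits>", or "0". Returns buf. */
const char *fspick_flags_str(unsigned int flags, char *buf, size_t len)
{
    static const struct { unsigned int bit; const char *name; } names[] = {
        { FSPICK_CLOEXEC,          "FSPICK_CLOEXEC" },
        { FSPICK_SYMLINK_NOFOLLOW, "FSPICK_SYMLINK_NOFOLLOW" },
        { FSPICK_NO_AUTOMOUNT,     "FSPICK_NO_AUTOMOUNT" },
        { FSPICK_EMPTY_PATH,       "FSPICK_EMPTY_PATH" },
    };
    size_t used = 0;
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(flags & names[i].bit))
            continue;
        used += snprintf(buf + used, len - used, "%s%s", used ? "|" : "", names[i].name);
        if (used >= len)
            return buf; /* truncated; stop before len - used underflows */
    }
    if (flags & ~FSPICK_KNOWN_MASK)   /* bits the kernel rejects with EINVAL */
        snprintf(buf + used, len - used, "%s0x%x", used ? "|" : "", flags & ~FSPICK_KNOWN_MASK);
    else if (used == 0)
        snprintf(buf, len, "0");
    return buf;
}

/* 1 if flags contain only bits fspick accepts, 0 otherwise. */
int fspick_flags_valid(unsigned int flags)
{
    return (flags & ~FSPICK_KNOWN_MASK) == 0;
}

/* Thin wrapper: returns the filesystem-context fd, or -errno on failure. */
int fspick_path(int dirfd, const char *path, unsigned int flags)
{
    long fd = syscall(__NR_fspick, dirfd, path, flags);
    return fd < 0 ? -errno : (int)fd;
}

/* Reconfigure the mount at `path` as read-only. Returns 0 or -errno. */
int remount_readonly(const char *path)
{
    int fsfd = fspick_path(AT_FDCWD, path, FSPICK_CLOEXEC | FSPICK_NO_AUTOMOUNT);
    if (fsfd < 0)
        return fsfd;
    int rc = 0;
    /* Queue the "ro" option, then apply it to the superblock (MS_REMOUNT equivalent). */
    if (syscall(__NR_fsconfig, fsfd, FSCONFIG_SET_FLAG, "ro", NULL, 0) < 0 ||
        syscall(__NR_fsconfig, fsfd, FSCONFIG_CMD_RECONFIGURE, NULL, NULL, 0) < 0)
        rc = -errno;
    close(fsfd);
    return rc;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/mnt/test"; /* hypothetical mount point */
    char buf[128];
    printf("fspick flags: %s\n",
           fspick_flags_str(FSPICK_CLOEXEC | FSPICK_NO_AUTOMOUNT, buf, sizeof buf));
    int rc = remount_readonly(path);
    if (rc < 0)
        fprintf(stderr, "remount of %s failed: %s\n", path, strerror(-rc));
    else
        printf("%s reconfigured read-only\n", path);
    return rc < 0 ? 1 : 0;
}
```

Run as root against a real mount point to see the reconfigure take effect; as an unprivileged user the fspick call itself fails with EPERM, which is the event Tracee records regardless of the outcome.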
Arguments¶
dirfd
:int
[K] - Directory file descriptor against which a relative pathname is resolved. AT_FDCWD selects the current working directory; with FSPICK_EMPTY_PATH, dirfd itself refers to the target.
pathname
:const char*
[K] - Path of the mount point (or of any path inside the mount) whose filesystem is to be picked.
flags
:unsigned int
[K] - Bitwise OR of FSPICK_CLOEXEC, FSPICK_SYMLINK_NOFOLLOW, FSPICK_NO_AUTOMOUNT and FSPICK_EMPTY_PATH; any other bit is rejected with EINVAL.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_fspick¶
Type¶
Kprobes
Purpose¶
Records entry to and return from the fspick
syscall, including its arguments and return value.
Example Use Case¶
Auditing mount reconfiguration done through the new mount API: a process that calls fspick
on an existing mount and then fsconfig with FSCONFIG_CMD_RECONFIGURE (for example to turn a read-only container root filesystem read-write, or to drop nosuid/noexec) never calls mount(2), so this event is the place to catch that remount.
Issues¶
None known.
Related Events¶
fsopen
, fsconfig
, fsmount
, move_mount
, open_tree
, mount
.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.