fstatfs64
Intro
fstatfs64 - get information about a mounted file system
Description
The fstatfs64() system call is used to get file system statistics about a mounted file system. It is similar to the statfs() system call, but it uses a struct statfs64 for the buffer argument. Since file systems can have large size values up to 8 bytes, this system call also allows for 8-byte aligned struct statfs64 arguments.
The fstatfs64() system call can be used to obtain information about mounted block devices or image files, and the returned information includes the mounted location, file system type, number of free blocks and free inodes, the block size, and the optimal transfer size.
Arguments
- fd:int [U] - file descriptor of a mounted file system
- sz:size_t [K] - size of the struct statfs64 which stores the information about the given file system
- buf:struct statfs64* [U TOCTOU] - pointer to an allocated struct statfs64 where the file system information will be stored
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
sys_fstatfs64
Type
Kprobe + Kretprobe
Purpose
The purpose of the sys_fstatfs64 hooks is to monitor the use of this system call by user processes.
mount_fs
Type
Kprobe
Purpose
The purpose of the mount_fs hook is to monitor when a filesystem is mounted or unmounted.
Example Use Case
Using the fstatfs64 system call it is possible to get information about all mounted file systems. This information can be used to generate reports about system state or can be used to compare different mounts for various reasons.
Issues
The information returned by fstatfs64 is subject to a time-of-check to time-of-use (TOCTOU) race: it might become outdated between the moment it is obtained and the moment it is used. When this system call is used, it is important to consider whether this type of race condition can occur and how it affects the application logic.
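The following C program is an added example, not part of the original page or of Tracee's code. It reads the statistics through an already-open descriptor and compares two descriptors by file system type and ID, treating every value as a snapshot. It assumes the libc fstatfs() wrapper (which underlying system call, fstatfs or fstatfs64, is issued depends on the architecture and libc); the names fs_snapshot, fs_snapshot_fd and fs_same_filesystem are hypothetical.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/vfs.h>
#include <unistd.h>

/* Fields this page lists, copied at one instant; they can be stale when read. */
struct fs_snapshot {
    long               type;        /* f_type: file system magic number */
    unsigned long long block_size;  /* f_bsize */
    unsigned long long free_blocks; /* f_bfree */
    unsigned long long free_inodes; /* f_ffree */
};

/* Uses the libc fstatfs() wrapper (assumption) on an open fd. 0 or -errno. */
int fs_snapshot_fd(int fd, struct fs_snapshot *out)
{
    struct statfs st;
    if (fstatfs(fd, &st) != 0)
        return -errno;
    out->type        = (long)st.f_type;
    out->block_size  = (unsigned long long)st.f_bsize;
    out->free_blocks = (unsigned long long)st.f_bfree;
    out->free_inodes = (unsigned long long)st.f_ffree;
    return 0;
}

/* 1 if both fds report the same type and ID, 0 if not, -errno on error. */
int fs_same_filesystem(int fd_a, int fd_b)
{
    struct statfs a, b;
    if (fstatfs(fd_a, &a) != 0 || fstatfs(fd_b, &b) != 0)
        return -errno;
    return a.f_type == b.f_type && memcmp(&a.f_fsid, &b.f_fsid, sizeof a.f_fsid) == 0;
}

int main(void)
{
    struct fs_snapshot s;
    int root = open("/", O_RDONLY), cwd = open(".", O_RDONLY);
    if (root < 0 || cwd < 0 || fs_snapshot_fd(root, &s) != 0)
        return 1;
    printf("/: type=0x%lx bsize=%llu bfree=%llu ffree=%llu same-as-cwd=%d\n", (unsigned long)s.type,
           s.block_size, s.free_blocks, s.free_inodes, fs_same_filesystem(root, cwd));
    close(root);
    close(cwd);
    return 0;
}
```

Because the free block and inode counts can change right after the call returns, code that writes after such a check still has to handle a failing write.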
Related Events
- statfs - similar system call but uses a struct statfs argument instead.
- getdents64 - get directory entries in a directory
- open - open a file or directory
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.