llistxattr
Intro
llistxattr - get extended attribute names for a file
Description
The llistxattr syscall is used to retrieve the list of names of extended attributes associated with the specified file path. The names are stored as a NULL-terminated array of strings in the buffer pointed to by list. The buffer should have a size of size bytes. The size can be found by calling fgetxattr on the file with a NULL buffer. If the list size exceeds size, then ERANGE is returned, and a larger size should be used.
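The buffer handling described above, as an added example that is not part of Tracee or its documentation: it sizes the buffer with the zero-size probe documented in listxattr(2) (calling llistxattr with size 0 returns the number of bytes needed), retries when ERANGE shows the list grew between the two calls, and walks the returned names without reading past the reported length. The helper names `walk_names` and `list_names` are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/xattr.h>

/* Count (and optionally print) the names in a buffer of back-to-back
 * NUL-terminated strings, the layout llistxattr writes into 'list'. */
static int walk_names(const char *buf, size_t len, int print)
{
    int n = 0;
    for (size_t off = 0; off < len; ) {
        const char *end = memchr(buf + off, '\0', len - off);
        if (!end) break;               /* unterminated tail: never read past len */
        if (print) printf("%s\n", buf + off);
        n++;
        off = (size_t)(end - buf) + 1;
    }
    return n;
}

/* Hypothetical helper: returns a malloc'd name list for 'path' and sets *len,
 * or NULL with errno set. llistxattr does not follow a symlink at 'path'. */
static char *list_names(const char *path, size_t *len)
{
    for (int attempt = 0; attempt < 8; attempt++) {
        ssize_t need = llistxattr(path, NULL, 0);  /* size 0: returns bytes needed */
        if (need < 0) return NULL;
        size_t cap = (size_t)need + 1;             /* never 0, so never a probe */
        char *buf = malloc(cap);
        if (!buf) return NULL;
        ssize_t got = llistxattr(path, buf, cap);
        if (got >= 0) { *len = (size_t)got; return buf; }
        int saved = errno;
        free(buf); errno = saved;
        if (saved != ERANGE) return NULL;  /* ERANGE: list grew since the probe */
    }
    return NULL;                           /* still ERANGE after 8 attempts */
}

int main(int argc, char **argv)
{
    size_t len = 0;
    char *buf = list_names(argc > 1 ? argv[1] : ".", &len);
    if (!buf) { perror("llistxattr"); return 1; }
    walk_names(buf, len, 1);
    free(buf);
    return 0;
}
```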
Arguments
- path: const char* [K] - path to the file or directory
- list: char* [K,U] - buffer used to transfer attribute names
- size: size_t [K] - size of buffer for attribute list
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
sys_listxattr
Type
Kprobes and Uprobe.
Purpose
Capturing attempts to retrieve a list of extended attributes associated with a file.
Example Use Case
A monitoring application that secures user data and checks whether a user is engaging in forbidden behavior uses the llistxattr syscall to determine which extended attributes are associated with the user's files.
Issues
This syscall may be vulnerable to TOCTOU (time-of-check-time-of-use) race conditions.
Related Events
- fgetxattr - get the value of a single extended attribute for a file
- lgetxattr - get the value of an extended attribute for a file
- setxattr - set an extended attribute for a file
- lsetxattr - set an extended attribute for a file relative to a directory
- removexattr - remove an extended attribute for a file or directory
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.