lremovexattr
Intro
lremovexattr - remove an extended attribute from a file or directory.
Description
The lremovexattr() system call removes the extended attribute specified by name from the file specified by path. Extended attributes are metadata associated with a file or directory, which may include things such as access control lists, security labels, and file system capabilities. If the path argument refers to a symbolic link, the attributes of the symbolic link itself are modified, rather than the attributes of the file or directory referenced by the symbolic link.
Arguments
- path: const char* [K] - Path to the file or directory.
- name: const char* [K] - Name of the attribute to be removed.
Available Tags
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks
sys_removexattr
Type
kprobe + kretprobe
Purpose
To detect calls and returns of the lremovexattr() syscall.
Example Use Case
An application might use lremovexattr() to remove extended attributes such as an ACL from a file or directory.
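For monitoring, the removals that matter most are the ones that strip an ACL, a security label or file capabilities. The following is an added example, not Tracee's own code: it filters lremovexattr events and flags those cases, assuming one JSON object per line with eventName, processName, returnValue and args fields; the attribute-name table and the sample events are constructed for illustration.

```python
import json

# Assumed table: xattr names for ACLs, security labels and file capabilities.
SENSITIVE_XATTRS = {
    "system.posix_acl_access": "access control list",
    "system.posix_acl_default": "default access control list",
    "security.selinux": "security label",
    "security.capability": "file capabilities",
}

def classify(line):
    """Return a finding for a security-relevant lremovexattr event, else None."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None  # not a JSON event line
    if not isinstance(event, dict) or event.get("eventName") != "lremovexattr":
        return None
    args = {a.get("name"): a.get("value")
            for a in (event.get("args") or []) if isinstance(a, dict)}
    attr = args.get("name")
    kind = SENSITIVE_XATTRS.get(attr) if isinstance(attr, str) else None
    if kind is None:
        return None  # attribute outside the watched set
    return {"process": event.get("processName"), "path": args.get("path"),
            "attribute": attr, "kind": kind,
            # Assumed: returnValue 0 means the attribute was actually removed.
            "succeeded": event.get("returnValue") == 0}

def scan(lines):
    return [f for f in map(classify, lines) if f is not None]

def _event(name, proc, path, attr, ret):  # builds one constructed event line
    return json.dumps({"eventName": name, "processName": proc, "returnValue": ret,
                       "args": [{"name": "path", "type": "const char*", "value": path},
                                {"name": "name", "type": "const char*", "value": attr}]})

# Constructed sample input, not captured from a real system (-61 is ENODATA).
SAMPLE_EVENTS = [
    _event("lremovexattr", "setfattr", "/usr/local/bin/tool", "security.capability", 0),
    _event("lremovexattr", "setfattr", "/tmp/notes.txt", "user.comment", 0),
    _event("lremovexattr", "setfacl", "/srv/data", "system.posix_acl_access", -61),
    _event("lsetxattr", "setfattr", "/srv/data", "security.selinux", 0),
    "tracee: not an event line",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

Failed attempts are kept in the results with succeeded set to False, since a removal attempt against a watched attribute can be worth reviewing even when it did not take effect.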
Issues
The lremovexattr() system call is not supported on many systems.
Related Events
- lgetxattr
- llistxattr
- lsetxattr
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.