memfd_create¶
Intro¶
memfd_create - Creates an anonymous file and return a file descriptor associated with the file
Description¶
The memfd_create system call creates an anonymous file and return a file descriptor associated with the file. The file behaves like any other file and can be mmap'ed or used with any of the other file operations. Despite being anonymous it can also have a name associated with it, as long as no other file with the same name already exists. The main use case of this syscall is to create an interface to memory that behaves like a file and is able to pass through a certain set of filters, such as virus scanners.
Arguments¶
name
:const char*
[K] - The name of the file, can be null or a unique name.flags
:unsigned int
[K] - Flags specifying the behaviour of the file, such as size, permissions, etc.
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_memfd_create¶
Type¶
Kprobes
Purpose¶
To trace the syscall to memfd_create
Example Use Case¶
The memfd_create syscall can be used to create a lightweight anonymous file that can be passed through virus scanners, or other filters, to confirm the integrity of data that is to be passed through a certain system.
Issues¶
None
Related Events¶
None
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.