statfs64

Intro

statfs64 - obtain information about a mounted file system.

Description

The statfs64 system call obtains information about a mounted file system on Linux. It copies the file system parameters from the superblock structure in kernel memory to the user-space struct statfs64 provided in the buf argument.

The size_t argument sz specifies the size of the provided buf structure, so that the kernel can decide which version of the struct to use. No data is copied if sz does not match the size of the corresponding struct in the kernel.

Arguments

  • path:const char*[U] - path of the file system that should be queried.
  • sz:size_t[U] - this argument specifies the size of the buf argument, allowing the kernel to determine which version of the struct statfs64 will be used.
  • buf:struct statfs64*[U] - pointer to a user-space buffer, where the information collected from the kernel will be stored.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_statfs

Type

Kprobes + Uprobe

Purpose

Monitors this syscall to collect information about the mounted file systems.

Example Use Case

It can be used to collect information on mounted file systems, such as available disk space, block size and total number of blocks.

Issues

The size_t parameter sz can cause issues if the user-space buffer size is not large enough for the corresponding struct size in the kernel.
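The sz contract described above can be checked from user space with the following added example, which is not Tracee code or code from the original page. It passes sz = sizeof(buf) for a normal query, then passes a deliberately wrong sz and confirms the buffer is left untouched. Assumptions: fs_summary, fs_query and fs_probe_bad_size are hypothetical names, the EINVAL result for a mismatched sz is Linux kernel behaviour not stated on this page, and on 64-bit ABIs that define no statfs64 syscall the code falls back to statfs and skips the probe.

```c
#define _GNU_SOURCE            /* exposes struct statfs64 in glibc */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <sys/vfs.h>
#include <unistd.h>
/* Hypothetical summary struct: the fields named in the use case above. */
struct fs_summary { unsigned long long block_size, total_blocks, avail_blocks; };

/* Returns 0 on success or -errno. Passes sz = sizeof(buf), as the text requires. */
int fs_query(const char *path, struct fs_summary *out)
{
#ifdef SYS_statfs64
    struct statfs64 buf;
    long rc = syscall(SYS_statfs64, path, sizeof(buf), &buf);
#else   /* this ABI defines no statfs64 entry point; use statfs instead */
    struct statfs buf;
    long rc = statfs(path, &buf);
#endif
    if (rc != 0) return -errno;
    out->block_size   = (unsigned long long)buf.f_bsize;
    out->total_blocks = (unsigned long long)buf.f_blocks;
    out->avail_blocks = (unsigned long long)buf.f_bavail;
    return 0;
}

/* 1: wrong sz rejected with EINVAL and buf untouched; 0: not rejected;
 * -1: this architecture has no statfs64 syscall to probe. */
int fs_probe_bad_size(const char *path)
{
#ifdef SYS_statfs64
    struct statfs64 buf, ref;
    memset(&buf, 0xA5, sizeof(buf));          /* canary pattern */
    memcpy(&ref, &buf, sizeof(ref));
    long rc = syscall(SYS_statfs64, path, sizeof(buf) - 1, &buf);
    return rc == -1 && errno == EINVAL && memcmp(&buf, &ref, sizeof(buf)) == 0;
#else
    (void)path;
    return -1;
#endif
}

int main(void)
{
    struct fs_summary s = {0, 0, 0};
    int rc = fs_query("/", &s);
    printf("rc=%d bsize=%llu blocks=%llu\n", rc, s.block_size, s.total_blocks);
    printf("bad-size probe: %d\n", fs_probe_bad_size("/"));
    return rc != 0;
}
```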

Related Events

  • mount()
  • umount2()

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.