statx

Intro

The statx syscall is used to get information about a filesystem object. It's similar to the stat syscall, but supports a more fine-grained mask argument which controls which fields are returned.

Description

statx retrieves information about various filesystem objects (such as regular files, directories and links). Its main advantage over the stat syscall is the mask argument, which controls which fields are returned in the struct statx pointer argument. This reduces the number of system calls needed to retrieve multiple pieces of information about a filesystem object, and makes the call more efficient.

In addition, statx supports flags which modify the operation, like AT_NO_AUTOMOUNT, which tells the system not to mount a filesystem automatically when necessary.

The statx syscall is part of the new libpfc library which simplifies common filesystem operations.

Arguments

  • dirfd:int - File descriptor for a directory from which the relative path is evaluated, or AT_FDCWD for the current working directory.
  • pathname:const char*[U] - Null-terminated pathname relative to the dirfd argument.
  • flags:int[K] - Flags which modify the operation. See the statx manual page for the available set of flags.
  • mask:unsigned int[K] - Bitmask field which defines what fields of the struct statx pointer argument to populate.
  • statxbuf:struct statx*[U] - Pointer to a struct statx which will be populated with the information from the filesystem object, according to the mask argument.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, a pointer to user-space memory used to get it).
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)

Hooks

do_sys_stat

Type

Kprobe

Purpose

To observe calls to the statx syscall, and get information about the arguments being passed.

Example Use Case

You can use statx to get information about a file in order to determine if it should be included in a tarball, like when making a backup or when creating an archive. By specifying the appropriate bitmask for the mask argument, you can retrieve only the necessary information.
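
The following C program is an added example (not part of the original page and not Tracee code) of the use case above: it requests only the type, size and mtime fields through the mask argument, passes AT_NO_AUTOMOUNT and AT_SYMLINK_NOFOLLOW as flags, and checks the returned stx_mask before trusting any field. The names archive_candidate and ARCHIVE_MASK are hypothetical, and the raw syscall(SYS_statx, ...) form is used here instead of the glibc wrapper.

```c
#define _GNU_SOURCE
#include <fcntl.h>        /* AT_FDCWD, AT_SYMLINK_NOFOLLOW, S_IFMT */
#include <linux/stat.h>   /* struct statx, STATX_* mask bits */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>  /* SYS_statx */
#include <unistd.h>

#ifndef AT_NO_AUTOMOUNT
#define AT_NO_AUTOMOUNT 0x800   /* value from the Linux UAPI headers */
#endif

/* Hypothetical name: the fields an archiver needs for its decision. */
#define ARCHIVE_MASK (STATX_TYPE | STATX_SIZE | STATX_MTIME)

/* Returns 1 if path is a regular file (size and mtime are filled in),
 * 0 if it is anything else (a symlink is reported as a symlink, never
 * as its target), -1 on error or if the kernel left a field unset. */
int archive_candidate(const char *path, unsigned long long *size, long long *mtime)
{
    struct statx stx;
    memset(&stx, 0, sizeof stx);
    /* Raw syscall: the arguments match the event's dirfd, pathname,
     * flags, mask and statxbuf, in that order. */
    if (syscall(SYS_statx, AT_FDCWD, path,
                AT_SYMLINK_NOFOLLOW | AT_NO_AUTOMOUNT, ARCHIVE_MASK, &stx) != 0)
        return -1;
    /* stx_mask reports which fields were actually populated. */
    if ((stx.stx_mask & ARCHIVE_MASK) != ARCHIVE_MASK)
        return -1;
    if ((stx.stx_mode & S_IFMT) != S_IFREG)
        return 0;
    *size = stx.stx_size;
    *mtime = stx.stx_mtime.tv_sec;
    return 1;
}

int main(int argc, char **argv)
{
    unsigned long long size;
    long long mtime;
    for (int i = 1; i < argc; i++) {
        int r = archive_candidate(argv[i], &size, &mtime);
        if (r == 1)
            printf("%s: include (%llu bytes, mtime %lld)\n", argv[i], size, mtime);
        else
            printf("%s: %s\n", argv[i], r == 0 ? "skip (not a regular file)" : "error");
    }
    return 0;
}
```

Running the binary with a list of paths while Tracee traces the statx event shows these same flags and mask values in the captured arguments.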

Issues

The kernel does not support the FOLLOW flag, which enables the syscall to follow symbolic links. This limits the usefulness of the syscall when dealing with links.

Related Events

  • stat - Syscall to get information about a filesystem object, which does not support a bitmask argument.
  • fstatat - Syscall to get information about a filesystem object given a file descriptor and a relative path.
  • openat - Syscall to open a file given a file descriptor and a relative path.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.