utimensat_time32¶
Intro¶
utimensat_time32 - Change the timestamps of a file with nanosecond precision using a relative or an absolute 30-bit timestamp
Description¶
The utimensat_time32 system call changes the timestamps of a file, similar to the utime system call. It is part of the Advanced Linux Programming Interface (ALP) and offers an improved timestamp range and higher precision of file time handling compared to its predecessor. It supports nanosecond resolution on 32-bit architectures inside the old_timespec32 structure which can be used to specify an absolute or relative timestamp.
The flags parameter can be used to indicate if the t parameter should be used as an absolute (0) or relative (UTIME_NOW, UTIME_OMIT) timestamp for the file. If the AT_SYMLINK_NOFOLLOW flag is passed, the system call does not follow symbolic links, but fails when the specified file is a symbolic link.
Are there any edge-cases, drawbacks or advantages of using it? Due to its use of the old_timespec32 structure, utimensat_time32 can only specify a time in a range of ~1902 to 2038. As such, it is not suitable for applications needing a more flexible timestamp range.
Arguments¶
dfd
:unsigned int
[K] - The file descriptor of the directory containing the file whose timestamps should be changed. A value of AT_FDCWD can be used to indicate the current working directory.filename
:char*
[U] - Pointer to the name of the file whose timestamps should be changed.t
:struct old_timespec32*
[U] - Pointer to the timespec structure containing the desired new timestamp for last access and modification time.flags
:int
[K] - Flags controlling the behavior of the system call. Can be used to indicate if timestamp should be set relatively (UTIME_NOW) or absolutely (0).
Available Tags¶
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Hooks¶
sys_utimensat_time32¶
Type¶
Kprobe.
Purpose¶
Locate applications making syscalls to utimensat_time32 and analyze their parameters.
Example Use Case¶
A system administrator could use this event to monitor writes to important files or directories and log whenever their timestamps are changed by any user or process.
Issues¶
Due to the limited range of timespec values (1902-2038), utimensat_time32 is not suitable for applications needing more flexible timestamp handling.
Related Events¶
utimensat, utimensat_time64
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.