Skip to content



lgetxattr - Get the value of an extended attribute for a given file.


lgetxattr returns the value of an extended attribute associated with the given file to the variable pointed to by value. The size of the extended attribute should be no more than size, and will be stored in the variable pointed to by size. Extended attributes are associated with a file, directory, or other filesystem object, and are extensions to the normal attributes associated with every filesystem object, such as its size or permissions.

Due to kernel implementation details and filesystem limitations, detailed information about extended attributes may not be available until lgetxattr returns. In such cases, the size returned in size may not properly reflect the size of the extended attribute, meaning that the value returned in value may not be the whole of what is expected. Additionally, extended attribute values may include special values and certain filesystem attributes that may require additional processing prior to use. If the actual size of the extended attribute exceeds the specified size, the value contained in value will be truncated and only the first size bytes will be returned in value.


  • path:const char*[K] - Path of the file whose attribute is to be retrieved.
  • name:const char*[K] - Name of the attribute being retrieved.
  • value:void*[K U] - Pointer to user-space address that will store the attribute value.
  • size:size_t[K U] - Size of the buffer pointed to by *value.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobe + Kretprobe


To retrieve the extended attribute value for a given file.

Example Use Case

lgetxattr could be used to retrieve xattrs (including security labels) from files, to enable security audits, tracing or other requirements such as mandatory access control.


Due to its nature, lgetxattr can potentially be subject to TOCTOU (time of check, time of use) race condition attacks. Care should be taken to ensure that the requested attribute is consistent between syscall entry and exit.

sys_getxattr, sys_listxattr, sys_fgetxattr, sys_setxattr, sys_fsetxattr

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.