Skip to content



lremovexattr - remove an extended attribute from a file or directory.


The lremovexattr() system call removes the extended attribute specified by name from the file specified by path. Extended attributes are metadata associated with a file or directory, which may include things such as access control lists, security labels, and file system capabilities. If the path argument refers to a symbolic link, the attributes of the symbolic link itself are modified, rather than the attributes of the file or directory referenced by the symbolic link.


  • path : const char* [K] - Path to the file or directory.
  • name : const char* [K] - Name of the attribute to be removed.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




kprobe + kretprobe


To detect calls and returns of the lremovexattr() syscall.

Example Use Case

An application might use lremovexattr() to remove extended attributes such as an ACL from a file or directory.


The lremovexattr() system call is not supported on many systems.

  • lgetxattr
  • llistxattr
  • lsetxattr

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.