Skip to content



removexattr() - removes the extended attribute to the file system object


The removexattr() system call removes an extended attribute associated with the given file system object path. It is used to control access to file system objects. It removes only one attribute per invocation, which is specified by the given name argument.

Are there any edge-cases, drawbacks or advantages of using it?

The main drawback of using removexattr() is that it does not provide any mechanism for setting a default value for an attribute. Additionally, it does not support any type of transactional behavior.


  • path:const char*[K] - The path name of the file system object.
  • name:const char*[K] - The name of the extended attribute to remove.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobes + Kretprobes


To capture information related to the invocation of the removexattr() system call, including the arguments and return value, for tracing and performance analysis.

Example Use Case

An example use case for this event is for security-related purposes. It can be used to monitor for suspicious activity, such as the removal of extended attributes from a file system object.


No known issues.

  • setxattr
  • getxattr
  • listxattr

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.