Skip to content



setxattr - Set extended attributes on regular, special, and symbolic link files


The setxattr() system call sets the extended attributes associated with the file path to the name, value and size pointed to by the arguments name, value and size, respectively. The flags argument is a bitwise-or of flags that let the application control how the extended attribute is created.

If the name is except for existing attributes and the size of the attribute is larger than the existing attribute, the existing value is overwritten. If the attribute does not exist on the file and the size of the attribute is 0, a new attribute is created.

The flags argument can be used to control how the extended attribute is created, or if it should fail if the extended attribute already exists. The flags value should be set to 0 to create a new attribute, or the value XATTR_CREATE to ensure that the attribute is newly created and will fail with an EEXIST error if it already exists.


  • path:const char*[K] - The full path to the file to set the extended attribute.
  • name:const char*[U] - The name of the extended attribute to set.
  • value:const void*[U] - The value to set the extended attribute to.
  • size:size_t[U] - The size in bytes of the value.
  • flags:int[U] - Bitwise-or of flags that let the application control how the extended attribute is created.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






Inspect execution of the setxattr system call.

Example Use Case

setxattr can be used to set extended attributes on a regular file, special file, or symbolic link. These attributes can be used to store arbitrary information associated with the file, such as data needed to validate a cryptographic signature or provide access control information.


setxattr is vulnerable to TOCTOU (time of check, time of use) attack.

  • getxattr - Get extended attributes associated with a file
  • listxattr - Return lists of extended attributes for a file

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.