# accept4

## Intro
accept4 - a system call for accepting incoming connections on a listening socket
## Description
The `accept4` system call is used by a server process to accept incoming connections on a listening socket. It is a variant of the `accept` system call with an additional `flags` parameter that controls how the new connection socket is created. The `SOCK_NONBLOCK` flag puts the accepted socket (not the listening one) into non-blocking mode atomically, so later reads and writes on the connection return immediately instead of stalling the server, and no separate `fcntl(F_SETFL, O_NONBLOCK)` call is needed; whether `accept4` itself blocks when no connection is pending still depends on the listening socket's own non-blocking state. The `SOCK_CLOEXEC` flag sets close-on-exec on the accepted descriptor so it is not inherited across `execve`, closing the window in which an `accept` followed by `fcntl(FD_CLOEXEC)` could leak the connection to a child forked in between. These are the only two flags Linux accepts; any other bit makes the call fail with `EINVAL`.
The `sockfd` parameter is the file descriptor of the listening socket. The `addr` and `addrlen` parameters point to a `sockaddr` structure and to its length, respectively, and receive the peer address of the accepted connection. `addrlen` is a value-result argument: the caller sets it to the size of the buffer before the call, and the kernel overwrites it with the size of the address it stored (the address is truncated if the buffer was too small). Both pointers may be NULL when the caller does not need the peer address. The `flags` parameter controls the type of socket that is created, as described above.
## Arguments
* `sockfd`:`int`[K] - the file descriptor of the listening socket.
* `addr`:`struct sockaddr*`[K,U] - pointer to a `sockaddr` in which the peer address of the accepted connection is stored.
* `addrlen`:`int*`[K,U] - pointer to an integer holding the size of the `struct sockaddr` buffer on entry and the length of the stored address on return.
* `flags`:`int`[K] - flags to control the type of socket that is created (e.g. `SOCK_NONBLOCK`), passed as a bitmask.
### Available Tags
* K - Originated from kernel-space.
* U - Originated from user space (for example, read through a pointer into user-space memory).
* TOCTOU - Vulnerable to TOCTOU (time of check, time of use).
* OPT - Optional argument - might not always be available (passed with a null value).
## Hooks
### Type
Tracepoint + Kprobe
### Purpose
To monitor the `accept4` system call and its arguments, in particular the `flags` parameter.
## Example Use Case
An example use case would be a web server that accepts many short-lived connections and services them from an event loop. By passing `SOCK_NONBLOCK` (usually together with `SOCK_CLOEXEC`) to `accept4`, the server receives each accepted socket already in non-blocking, close-on-exec mode in a single system call, instead of following `accept` with two `fcntl` calls during which the socket is briefly blocking and inheritable by child processes. The call itself still waits for a pending connection unless the listening socket is non-blocking, in which case it fails with `EAGAIN` and the server returns to `select`/`epoll`.
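The program below is an added example, not code from Tracee or from this page, that makes the flag semantics concrete. It assumes Linux with glibc, builds the listener and the client in one process over loopback (a constructed setup, so it runs offline), accepts with `accept4` and then asks the kernel, via `fcntl`, which properties the accepted descriptor actually has, and checks that `addrlen` was rewritten and that the reported peer is the client socket. The function and enum names (`accept_loopback_with_flags`, `describe_accept4_flags`, `ACC_*`) are this example's own; the second function decodes the raw `flags` integer an event carries into constant names, using the header constants rather than hard-coded bits because the numeric values differ between architectures.

```c
#define _GNU_SOURCE          /* exposes accept4() in glibc's <sys/socket.h> */
#include <arpa/inet.h>
#include <fcntl.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef __USE_GNU
/* If the feature macros were fixed by an earlier include, glibc does not
 * declare accept4(); invoke the same system call directly in that case. */
#define accept4(fd, addr, len, flags) \
    ((int)syscall(SYS_accept4, (fd), (addr), (len), (flags)))
#endif

/* Bits returned by accept_loopback_with_flags(), describing the accepted fd. */
enum {
    ACC_NONBLOCK   = 1, /* O_NONBLOCK is set on the accepted socket */
    ACC_CLOEXEC    = 2, /* FD_CLOEXEC is set on the accepted socket */
    ACC_ADDRLEN_OK = 4, /* *addrlen was rewritten to sizeof(struct sockaddr_in) */
    ACC_PEER_OK    = 8, /* addr holds the connecting client's own address */
};

/* Listen on 127.0.0.1 with an ephemeral port, connect a client to it from the
 * same process, accept with accept4(flags) and report what the kernel applied.
 * Returns a bitmask of ACC_* values, or -1 if any call fails. */
int accept_loopback_with_flags(int flags)
{
    int lfd = -1, cfd = -1, afd = -1, result = -1;
    struct sockaddr_in srv = { .sin_family = AF_INET, .sin_port = 0,
                               .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr_in peer, cli;
    socklen_t slen = sizeof srv, plen, clen = sizeof cli;

    lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || bind(lfd, (struct sockaddr *)&srv, sizeof srv) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&srv, &slen) < 0)
        goto out;

    /* A blocking loopback connect() returns once the handshake completes, so
     * the connection is already queued on lfd when accept4() is called. */
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (cfd < 0 || connect(cfd, (struct sockaddr *)&srv, sizeof srv) < 0)
        goto out;

    /* addrlen is value-result: it must hold the buffer size before the call
     * and is overwritten with the size of the address the kernel stored. */
    memset(&peer, 0, sizeof peer);
    plen = sizeof peer;
    afd = accept4(lfd, (struct sockaddr *)&peer, &plen, flags);
    if (afd < 0)
        goto out;

    result = 0;
    if (fcntl(afd, F_GETFL) & O_NONBLOCK) result |= ACC_NONBLOCK;
    if (fcntl(afd, F_GETFD) & FD_CLOEXEC) result |= ACC_CLOEXEC;
    if (plen == sizeof peer) result |= ACC_ADDRLEN_OK;
    if (getsockname(cfd, (struct sockaddr *)&cli, &clen) == 0 &&
        cli.sin_port == peer.sin_port &&
        cli.sin_addr.s_addr == peer.sin_addr.s_addr)
        result |= ACC_PEER_OK;
out:
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    if (lfd >= 0) close(lfd);
    return result;
}

/* Render a raw flags bitmask as kernel constant names, the way an analyst
 * decodes the value recorded in an event; unrecognised bits are kept as hex. */
const char *describe_accept4_flags(int flags, char *buf, size_t len)
{
    int rest = flags & ~(SOCK_NONBLOCK | SOCK_CLOEXEC);
    char hex[16];
    buf[0] = '\0';
    if (flags & SOCK_NONBLOCK) strncat(buf, "SOCK_NONBLOCK|", len - strlen(buf) - 1);
    if (flags & SOCK_CLOEXEC) strncat(buf, "SOCK_CLOEXEC|", len - strlen(buf) - 1);
    if (rest) {
        snprintf(hex, sizeof hex, "0x%x|", (unsigned)rest);
        strncat(buf, hex, len - strlen(buf) - 1);
    }
    if (buf[0]) buf[strlen(buf) - 1] = '\0';   /* drop the trailing '|' */
    else snprintf(buf, len, "0");
    return buf;
}

int main(void)
{
    char desc[64];
    int flags[] = { 0, SOCK_NONBLOCK, SOCK_NONBLOCK | SOCK_CLOEXEC };
    for (size_t i = 0; i < sizeof flags / sizeof flags[0]; i++)
        printf("flags=%-26s -> result bits 0x%x\n",
               describe_accept4_flags(flags[i], desc, sizeof desc),
               accept_loopback_with_flags(flags[i]));
    return 0;
}
```

With `flags = 0` the accepted socket comes back blocking and inheritable while `addrlen` and the peer address are still filled in; with `SOCK_NONBLOCK | SOCK_CLOEXEC` both descriptor flags are set in the same call. Because `connect()` on loopback completes before it returns, the blocking `accept4(lfd, ..., 0)` case never stalls here; against a non-blocking listener with nothing queued it would return `-1` with `EAGAIN` instead.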
## Issues
The `flags` argument is an integer passed by value and captured from kernel space, so it cannot change after the syscall is entered and is not subject to TOCTOU. The exposure lies in `addr` and `addrlen`, which point into the monitored process's own memory: the kernel fills them during the call, and Tracee reads them back from user space afterwards. A second thread in the same process can overwrite that buffer between the kernel's write and Tracee's read, so the peer address in the event may differ from the one the application actually received. Detection logic should treat the reported address as best-effort and corroborate it with other network events rather than relying on it alone.
## Related Events
* `bind` - used to bind the socket to an address
* `listen` - used to begin listening for incoming connections
* `select` - used to wait for incoming connections in non-blocking mode
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.