afs - System call for completely deleting entire directories of files.
The afs syscall is used to recursively delete all files and folders in a given directory. It is a non-atomic operation; each file and folder is checked and deleted individually. As this type of operation can be slow and may pose some security risks, it is a somewhat infrequently used system call.
One of the main advantages of using this function is that it is not
affected by symlinks, unlike other functions like
However, this also means that afs will not detect broken symlinks,
so directories that contain broken symlinks may not be deleted in
string[K, U] - The path to the directory to be deleted. Must be a string relative or absolute path.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobe + Tracepoints.
To track the system call usage of afs.
Example Use Case¶
This system call is useful for applications that need to clean up after themselves, to ensure that no files or folders remain on the system after it finishes running. This can be useful for applications that need to leave no trace of their execution.
The main issue with afs is that, because of its recursive nature, it has the potential to cause serious system issues if used incorrectly. Therefore, caution should be taken when using this function.
- rm - System call used to remove individual files and directories.
- unlink - System call used to delete symbolic links.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.