faccessat - Tests the accessibility of the file or directory referred to by file descriptor
The faccessat function checks whether the current user can access the file referred to by
pathname. It checks for the type of access indicated by
mode, which is either F_OK (file existence check), R_OK (read permission check), W_OK (write permission check), or X_OK (execute permission check). The
flags argument allows additional enhancements to the permission check. If
pathname is an empty string,
faccessat will check for the same permission in the directory referred to by
This function is useful when you want to check permissions of a file before opening it, in order to avoid any security issues related to time-of-check to time-of-use (TOCTOU) vulnerabilities.
dirfd: int - File descriptor of the directory containing the file to be checked
pathname: const char* - Relative or absolute pathname of the file to be checked
mode: int - Type of access to be checked, can be one of:
- F_OK - file existence check.
- R_OK - read permission check.
- W_OK - write permission check.
- X_OK - execute permission check.
flags: int[U,OPT] - Allows additional enhancements to the permission check. Currently only 0 and AT_EACCESS are supported.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobes + Kretprobes
To capture syscalls made by processes and any errors that occur.
Example Use Case
One possible use case is to monitor user account permissions. This could be particularly useful for security monitoring of users and applications by using the
faccessat syscall to check for allowed or denied access to files.
There are potential TOCTOU (time-of-check to time-of-use) vulnerabilities associated with
faccessat, because the permission check done by the syscall is not atomic with the later use of the file. If permission is granted when checked but has changed to denied before the file is actually used, the result of the check is no longer reliable.
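The race described above, as an added C example (not part of the Tracee documentation or code): `open_racy` checks with faccessat and then opens, while `open_verified` opens with openat and validates the descriptor it actually got with fstat. The function names and the temporary directory and file names are constructed for illustration, and Linux behaviour (ELOOP from O_NOFOLLOW on a symlink) is assumed.

```c
/* Added example (not Tracee code): racy check-then-open vs. open-then-verify. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Racy: the name can be re-pointed between faccessat() and openat(). */
int open_racy(int dirfd, const char *name)
{
    if (faccessat(dirfd, name, R_OK, 0) != 0) return -1;
    /* window: "name" may resolve to a different object from here on */
    return openat(dirfd, name, O_RDONLY | O_CLOEXEC);
}

/* Open first, then validate the object actually opened through its descriptor.
 * O_NOFOLLOW rejects a symlink as the final component (ELOOP on Linux);
 * O_NONBLOCK keeps the open from blocking if the name is a FIFO. */
int open_verified(int dirfd, const char *name)
{
    struct stat st;
    int fd = openat(dirfd, name, O_RDONLY | O_NOFOLLOW | O_CLOEXEC | O_NONBLOCK);
    if (fd < 0) return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EACCES;
        return -1;
    }
    return fd;
}

/* Constructed scenario: "data" is a regular file, "link" a symlink to it. Bits:
 * 1 = open_racy follows link, 2 = open_verified opens file, 4 = it refuses link. */
int demo(void)
{
    char dir[] = "/tmp/faccessat_demoXXXXXX";
    int r = 0, fd, dfd = mkdtemp(dir) ? open(dir, O_RDONLY | O_DIRECTORY) : -1;
    if (dfd < 0 || (fd = openat(dfd, "data", O_CREAT | O_WRONLY, 0600)) < 0)
        return -1;
    close(fd);
    if (symlinkat("data", dfd, "link") != 0) return -1;
    if ((fd = open_racy(dfd, "link")) >= 0) { r |= 1; close(fd); }
    if ((fd = open_verified(dfd, "data")) >= 0) { r |= 2; close(fd); }
    if (open_verified(dfd, "link") < 0 && errno == ELOOP) r |= 4;
    unlinkat(dfd, "link", 0); unlinkat(dfd, "data", 0); close(dfd); rmdir(dir);
    return r;
}
int main(void) { return demo() == 7 ? 0 : 1; }
```

In `open_verified` the kernel performs the permission check as part of openat itself, so there is no separate check whose result can go stale before the file is used.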
openat: Used for opening files, and may be used in conjunction with
faccessat to safely open files.
stat: Used for getting information about files, and can be useful to check for permission changes between checks done by the
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.