fgetxattr - get an extended attribute value in a file or directory
The fgetxattr() function retrieves the value of the extended attribute specified by name and associated with the file fd, up to size bytes, and places the result in value.
The name argument points to a null-terminated string. The fd argument is a file descriptor associated with an open file. The value argument is a pointer to a buffer that is at least size bytes in length. The size argument specifies the size of the buffer in bytes. Thus, if value points to a buffer that is too small to hold the value of the requested attribute, the size of the attribute is returned in size and no data is returned in value.
There are several noteworthy edge cases with fgetxattr(). First, fgetxattr() will not follow symbolic links. Second, when used on relative paths, the path will be interpreted relative to the directory indicated by the fd argument. Lastly, if the value argument is NULL or the size argument is 0, then the size of the attribute will be returned in size without any data being returned in value.
- fd: int - File descriptor associated with an open file.
- name: const char* - Name of the extended attribute.
- value: void*[U] - Pointer to the buffer that will be filled with the attribute value.
- size: size_t - Size of the buffer in bytes.
- U - Originated from user space.
To spy on calls to the underlying do_fgetxattr kernel function and capture information about arguments and return values.
Example Use Case
Monitoring and auditing of programs that use fgetxattr() to retrieve extended attributes.
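One way to do the auditing described above, as an added example rather than Tracee's own code: it summarises fgetxattr events per process and attribute name, counting size-only probes and failed calls. The event lines are constructed, the JSON field layout (eventName, processName, returnValue, args) is an assumption about Tracee's JSON output, and the argument names fd, name, value and size follow this page.

```python
import json
from collections import defaultdict

# Constructed sample: one JSON event per line, in the assumed shape of Tracee's
# JSON output (eventName, processName, returnValue, args[] of name/value pairs).
SAMPLE_EVENTS = """\
{"eventName":"fgetxattr","processName":"getcap","returnValue":20,"args":[{"name":"fd","value":3},{"name":"name","value":"security.capability"},{"name":"value","value":"0x7ffc2a10"},{"name":"size","value":24}]}
{"eventName":"fgetxattr","processName":"backup-agent","returnValue":64,"args":[{"name":"fd","value":5},{"name":"name","value":"user.checksum"},{"name":"value","value":"0x0"},{"name":"size","value":0}]}
{"eventName":"fgetxattr","processName":"backup-agent","returnValue":64,"args":[{"name":"fd","value":5},{"name":"name","value":"user.checksum"},{"name":"value","value":"0x55d0c3a0"},{"name":"size","value":64}]}
{"eventName":"fgetxattr","processName":"ls","returnValue":-61,"args":[{"name":"fd","value":4},{"name":"name","value":"security.selinux"},{"name":"value","value":"0x7ffd91b0"},{"name":"size","value":255}]}
{"eventName":"openat","processName":"ls","returnValue":4,"args":[{"name":"pathname","value":"/etc"}]}
{"eventName":"fgetxattr","processName":"trunc
"""

# xattr namespaces treated as review-worthy here (a choice made for this example).
SENSITIVE_PREFIXES = ("security.", "trusted.")


def audit_fgetxattr(lines):
    """Summarise fgetxattr events per (process name, attribute name)."""
    report = defaultdict(lambda: {"calls": 0, "size_probes": 0, "failed": 0, "sensitive": False})
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or truncated lines instead of aborting the audit
        if not isinstance(event, dict) or event.get("eventName") != "fgetxattr":
            continue
        args = {a.get("name"): a.get("value") for a in (event.get("args") or [])}
        attr = args.get("name")
        if not isinstance(attr, str):
            continue
        entry = report[(event.get("processName", "?"), attr)]
        entry["calls"] += 1
        if args.get("size") == 0:  # size 0: the caller only asks for the length
            entry["size_probes"] += 1
        if event.get("returnValue", 0) < 0:  # negative return value: the call failed
            entry["failed"] += 1
        entry["sensitive"] = attr.startswith(SENSITIVE_PREFIXES)
    return dict(report)


if __name__ == "__main__":
    for (proc, attr), stats in sorted(audit_fgetxattr(SAMPLE_EVENTS.splitlines()).items()):
        print(proc, attr, stats)
```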
The value argument must point to a buffer in user space.
- fsetxattr - Set an extended attribute value in a file or directory
- flistxattr - List extended attribute keys and associated values
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.