fsetxattr - Set an extended attribute for a file
fsetxattr() system call sets an extended attribute for the given file system object relative to the open file descriptor
fd. The open file descriptor
fd is used to reference the object which should have the attribute set.
flags argument determines how the attribute is set. Attributes are creation, security, scalability and installation related informations.
Advantages of using
fsetxattr() is that it provides more control than
setxattr(), which is an analogous system call, that is used to affect the objects inside a file system.
int[K] - File descriptor. The file descriptor should reference a regular file.
const char*[K] - Name of the attribute.
const void*[K U] - Pointer to the supplied value. Its format is determined by the implementation.
size_t[K] - Size of the value referenced in the
int[K] - Flags designating how the attribute should be set.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To monitor the execution of
fsetxattr() system call.
Example Use Case¶
This event could be used to monitor the setting of custom attributes on files through the
fsetxattr() system call. This is useful for implementing metadata management, security policies or system customization features.
flags argument is not being checked, an attacker could set an extended attribute for a file that it shouldn't have access to.
fgetxattr- Get an extended attribute from a file
setxattr- Set an extended attribute to a file
removexattr- Remove an extended attribute from a file
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.