fspick - Select/open/unlink files in Linux systems.
fspick is used to open/select or unlink files from the file system. It is usually used to verify if a particular file exists in a certain directory. The flags parameter can be used to control how to open the file and if it should be opened exclusively.
pathname is supplied either as an absolute path or relative to an open file pointer pointed to by dirfd. The value can be obtained from one of the creat syscalls. Thus, if the dirfd parameter is set to
pathname should be an absolute path.
dirfd: int[K] - File descriptor to the directory from which pathname will be evaluated. If the value is set to
pathname should be an absolute path.
pathname: const char*[K] - The target filename or directory to open.
flags: unsigned int[K] - Flags defining whether or not the file should be opened in an exclusive mode, or just for reading and writing.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Monitoring of incoming and outgoing calls to the
Example Use Case
fspick syscall to verify if a particular file exists in a certain directory before attempting to open it.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.