fstat - get file status
The fstat() system call obtains information about an open file based upon the file descriptor fd argument. The information is stored in the stat buffer pointed to by statbuf—which is of type struct stat, defined in
One advantage of fstat() is that it does not require opening the file prior to obtaining information about it. This can be useful for supporting access control, logging file accesses, etc. It has some potential downfalls, including the fact that a file can be removed from the system by the time the fstat() function is executed, making it vulnerable to a Time of Check, Time of Use (TOCTOU) race condition attack.
int[K] - File descriptor provided when the file was opened.
struct stat*[KU] - Pointer to a struct stat that will have the information about the file.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
kprobe + uprobe.
Hook the fstat() syscall entry point to get start latency and count how many times the syscall was called.
Example Use Case¶
For example, an application may use fstat() to determine whether or not a file is a directory. This can be useful for implementing access control mechanisms or logging accesses to files.
Due to fstat() not requiring a file to be opened before calling the function, hense not locking it, it is vulnerable to TOCTOU race condition attacks.
close, open, stat.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.