getdents - Reads directory entries from a file descriptor
The getdents() system call reads directory entries from an open file descriptor into a buffer. The entries are returned one after another, and each carries information about the entry, such as its inode number, offset and type. Programs use it to read and parse directories in the filesystem.
One of the advantages of using getdents() is that it is an efficient way to read directory entries without requiring the overhead of readdir() system calls required for looking up a particular directory entry. On the other hand, one of the drawbacks is that getdents() does not guarantee that the file descriptor provided is a directory.
int - File descriptor from which to read the entries.
struct linux_dirent* - Pointer to buffer of size count for the results.
unsigned int - Number of bytes of data that can be stored in
To trace directory entries read from a file descriptor.
Example Use Case
This event can be used to trace files and directories read by a process. This can be used to aid debugging as you can easily trace a program’s file access operations to find out if it is reading unexpected files or directories.
The count argument must be large enough to accommodate the data returned. Due to a kernel limitation, the maximum size of one struct linux_dirent is 2044 bytes. If the count argument is smaller than that, the syscall can read more data than the count argument allows, potentially leading to a buffer overflow.
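A consumer of the buffer that getdents() fills relies on each record's length field to reach the next entry, so the walk itself needs bounds checks. The following added example (not Tracee's or the kernel's code) parses such a buffer defensively. The record layout is taken from the getdents(2) manual page rather than from this page, the names dirent_hdr, walk_dirents and put_dirent are hypothetical, and the sample records are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Fixed record header per getdents(2); d_name follows, type is the last byte. */
struct dirent_hdr {              /* hypothetical name for this example */
    unsigned long  d_ino;        /* inode number */
    unsigned long  d_off;        /* offset to the next entry */
    unsigned short d_reclen;     /* length of this whole record */
};
#define NAME_OFF (offsetof(struct dirent_hdr, d_reclen) + sizeof(unsigned short))

/* Walk buf[0..nread). Returns the record count, or -1 if a record would take
 * the walk out of bounds. The type of entry `want` (if any) goes to *type. */
int walk_dirents(const unsigned char *buf, size_t nread,
                 const char *want, unsigned char *type)
{
    size_t pos = 0;
    int n = 0;
    while (pos < nread) {
        struct dirent_hdr h;
        if (nread - pos < NAME_OFF + 2)            /* header + NUL + type */
            return -1;
        memcpy(&h, buf + pos, NAME_OFF);           /* no unaligned access */
        if (h.d_reclen < NAME_OFF + 2 || h.d_reclen > nread - pos)
            return -1;                             /* zero, short or overlong */
        const char *name = (const char *)buf + pos + NAME_OFF;
        if (!memchr(name, '\0', h.d_reclen - NAME_OFF - 1))
            return -1;                             /* unterminated name */
        if (want && type && strcmp(name, want) == 0)
            *type = buf[pos + h.d_reclen - 1];
        pos += h.d_reclen;
        n++;
    }
    return n;
}

/* Constructed sample data: append one record at pos, return the new length. */
size_t put_dirent(unsigned char *buf, size_t pos, unsigned long ino,
                  const char *name, unsigned char type)
{
    size_t len = NAME_OFF + strlen(name) + 2;              /* NUL + type byte */
    len = (len + sizeof(long) - 1) & ~(sizeof(long) - 1);  /* kernel alignment */
    struct dirent_hdr h = { ino, 0, (unsigned short)len };
    memset(buf + pos, 0, len);
    memcpy(buf + pos, &h, NAME_OFF);
    memcpy(buf + pos + NAME_OFF, name, strlen(name));
    buf[pos + len - 1] = type;
    return pos + len;
}
```

Against a live directory, buf and nread would be the buffer passed to getdents() and the value it returned.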
open() - Reads directory entries from a file descriptor.
readdir() - Reads directory entries.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.