linkat - create a link to a file or directory
The linkat system call creates a new link to an existing file or directory, with the pathname specified by newpath. This can be used to create hard links across different file systems, and is especially useful when multiple copies of a file are present in different directories. The flags argument can be used to control the behavior of linkat with regard to symlinks, directory structure, and other aspects of the call.
- int[K] - file descriptor for the old directory. If oldpath relative to the current working directory.
- const char*[U] - path to the existing file or directory to link from. Must be a relative or absolute path.
- int[K] - file descriptor for the new directory. If newpath relative to the current working directory.
- const char*[U] - path to the existing file or directory to link to. Must be a relative or absolute path.
- unsigned int[K] - control behavior of linkat. Flag values may include AT_EMPTY_PATH. If a negative flag value is passed, then the flags parameter is ignored.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To trace the system call linkat
Example Use Case
To monitor a system running multiple different file systems and identify links being created between them.
When AT_EMPTY_PATH is used to pass the newpath argument, the path name is resolved against the current working directory. If a process changes its working directory, the result may differ from that of the previous call, which could be a security issue.
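The working-directory dependence described above, as an added example (not Tracee's code): a relative newpath passed with AT_FDCWD, the linkat(2) constant for "current working directory" that this page does not name, lands wherever the process has chdir'ed to, while a directory fd opened beforehand pins the destination. The function name, file names and /tmp scratch directory are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if path exists and is the same inode as ref, else 0. */
static int same_inode(const char *path, const struct stat *ref) {
    struct stat st;
    return stat(path, &st) == 0 && st.st_ino == ref->st_ino && st.st_dev == ref->st_dev;
}

/* Bit 0: the AT_FDCWD link landed in the directory the process chdir'ed to.
 * Bit 1: the dirfd-pinned link landed in the intended directory anyway.
 * Returns -1 on setup failure. Scratch files are left in place for inspection. */
int demo_linkat_cwd(void) {
    char base[] = "/tmp/linkat-demo-XXXXXX";   /* constructed scratch directory */
    char src[256], want[256], other[256], p[300];
    struct stat ref;
    int result = 0;

    if (!mkdtemp(base)) return -1;
    snprintf(src, sizeof src, "%s/data", base);
    snprintf(want, sizeof want, "%s/want", base);
    snprintf(other, sizeof other, "%s/other", base);
    if (mkdir(want, 0700) || mkdir(other, 0700)) return -1;
    int fd = open(src, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || fstat(fd, &ref)) return -1;
    close(fd);

    /* Pin the intended destination directory before the cwd changes. */
    int dirfd = open(want, O_RDONLY | O_DIRECTORY);
    if (dirfd < 0 || chdir(other)) return -1;   /* cwd is now "other" */

    /* Relative newpath + AT_FDCWD resolves against whatever the cwd is now. */
    if (linkat(AT_FDCWD, src, AT_FDCWD, "cwd-link", 0) == 0) {
        snprintf(p, sizeof p, "%s/cwd-link", other);
        result |= same_inode(p, &ref);
    }
    /* Relative newpath + pinned dirfd is unaffected by the chdir. */
    if (linkat(AT_FDCWD, src, dirfd, "pinned-link", 0) == 0) {
        snprintf(p, sizeof p, "%s/pinned-link", want);
        result |= same_inode(p, &ref) << 1;
    }
    close(dirfd);
    return result;
}
int main(void) { printf("result bits: %d\n", demo_linkat_cwd()); return 0; }
```

When reviewing traced linkat events, a relative newpath is only meaningful together with the new-directory fd argument and the calling process's working directory at the time of the call.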
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.