llistxattr - get extended attribute names for a file
The llistxattr syscall is used to retrieve the list of names of extended attributes associated with the specified file path. The names are stored as a NULL-terminated array of strings in the buffer pointed to by list. The buffer should have a size of size bytes. The size can be found by calling fgetxattr on the file with a NULL buffer. If the list size exceeds size, ERANGE is returned, and a higher size should be used.
const char*[K] - path to the file or directory
char*[K,U] - buffer used to transfer attribute names
size_t[K] - size of buffer for attribute list
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobes and Uprobe.
Capturing attempts to retrieve a list of extended attributes associated with a file.
Example Use Case
A monitoring app secures user data and checks whether a user is engaging in forbidden behavior. The app uses the llistxattr syscall to determine which extended attributes are associated with the user's files.
This syscall may be vulnerable to TOCTOU (time-of-check-time-of-use) race conditions.
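The buffer handling described above, as an added example that is not Tracee's code: it probes the list size by calling llistxattr itself with a zero size (the behavior documented in listxattr(2)), retries on ERANGE in case the list grew between the probe and the read, and validates the returned buffer as consecutive NUL-terminated names. The helper names count_xattr_names and read_xattr_list and the retry limit are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Count names in a llistxattr-style buffer (back-to-back NUL-terminated
 * strings). Returns -1 if the last name is not terminated within len. */
static int count_xattr_names(const char *list, size_t len)
{
    int n = 0;
    for (size_t off = 0; off < len; n++) {
        const char *end = memchr(list + off, '\0', len - off);
        if (end == NULL)
            return -1;
        off = (size_t)(end - list) + 1;
    }
    return n;
}

/* Probe the size, allocate, then read. The list can change between the
 * two calls, so ERANGE on the read triggers a fresh probe (8 tries, an
 * arbitrary limit chosen for this example). Caller frees *out. */
static ssize_t read_xattr_list(const char *path, char **out)
{
    *out = NULL;
    for (int attempt = 0; attempt < 8; attempt++) {
        ssize_t need = llistxattr(path, NULL, 0);
        if (need <= 0)
            return need;              /* 0: no attributes, -1: error */
        char *buf = malloc((size_t)need);
        if (buf == NULL)
            return -1;
        ssize_t got = llistxattr(path, buf, (size_t)need);
        if (got >= 0) { *out = buf; return got; }
        free(buf);
        if (errno != ERANGE)
            return -1;
    }
    errno = EAGAIN;
    return -1;
}

int main(int argc, char **argv)
{
    char *list = NULL;
    ssize_t len = read_xattr_list(argc > 1 ? argv[1] : ".", &list);
    if (len < 0) { perror("llistxattr"); return 1; }
    printf("%d attribute name(s)\n", count_xattr_names(list, (size_t)len));
    for (ssize_t off = 0; off < len; off += (ssize_t)strlen(list + off) + 1)
        printf("  %s\n", list + off);
    free(list);
    return 0;
}
```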
fgetxattr - get the value of a single extended attribute for a file
lgetxattr - get the value of an extended attribute for a file
setxattr - set an extended attribute for a file
lsetxattr - set an extended attribute for a file relative to a directory
removexattr - remove an extended attribute for a file or directory
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.