lstat64 - Retrieve information about a file
The lstat64() system call retrieves information about a file or symbolic link stored in the file system. The information it returns is similar to that returned by stat64(), but lstat64() does not follow symbolic links: when the path names a symbolic link, the result describes the link itself rather than its target. This is useful when an application needs to check the file type of a symbolic link, or when the target of the link might be a directory.
The lstat64() system call is also useful for finding out whether the file is a regular file, a symbolic link, a directory, a character special device, a block special device, a named pipe, a socket, or an executable image.
The lstat64() system call is part of the Base Specifications Issue 6 (SUSv6) and conforms to IEEE Std 1003.1-2008 (POSIX.1).
const char*[K] - File or directory path.
struct stat64*[U] - Pointer to the given structure, containing information about the file.
- K - Originated from kernel-space.
- U - Originated from user space (for example, a pointer to user-space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To detect when the lstat64 system call is invoked.
Example Use Case
A file integrity monitoring system or a logging system that needs to keep track of information about the files present in the system can use the lstat64 system call to retrieve information about a given file.
The lstat64 system call is vulnerable to a TOCTOU (time of check, time of use) race condition, in which the state of the file can change between the moment it was checked and the moment the system call is executed.
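The symlink behaviour and the check-to-use gap described above, as an added example (not code from the Tracee project): a monitor-style C routine classifies a path with lstat(), opens it with O_NOFOLLOW, and compares fstat() on the descriptor with the earlier lstat() result. The helper names and the /tmp fixture are constructed for illustration; the code calls lstat(), which glibc maps to its 64-bit variant when _FILE_OFFSET_BITS is 64.

```c
#define _GNU_SOURCE
#define _FILE_OFFSET_BITS 64 /* glibc then maps lstat() to its 64-bit variant */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* File type of the path itself: a symlink is reported as S_IFLNK. 0 on error. */
static mode_t type_nofollow(const char *path) {
    struct stat st;
    return lstat(path, &st) == 0 ? (st.st_mode & S_IFMT) : 0;
}

/* Check, then use, without trusting the path twice: lstat it, open it with
 * O_NOFOLLOW, fstat the fd and require the same device/inode. -1 on failure. */
static int open_regular_checked(const char *path) {
    struct stat before, after;
    if (lstat(path, &before) != 0) return -1;
    if (!S_ISREG(before.st_mode)) { errno = EINVAL; return -1; }
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
    if (fd < 0) return -1; /* ELOOP if the path became a symlink meanwhile */
    if (fstat(fd, &after) != 0 || !S_ISREG(after.st_mode) ||
        after.st_dev != before.st_dev || after.st_ino != before.st_ino) {
        close(fd); errno = ESTALE; /* path swapped between check and open */
        return -1;
    }
    return fd;
}

/* Constructed fixture: temp dir, regular file, symlink to it. 0 = all as expected. */
static int demo(void) {
    char dir[] = "/tmp/lstat-demo-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/data", dir);
    snprintf(lnk, sizeof lnk, "%s/link", dir);
    int fd = open(file, O_CREAT | O_WRONLY, 0600);
    if (fd < 0 || close(fd) != 0 || symlink(file, lnk) != 0) return -1;
    struct stat followed;
    int ok = type_nofollow(lnk) == S_IFLNK && type_nofollow(file) == S_IFREG
          && stat(lnk, &followed) == 0 && S_ISREG(followed.st_mode)
          && open_regular_checked(lnk) == -1;
    fd = open_regular_checked(file); ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok ? 0 : 1;
}
int main(void) { return demo(); }
```

Once the descriptor is open, later reads and fstat() calls refer to the same inode regardless of what the path is changed to afterwards.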
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.