Skip to content



newfstatat - obtains information about a file relative to a directory file descriptor


The newfstatat() system call is used to obtain information about a file relative to a directory file descriptor. It is similar the fstat() call, but the file descriptor is related to a directory in which the pathname is relative to. The dirfd parameter of this call is an open file descriptor for a directory, and the pathname parameter is a pathname within that directory; the system call then does the same sort of thing with this file as fstat() does for a given file descriptor. The flags parameter of this call can have different values indicating the behaviour of this call. Returned information about the file will be stored in the statbuf buffer.

Are there any edge-cases, drawbacks or advantages of using it?

The advantage of using newfstatat() is that it is able to obtain information about a file within a directory without requiring a full pathname, just a filename relative to the directory. The main drawback of using newfstatat() is its lack of support for certain flags that fstat() or stat() might provide.


  • dirfd: int[K] - an open file descriptor for the directory.
  • pathname: const char*[U] - the pathname of the file relative to the directory.
  • statbuf: struct stat*[K] - address where information about the file is returned.
  • flags: int[K] - flags describing the behaviour of the call.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Kprobe + Kretprobe


Capturing the file descriptor, flags and pathname arguments and returning the updated file stats.





To lookup the pathname passed as an argument and ensure it is valid.

Example Use Case

This event could be used to monitor file access attempts within a directory, such as attempts to access a configuration file or secret file, by logging the pathname of the file and the status of the operation.


newfstatat() is not able to provide information based on certain flags that would be used with fstat() and stat().

  • fstat()
  • stat()

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.