oldstat - get file status (struct __old_kernel_stat) for the given filename
The oldstat system call retrieves the file status (the content of the struct __old_kernel_stat) for the given filename. It fills the given structure with information about the file, like permissions, ownership, size, etc. It is typically used to gather data about a file, before attempting to use it in any way. It is important to note that its results might be subject to change due to the condition of the system (e.g. the user running the oldstat call does not have read access to the requested file).
char*[U] - Pointer to a buffer containing the name of the file whose status is to be retrieved.
struct __old_kernel_stat*[K] - Pointer to the previously allocated oldstat buffer structure into which the status information should be stored.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobe + Kretprobe
To gather information on what files were requested and their stat information before they were found.
Example Use Case¶
For example, an admin logging tool may want to log the oldstat calls of a process to get information about which files were accessed by it.
The information obtained from this event is only valid at the time of retrieval, meaning that subsequent changes to the file might have been made and yield unexpected results. Furthermore, the user running the oldstat system call must have read access to the requested file.
The stat system call is a newer version of the oldstat system call and offers a more robust way of retrieving status about files. The syslog system call also provides information about files being accessed.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.