statfs64 - obtain information about a mounted file system.
The statfs64 system call obtains information about a mounted file system on the Linux operating system. It copies the file system parameters from the superblock structure in kernel memory to the user-space struct statfs64 provided in the buf argument. sz specifies the size of the provided buf structure, so that the kernel can decide which version of the struct will be used. No data will be copied if the provided sz does not match the size of the corresponding struct in the kernel.
- const char*[U] - path of the file system that should be queried.
- size_t[U] - this argument specifies the size of the buf argument, allowing the kernel to determine which version of the struct statfs64 will be used.
- struct statfs64*[U] - pointer to a user-space buffer, where the information collected from the kernel will be stored.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobes + Uprobe
Monitors this syscall to collect information about mounted file systems.
Example Use Case
It can be used to collect information on mounted file systems, such as available disk space, block size and total number of blocks.
sz can cause issues if the user-space buffer size is not large enough for the corresponding struct size in the kernel.
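As an added example (not part of the Tracee documentation or code), the C program below makes the call this event reports and derives the figures named in the use case above. It goes through glibc's statfs64() wrapper, which supplies sz as sizeof(struct statfs64) on 32-bit ABIs; on 64-bit ABIs the wrapper issues the plain statfs system call instead. The struct fs_usage type and the query_fs() helper are hypothetical names chosen for this example.

```c
#define _LARGEFILE64_SOURCE /* glibc: expose struct statfs64 and statfs64() */
#include <errno.h>
#include <inttypes.h>
#include <stdio.h>
#include <sys/vfs.h>

/* Figures derived from one statfs64 result (hypothetical helper type). */
struct fs_usage {
    uint64_t fs_magic;    /* f_type, e.g. 0xEF53 for ext2/3/4 */
    uint64_t block_size;  /* unit in which the block counts are expressed */
    uint64_t total_bytes; /* f_blocks * block_size */
    uint64_t free_bytes;  /* f_bfree * block_size, includes reserved blocks */
    uint64_t avail_bytes; /* f_bavail * block_size, usable without privilege */
};

/* Returns 0 on success or a negative errno; *out is written only on success. */
int query_fs(const char *path, struct fs_usage *out)
{
    struct statfs64 buf;

    if (path == NULL || out == NULL)
        return -EINVAL;
    if (statfs64(path, &buf) != 0)
        return -errno; /* e.g. -ENOENT or -EACCES; buf is left unused */

    /* Block counts are in f_frsize units when the file system reports one. */
    uint64_t unit = buf.f_frsize ? (uint64_t)buf.f_frsize : (uint64_t)buf.f_bsize;
    out->fs_magic = (uint64_t)(unsigned long)buf.f_type;
    out->block_size = unit;
    out->total_bytes = (uint64_t)buf.f_blocks * unit;
    out->free_bytes = (uint64_t)buf.f_bfree * unit;
    out->avail_bytes = (uint64_t)buf.f_bavail * unit;
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/"; /* sample input: root fs */
    struct fs_usage u;
    int rc = query_fs(path, &u);

    if (rc != 0) {
        fprintf(stderr, "statfs64(%s) failed: errno %d\n", path, -rc);
        return 1;
    }
    printf("%s: magic=0x%" PRIx64 " block=%" PRIu64 " total=%" PRIu64
           " free=%" PRIu64 " avail=%" PRIu64 "\n", path, u.fs_magic,
           u.block_size, u.total_bytes, u.free_bytes, u.avail_bytes);
    return 0;
}
```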
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.