The statx syscall is used to get information about a filesystem object. It's similar to the stat syscall, but supports a more fine-grained mask argument which controls which fields are returned.
statx retrieves information about various filesystem objects (such as regular files, directories and links). Its main advantage over the stat syscall is the ability to specify a mask argument which controls which fields are returned in the struct statx pointer argument. This reduces the number of system calls needed to retrieve multiple pieces of information about a filesystem object, and makes the call more efficient.
statx supports some flags which modify the operation, like AT_NO_AUTOMOUNT, which tells the system not to mount a filesystem automatically when necessary.
The statx syscall is part of the new libpfc library which simplifies common filesystem operations.
- int - File descriptor for a directory from which the relative path is evaluated, or AT_FDCWD for the current working directory.
- const char*[U] - Null-terminated pathname relative to the
- int[K] - Flags which modify the operation. See the statx manual page for the available set of flags.
- unsigned int[K] - Bitmask field which defines what fields of the struct statx pointer argument to populate.
- struct statx*[U] - Pointer to a struct statx which will be populated with the information from the filesystem object, according to the
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
To observe calls to the statx syscall, and get information about the arguments being passed.
Example Use Case
You can use statx to get information about a file in order to determine if it should be included in a tarball, like when making a backup or when creating an archive. By specifying the appropriate bitmask for the mask argument, you can retrieve only the necessary information.
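The backup decision described above, as an added example that is not Tracee code: it requests only the type and modification-time fields and checks stx_mask before trusting them. The helper name should_archive, the `since` cutoff and the /tmp sample path are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>     /* AT_FDCWD, AT_SYMLINK_NOFOLLOW, AT_NO_AUTOMOUNT */
#include <sys/stat.h>  /* statx(), struct statx, STATX_*, S_ISREG */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Hypothetical helper (not from Tracee): decide whether `path`, resolved
 * relative to `dirfd`, belongs in an archive of files changed since `since`
 * (epoch seconds). Returns 1 = include, 0 = skip, -1 = error. */
int should_archive(int dirfd, const char *path, long long since)
{
    /* Request only the fields the decision needs. */
    const unsigned int want = STATX_TYPE | STATX_MTIME;
    /* Inspect a trailing symlink itself and do not trigger automounts. */
    const int flags = AT_SYMLINK_NOFOLLOW | AT_NO_AUTOMOUNT;
    struct statx stx;

    memset(&stx, 0, sizeof stx);
    if (statx(dirfd, path, flags, want, &stx) != 0)
        return -1;
    /* stx_mask reports which fields the kernel actually filled in. */
    if ((stx.stx_mask & want) != want)
        return -1;
    if (!S_ISREG(stx.stx_mode))
        return 0;               /* symlinks, directories, devices: skip */
    return stx.stx_mtime.tv_sec >= since ? 1 : 0;
}

int main(void)
{
    char path[] = "/tmp/statx_demo_XXXXXX";   /* constructed sample file */
    int fd = mkstemp(path);
    if (fd < 0) { perror("mkstemp"); return 1; }
    close(fd);
    printf("%s -> %d\n", path, should_archive(AT_FDCWD, path, 0));
    unlink(path);
    return 0;
}
```

The result is a snapshot of the path at call time; the pathname is resolved again when the file is later opened, which is the window the TOCTOU tag refers to.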
The kernel does not support the FOLLOW flag, which enables the syscall to follow symbolic links. This limits the usefulness of the syscall when dealing with links.
- stat - Syscall to get information about a filesystem object, which does not support a bitmask argument.
- fstatat - Syscall to get information about a filesystem object given a file descriptor and a relative path.
- openat - Syscall to open a file given a file descriptor and a relative path.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.