symlinkat - Creates a symbolic link named by linkpath to an object referenced by target.
Symlinkat creates a symbolic link with the name specified in linkpath to the object referenced by target. It differs from symlink in that linkpath is relative to the directory file descriptor provided in
Normally, symbolic links can only point to other files located in the same filesystem. However, when the target argument is prefixed with /proc/self/fd/, it can reference a file descriptor opened by the same process.
There are a few possible edge-cases when using
already exists, the existing link will be overwritten, and if the directory newdirfd is not writable, an EACCES error will be returned.
- const char*[U] - The target to which the symbolic link points.
- int[U] - The file descriptor for the target directory.
- const char*[U] - The name of the link to be created.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Trace calls to symlinkat, including the arguments passed to it.
Example Use Case
Tracing the origin of symbolic links created in the system. This can be used to monitor privilege escalations and other malicious actions.
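As an added illustration of this use case (not part of the Tracee documentation or code base), the Go program below triages a stream of symlinkat events by their target argument, flagging watched paths, /proc/self/fd/ targets and relative targets. The JSON field names, the sample events and the watch list are constructed assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed sample events; the JSON field names are an assumed layout, not captured Tracee output.
const sampleEvents = `{"eventName":"symlinkat","processName":"ln","args":[{"name":"target","value":"/etc/shadow"},{"name":"newdirfd","value":-100},{"name":"linkpath","value":"/tmp/cache"}]}
{"eventName":"symlinkat","processName":"tar","args":[{"name":"target","value":"../lib/libfoo.so.1"},{"name":"newdirfd","value":5},{"name":"linkpath","value":"libfoo.so"}]}
{"eventName":"openat","processName":"cat","args":[{"name":"pathname","value":"/etc/hosts"}]}
{"eventName":"symlinkat","processName":"app","args":[{"name":"target","value":"/proc/self/fd/7"},{"name":"newdirfd","value":-100},{"name":"linkpath","value":"/run/app/out"}]}`

type event struct {
	EventName, ProcessName string
	Args                   []struct{ Name string; Value interface{} }
}

// Hypothetical watch list: target prefix -> tag.
var rules = [][2]string{{"/proc/self/fd/", "fd-target"}, {"/etc/shadow", "sensitive-target"}, {"/etc/sudoers", "sensitive-target"}}

// Triage returns one finding per flagged symlinkat event in a JSON-lines stream.
func Triage(stream string) (findings []string) {
	for _, line := range strings.Split(stream, "\n") {
		var ev event
		if json.Unmarshal([]byte(line), &ev) != nil || ev.EventName != "symlinkat" {
			continue // malformed line or a different event
		}
		arg := map[string]string{}
		for _, a := range ev.Args {
			arg[a.Name], _ = a.Value.(string) // numeric newdirfd stays ""
		}
		target, tag := arg["target"], ""
		if target != "" && !strings.HasPrefix(target, "/") {
			tag = "relative-target" // not resolvable from the event alone
		}
		for _, r := range rules {
			if strings.HasPrefix(target, r[0]) {
				tag = r[1]
			}
		}
		if tag != "" {
			findings = append(findings, fmt.Sprintf("%s: %s -> %s [%s]", ev.ProcessName, arg["linkpath"], target, tag))
		}
	}
	return findings
}

func main() { fmt.Println(strings.Join(Triage(sampleEvents), "\n")) }
```

Absolute targets outside the watch list produce no finding, so routine links such as library version symlinks with absolute paths stay out of the output.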
The target argument can reference parts of the filesystem. This means that if target contains a relative path, its interpretation will depend on the current working directory of the process.
The lstat event can be used to check if a file is a symbolic link, and if so, which file or directory it points to.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.