timer_settime32 - Sets the time of an interval timer
timer_settime32 is used to set the time of an interval timer, based on the
timer_id, to a new value stored in the
new argument. The timer will be reset to
new after the timer expires. The
flags argument can be passed to determine how the timer behaves when it expires. The previous timer value is stored in the
Whenever the timer expires, the timer value is reset to
new and the associated signal is sent to the process specified when the timer was set.
One advantage of using this system call is that the interval timer is reset automatically each time it expires, which eliminates the cost of checking the timer value and resetting it each time.
However, one disadvantage is that the timer does not halt when a signal is sent to the process, as the timer will still reset.
timer_t[K] - Timer identifier
int[K] - Flags to determine timer behavior
struct old_itimerspec32*[K, U] - Pointer to new timer value
struct old_itimerspec32*[K, U, TOCTOU, OPT] - Pointer to old timer value.
- K - Originated from kernel-space.
- U - Originated from user space (for example, pointer to user space memory used to get it)
- TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
- OPT - Optional argument - might not always be available (passed with null value)
Kprobe + Kretprobe
Hooking this function can be used to gain information about the context in which a timer is being set.
Hooking this function can be used to gain information about the context in which a timer is being set or modified.
Example Use Case¶
This system call can be used to track when a certain program takes longer than expected to execute, as well as track other events that may occur periodically.
One issue with timer_settime32 is that the time may not be as accurate as desired, as the operating system may adjust times to conserve system resources.
The related events to timer_settime32 are timer_gettime32, timer_delete and timer_create.
This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.