Skip to content



chroot() - changes the root directory of a process


The chroot() system call changes the root directory of the calling process to the path specified in the path argument. This directory will be the new root directory for the calling process and all its children. The chroot() system call restricts the ability of a process to access files outside the new root directory. The process must have root privileges in order to successfully call chroot().

Edge cases/drawbacks: * This call should only be used under extreme circumstances since it is not reversible.


  • path:const char* - path of the new root directory.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






Hooked to detect a process that has been successfully chrooted.

Example Use Case

It can be used to detect malicious activity when a process inside the system is attempting to break out of its jailed environment.


The chroot() syscall should be used with extreme caution since it is not reversible and can be easily misused.

  • chdir - changes the current working directory of a process.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.