Skip to content



mkdirat - create a directory with a given path relative to the directory referenced by the file descriptor


The mkdirat() system call creates a new directory with the given name relative to the directory referenced by the file descriptor. The argument mode specifies the permissions to use. The newly created directory will be an empty directory and will be owned by the effective user ID of the process.

The call is useful when you want to restrict the creation of new directories to a certain directory, due to security matters. When dirfd is AT_FDCWD, the current working directory is used as the starting point. Edge-cases to consider are when the pathname argument is not absolute, when the pathname is longer than PATH_MAX, when the dirfd argument is invalid, or when the mode argument is invalid.


  • dirfd:int[K] - open directory file descriptor used as the relative path for the new directory.
  • pathname:const char*[KU] - pathname of the created directory.
  • mode:mode_t[K] - File permission bits for the created directory.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






To track when the directory is created

Example Use Case

mkdirat() can be useful when tracking the creation of directories, for security reasons. For example, it can be used to detect malicious activity where a process is creating multiple malicious directories in quick succession.


mkdirat() may fail due to missing or insufficient permissions, or due to a long pathname argument.

  • openat()
  • access()
  • chmod()
  • rmdir()

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.