Skip to content



accept4 - a system call for accepting incoming connections on a listening socket


The accept4 system call is used by a server process to accept incoming connections on a listening socket. It is a variant of the accept system call which has an additional parameter flags, which can be used to control how the connection is created. For example, the SOCK_NONBLOCK flag can be used to ensure that the connection is created in non-blocking mode, to avoid blocking the server process in the event of no available clients. Further flags can also be used to control whether the socket is granted exclusive access to the address, and whether credentials are passed with the connection (using the SOCK_PASSCRED flag).

The sockfd parameter is a file descriptor for the listening socket. The addr and addrlen parameters point to a sockaddr structure and an int respectively, and are used to store information about the client connection. Once accepted, the address and length of the connection are copied to these structures. The flags parameter is used to control the type of socket that is created, as described above.


  • sockfd:int[K] - the file descriptor of the listening socket.
  • addr:struct sockaddr*[K,U] - pointer to sockaddr to store the details of the connection.
  • addrlen:int*[K,U] - pointer to an integer to store the length of the struct sockaddr associated with the connection.
  • flags:int[K] - flags to control the type of socket that is created (e.g. SOCK_NONBLOCK), passed as a bitmask.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)




Tracepoint + Kprobe


To monitor the flags parameter of the accept4 syscall

Example Use Case

An example use case would be a web server that needs to listen for incoming connections, but doesn't want to block waiting for them. By using the SOCK_NONBLOCK flag, the server process can instruct the kernel to create the socket in non-blocking mode and return immediately, even if there are no connections available.


One potential issue is with the use of TOCTOU (Time-of-Check-Time-of-Use) attacks. These can occur when the flags parameter is passed with a value that changes between the time of check and the time of use. Therefore, care should be taken to ensure that the parameter is locked before the syscall is invoked.

  • bind - used to bind the sockets to an address
  • listen - used to begin listening for incoming connections
  • select - used to wait for incoming connections in non-blocking mode

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.