Skip to content



link - create hard links to a file


The link() system call is used to create a link or hard link between two files. It creates a new name for an existing file. A hard link is essentially a directory entry that associates a name with a file on a particular file system. If a file has multiple hard links, any of these names can be used to read, write, open, or delete from the file.

There are some edge cases that might arise when using this system call. One of them is that the user does not have privileges to create a link in the specified directory. Another is that if the user tries to make a link to a file that is located in another file system, then it will be rejected. Also, there is no way to restrict the number of hard links to a file, which means that it can easily consume a lot of storage space.

However, there are advantages in using the link() system call. Creating hard links is a fast process since it does not require any disk block transfer. Moreover, since files are linked together, operations done in one file are reflected in the other. This can be useful when then need to update multiple copies of the same file simultaneously.


  • oldpath: const char*[U] - Path to existing file.
  • newpath:const char*[U] - Path to create the link at.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)





To detect and trace creating of directory links

Example Use Case

The link() system call can be used to detect and trace malicious or suspicious file modification. For example, if a malicious user is trying to modify or delete files in a system, creating/deleting a hard link to the file is one way to do this. Tracking the link() system call will notify if any files are modified in this way.


The link() system call is vulnerable to TOCTOU (time of check, time of use) race conditions, in which different users can execute different instruction sequences between check and use of file links, with potential security implications.

  • unlink - system call that deletes the given file name.
  • unlinkat - system call that deletes the file at the specified directory.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.