Skip to content



mknod - creates a filesystem node (file, device special file or named pipe)


The mknod system call is used to create a filesystem node (file, device special file or named pipe) named by the pathname referred to by pathname. It has associated permissions determined by mode (modified by the process’s umask) and is given the user ID and group ID specified by dev. On success (returning 0), the inode creation time is set to the current time and the last data modification and last file status change times are set to the current time.


  • pathname:const char*[KU] - pathname refers the name of the new file or directory.
  • mode:mode_t[KU] - expresses the mode of the new file in both symbolic and absolute ways. The symbolic mode can use the alphabetical characters “r”, “w”, and “x”.
  • dev:dev_t[KU] - is an unsigned integer specifying the file or directory user ID and group ID.

Available Tags

  • K - Originated from kernel-space.
  • U - Originated from user space (for example, pointer to user space memory used to get it)
  • TOCTOU - Vulnerable to TOCTOU (time of check, time of use)
  • OPT - Optional argument - might not always be available (passed with null value)






To track an event when a program calls mknod.

Example Use Case

An example use-case when mknod can be used is in an application making use of named pipes. The mknod system call can be used to create a named pipe whose pathname is provided by pathname and whose permissions are given by mode.


If the application creating the node points to an existing one, it will fail to be created and will return an EEXIST error.

stat, fstat, lstat - to obtain information about a file or directory specified by pathname. unlink - to remove the specific node.

This document was automatically generated by OpenAI and needs review. It might not be accurate and might contain errors. The authors of Tracee recommend that the user reads the "events.go" source file to understand the events and their arguments better.