
strace --seccomp-bpf: a look under the hood

Formal Metadata

Title
strace --seccomp-bpf: a look under the hood
Title of Series
Number of Parts
490
Author
License
CC Attribution 2.0 Belgium:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers
Publisher
Release Date
Language

Content Metadata

Subject Area
Genre
Abstract
strace is known to add significant overhead to any application it traces. Even when users are interested in a handful of syscalls, strace will by default intercept all syscalls made by the observed processes, involving several context switches per syscall. Since strace v5.3, the --seccomp-bpf option allows reducing this overhead, by stopping observed processes only at syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations. In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp-stops) and bpf (syscall matching algorithms). Finally, we'll discuss limitations of the new option and avenues for improvement.

Outline:

Problem addressed and ptrace default behavior
seccomp-bpf, SECCOMP_RET_TRACE, and the new behavior
cBPF syscall matching algorithms
Main limitations: working together with -p and -f
Avenues for improvements