strace is known to add significant overhead to any application it traces.
Even when users are interested in a handful of syscalls, strace will by
default intercept all syscalls made by the observed processes, involving
several context switches per syscall. Since strace v5.3, the --seccomp-bpf
option allows reducing this overhead by stopping observed processes only at
syscalls of interest. This option relies on seccomp-bpf and inherits a few
of its limitations.
In this talk, we will describe the default behavior of ptrace and strace,
to understand the problem --seccomp-bpf addresses. We will then detail the
inner workings of the new option, as seen from ptrace (seccomp-stops,
SECCOMP_RET_TRACE, and the new behavior of -p and -f) and bpf (syscall
matching algorithms). Finally, we'll discuss limitations of the new option
and avenues for improvement.
Part of this talk is covered in the following blog post: https://pchaigno.github.io/strace/2019/10/02/introducing-strace-seccomp-bpf.html.
Speakers: Paul Chaignon