Brussels / 1 & 2 February 2020


strace --seccomp-bpf: a look under the hood

strace is known to add significant overhead to any application it traces. Even when users are interested in only a handful of syscalls, strace will by default intercept every syscall made by the observed processes, which costs several context switches per syscall. Since strace v5.3, the --seccomp-bpf option reduces this overhead by stopping observed processes only at the syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations.

In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp-stops) and bpf (syscall matching algorithms). Finally, we'll discuss limitations of the new option and avenues for improvement.

  • Problem addressed and ptrace default behavior
  • seccomp-bpf, SECCOMP_RET_TRACE, and the new behavior
  • cBPF syscall matching algorithms
  • Main limitations: working together with -p and -f
  • Avenues for improvements

Part of this talk is covered in the following blog post:


Paul Chaignon