strace --seccomp-bpf: a look under the hood (Paul Chaignon) FOSDEM 2020


strace is known to add significant overhead to any application it traces. Even when users are interested in a handful of syscalls, strace will by default intercept all syscalls made by the observed processes, involving several context switches per syscall. Since strace v5.3, the --seccomp-bpf option allows reducing this overhead, by stopping observed processes only at syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations. In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp-stops) and bpf (syscall matching algorithms). Finally, we’ll discuss limitations of the new option and avenues for improvement. Part of this talk is covered in the following blog post:
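An added illustration of the idea in the abstract (not strace's code and not taken from the talk): a linear-matching classic-BPF seccomp program that returns `SECCOMP_RET_TRACE` only for the syscalls of interest, with a small interpreter so the verdicts can be checked without installing the filter. The names `build_filter`, `run_filter` and `verdict`, the always-trace handling of foreign ABIs, and the sample x86_64 syscall numbers are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Emit a classic-BPF program: SECCOMP_RET_TRACE (the tracer gets a seccomp-stop)
 * for each number in nrs[], SECCOMP_RET_ALLOW (no stop) for everything else.
 * One JEQ per syscall, so n <= 255; out[] must hold n + 6 instructions. */
size_t build_filter(struct sock_filter *out, const uint32_t *nrs, size_t n, uint32_t native_arch)
{
    size_t i = 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    /* Assumption of this example: syscalls from another ABI are always traced. */
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, native_arch, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) /* on a match, jump to the final RET_TRACE */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[k], (uint8_t)(n - k), 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE);
    return i;
}

/* Interpreter for the three opcodes used above, to check verdicts offline. */
uint32_t run_filter(const struct sock_filter *f, size_t len, const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        if (f[pc].code == (BPF_LD | BPF_W | BPF_ABS))
            memcpy(&acc, (const char *)sd + f[pc].k, sizeof acc);
        else if (f[pc].code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; /* offsets are relative to pc + 1 */
        else if (f[pc].code == (BPF_RET | BPF_K))
            return f[pc].k;
    }
    return SECCOMP_RET_KILL; /* fell off the end: fail closed */
}

/* Verdict for one syscall when only openat and execve are of interest. */
uint32_t verdict(int nr, uint32_t arch)
{
    static const uint32_t wanted[] = { 257, 59 }; /* constructed sample: x86_64 openat, execve */
    struct sock_filter prog[8];
    size_t len = build_filter(prog, wanted, 2, AUDIT_ARCH_X86_64);
    struct seccomp_data sd = { .nr = nr, .arch = arch };
    return run_filter(prog, len, &sd);
}
```

The instruction count grows with the number of traced syscalls, which is the cost of linear matching.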
