strace is known to add significant overhead to any application it traces. Even when users are interested in only a handful of syscalls, strace by default intercepts every syscall made by the observed processes, which costs several context switches per syscall. Since strace v5.3, the --seccomp-bpf option reduces this overhead by stopping observed processes only at the syscalls of interest. This option relies on seccomp-bpf and inherits a few of its limitations.

In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp-stops) and from BPF (syscall matching algorithms). Finally, we'll discuss the limitations of the new option and avenues for improvement.
Problem addressed and ptrace default behavior
seccomp-bpf, SECCOMP_RET_TRACE, and the new behavior
cBPF syscall matching algorithms
Main limitations: working together with -p and -f
Avenues for improvements
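As an added illustration (not code from the talk or from strace itself), the simplest of the cBPF syscall matching strategies the outline refers to: a linear chain of comparisons that returns SECCOMP_RET_TRACE for the traced syscalls and SECCOMP_RET_ALLOW for everything else, after an arch check, built and then exercised in user space by a small interpreter. The sock_filter layout and SECCOMP_RET_* values mirror the kernel headers; the syscall numbers and arch value used to exercise it are constructed sample input.

```c
#include <stdint.h>
#include <stddef.h>
/* Minimal cBPF definitions mirroring <linux/filter.h> and <linux/seccomp.h>,
 * kept local so the example compiles without kernel headers. */
struct sock_filter { uint16_t code; uint8_t jt, jf; uint32_t k; };
#define BPF_LD_W_ABS 0x20            /* BPF_LD | BPF_W | BPF_ABS */
#define BPF_JEQ_K    0x15            /* BPF_JMP | BPF_JEQ | BPF_K */
#define BPF_RET_K    0x06            /* BPF_RET | BPF_K */
#define SECCOMP_RET_TRACE 0x7ff00000U
#define SECCOMP_RET_ALLOW 0x7fff0000U
#define SD_NR   0                    /* offsetof(struct seccomp_data, nr) */
#define SD_ARCH 4                    /* offsetof(struct seccomp_data, arch) */

/* Build the linear matcher: check arch, then compare nr against each traced
 * syscall; a hit returns SECCOMP_RET_TRACE (ptrace stop), a miss ALLOW.
 * Returns the number of instructions written, or 0 on bad input. */
size_t build_trace_filter(struct sock_filter *out, uint32_t arch,
                          const uint32_t *nrs, size_t n)
{
    if (n == 0 || n > 250) return 0;  /* keep every jump offset within 8 bits */
    size_t p = 0;
    out[p++] = (struct sock_filter){ BPF_LD_W_ABS, 0, 0, SD_ARCH };
    /* Foreign arch: jump straight to RET TRACE so the tracer still sees it. */
    out[p++] = (struct sock_filter){ BPF_JEQ_K, 0, (uint8_t)(n + 1), arch };
    out[p++] = (struct sock_filter){ BPF_LD_W_ABS, 0, 0, SD_NR };
    for (size_t i = 0; i < n; i++) {
        /* jt: distance to RET TRACE; jf: only the last JEQ skips over it */
        uint8_t to_trace = (uint8_t)(n - 1 - i), to_allow = (i == n - 1);
        out[p++] = (struct sock_filter){ BPF_JEQ_K, to_trace, to_allow, nrs[i] };
    }
    out[p++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_TRACE };
    out[p++] = (struct sock_filter){ BPF_RET_K, 0, 0, SECCOMP_RET_ALLOW };
    return p;
}

/* Tiny interpreter for the three opcodes above, so the filter can be
 * exercised in user space against a fake seccomp_data (nr, arch). */
uint32_t run_filter(const struct sock_filter *f, size_t len, uint32_t nr, uint32_t arch)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        switch (f[pc].code) {
        case BPF_LD_W_ABS: acc = (f[pc].k == SD_NR) ? nr : arch; break;
        case BPF_JEQ_K:    pc += (acc == f[pc].k) ? f[pc].jt : f[pc].jf; break;
        case BPF_RET_K:    return f[pc].k;
        default:           return SECCOMP_RET_TRACE; /* unknown opcode: be safe */
        }
    }
    return SECCOMP_RET_TRACE; /* ran off the end; the kernel would reject this */
}
```

With n traced syscalls the chain costs up to n compares per syscall, which is why strace also uses smarter matching strategies for large syscall sets.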
Part of this talk is covered in the following blog post: