Kernel

What Is Still Missing in System Call Tracing

This talk follows last year's presentation "Status and Desiderata for Syscall Tracing and Virtualization Support" and reports on progress and remaining gaps in Linux system call tracing.

The talk presents a set of Linux kernel patches, intended for upstream submission, that address the following limitations and aim to make system call tracing and virtualization more expressive, portable, and efficient.

Over the past year, support for PTRACE_SET_SYSCALL_INFO has been merged into the mainline kernel. While developing a portable version of VUOS across multiple architectures, several limitations of the current tracing interfaces became evident. In particular, skipping a system call by setting its number to -1 is insufficient, as it does not allow the tracer to control the return value or errno, nor to adjust the program counter. As a consequence, the current VUOS proof-of-concept replaces skipped system calls with getpid and fixes up the return value at PTRACE_SYSCALL_INFO_EXIT, doubling the number of context switches and incurring a measurable performance cost. Updating the program counter currently requires non-portable, architecture-specific code using PTRACE_POKEUSER or PTRACE_SETREGSET.

Additional issues arise with seccomp_unotify. Tracing all system calls is difficult because file descriptors must be transferred from the traced task to the tracer; common techniques based on UNIX domain sockets and ancillary messages require sendmsg and recvmsg themselves to be excluded from tracing. Furthermore, there is currently no support for virtualizing the F_DUPFD command of fcntl, nor for allowing a tracer to atomically close a file descriptor in the traced process.
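The getpid workaround described in the abstract, as an added example that is not VUOS code or part of the talk: the tracer substitutes getpid at the syscall-entry stop and overwrites the result at the exit stop, so one skipped call costs two stops. It assumes Linux on x86_64 (it edits `orig_rax` and `rax` through PTRACE_GETREGS/PTRACE_SETREGS, which is exactly the architecture-specific part), permission to ptrace a child, and a constructed path; `skip_via_getpid` is a hypothetical name.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
#include <unistd.h>

/* Added example, x86_64 only. Skips the tracee's mkdir and returns the number
 * of syscall stops spent on that one call, or -1; *seen = errno the tracee saw. */
int skip_via_getpid(int *seen)
{
    int status, stops = 0, pending = 0;
    struct user_regs_struct regs;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) < 0) _exit(255);
        raise(SIGSTOP);                       /* let the tracer set its options */
        long r = syscall(SYS_mkdir, "/constructed-demo-dir", 0700);
        _exit(r < 0 ? errno : 0);             /* report errno via exit status */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status)) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)(long)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        ptrace(PTRACE_SYSCALL, pid, NULL, NULL);
        if (waitpid(pid, &status, 0) < 0 || WIFSIGNALED(status)) return -1;
        if (WIFEXITED(status)) break;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) continue;  /* not a syscall stop */
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0) return -1;
        int entry = !pending && regs.orig_rax == SYS_mkdir;
        if (!entry && !pending) continue;     /* some other syscall: pass through */
        if (entry) regs.orig_rax = SYS_getpid;           /* entry: harmless call instead */
        else regs.rax = (unsigned long long)-EPERM;      /* exit: tracer-chosen result */
        pending = entry;
        ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        stops++;
    }
    *seen = WEXITSTATUS(status);
    return stops;
}

int main(void)
{
    int e = 0, n = skip_via_getpid(&e);
    printf("stops for one skipped call: %d, tracee errno: %d\n", n, e);
    return (n == 2 && e == EPERM) ? 0 : 1;
}
```

The second stop exists only to set the return value; the register names are what makes this non-portable.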

More information

Live Stream https://live.fosdem.org/watch/ua2114
Format devroom
Language English

More sessions

01.02.26
Kernel
UA2.114 (Baudoux)
When a kernel component like a storage driver misbehaves in production, developers face a difficult choice. They either have too little information to solve the bug or they enable slow console-level debug logs that ruin performance. This talk introduces a per-component binary logging mechanism designed to support verbose logging in production with negligible run-time cost. We achieve this efficiency by moving the heavy lifting to build time. Using preprocessor macros, we emit parameter ...
01.02.26
Kernel
Ahmad Fatoum
UA2.114 (Baudoux)
For years, Ahmad’s ideal has been simple: unpack a rootfs on a server, mount it over NFS (or usb9pfs), boot directly into it, and everything just works™. But as secure boot becomes the default on many embedded systems, squeezing in a network-booted kernel is getting harder and often falls outside the supported boot flow entirely. Fortunately, some recent improvements in the kernel build system pave the way for a far less invasive netboot setup. This talk gives a quick tour ...
01.02.26
Kernel
Bartosz Golaszewski
UA2.114 (Baudoux)
The Linux kernel driver model has grown over the years and acquired several different mechanisms for passing device configuration data to platform drivers. This configuration can come from firmware (device-tree, ACPI) or from the kernel code itself (board-files, MFD, auxiliary drivers). For a less experienced driver developer, the different APIs that are used to access device properties can be quite confusing and lead to questions: should I use the OF routines? Maybe fwnode or the ...
01.02.26
Kernel
Fernando Fernandez Mancera
UA2.114 (Baudoux)
A new RFC for Netfilter/nftables arrived recently in the netfilter-devel mailing list [1], introducing flexible math operation support for network packet fields. This could solve some migration problems from iptables to nftables and in addition empower other use-cases. This demo will quickly show how it works with simple real-world scenarios. [1] https://lore.kernel.org/netfilter-devel/20250923152452.3618-1-fmancera@suse.de/
01.02.26
Kernel
Felix Moessbauer
UA2.114 (Baudoux)
Tracing complex systems often requires insights from both the kernel and userspace. While tools like Linux's ftrace excel at kernel-level observability and LTTng provides low-overhead userspace tracing, unifying these disparate data sources for a holistic view remains a challenge: using LTTng for kernel tracing requires an out-of-tree kernel module, which can be a barrier for many users. This talk introduces bt2-ftrace-to-ctf - a new open-source project designed to bridge this gap. Our ...
01.02.26
Kernel
Luca Di Maio
UA2.114 (Baudoux)
Creating filesystem images typically requires mounting, copying files, and hoping your build environment doesn't introduce non-determinism. New capabilities in mkfs.xfs solve both problems. You can now populate an XFS filesystem directly from a directory tree at creation time, no mount required. I'll cover the implementation approach, discuss design, and show how to use it. Useful for distributions, embedded systems, and anyone who needs verifiable filesystem artifacts. Reference ...
01.02.26
Kernel
Julia Lawall
UA2.114 (Baudoux)
Correctness of operating system kernel code is very important. Testing is helpful, but does not always thoroughly uncover all issues. In the Whisper team at Inria, we are exploring the possibility of applying formal verification, using Frama-C, to Linux kernel code. This entails writing specifications, constructing loop invariants, and checking correctness with the support of an SMT solver. This talk will report on the opportunities and challenges encountered.