strace --seccomp-bpf: a look under the hood (Paul Chaignon), FOSDEM 2020
strace is known to add significant overhead to any application it traces. Even when users are interested in only a handful of syscalls, strace by default intercepts every syscall made by the observed processes: each one triggers two ptrace stops (entry and exit) and the context switches between tracee and tracer that go with them. strace's --seccomp-bpf option reduces this overhead by stopping observed processes only at the syscalls of interest. The option relies on seccomp-bpf and inherits a few of its limitations. In this talk, we will describe the default behavior of ptrace and strace, to understand the problem --seccomp-bpf addresses. We will then detail the inner workings of the new option, as seen from ptrace (seccomp stops) and from BPF (syscall matching algorithms). Finally, we'll discuss limitations of the new option and avenues for improvement. Part of this talk is covered in the following blog post: