Paul Chaignon's GSoC status report - summary
paul.chaignon at gmail.com
Mon Aug 26 11:37:38 UTC 2019
This email is a summary of the work done during GSoC 2019, with a few
ideas for improvement of seccomp-filter at the end.
- I reworked the z-option patchset  submitted by Burkhard Kohl to the
mailing list 2 years ago. The initial goal was to fix the -z option, to
print only successful syscalls, and introduce a new -Z option, to print
only failing syscalls. The -z option would sometimes print the entry of
failing syscalls. To fix this, we needed to stage the output of strace
until the syscall's return status is known.
This patchset then evolved to introduce a comprehensive status
qualifier, to match syscall return statuses other than failed and
successful (i.e., unfinished, detached, and unavailable).
The last patchset, which was merged into master, is available on the
mailing list , with a complete changelog.
- I reworked the seccomp-filter proof-of-concept  developed by Chen
Jingpiao during GSoC 2018. That patchset leverages seccomp-bpf to
filter syscalls in the kernel instead of in userspace, as currently
implemented by strace, when users only want to see a subset of all
syscalls. The patchset introduces a basic BPF program to match
syscalls. Its last version, with complete changelogs, is available on
the mailing list , but hasn't been merged yet.
- I worked on improvements to the BPF matching algorithm. Specifically, I
developed two new matching algorithms. The first is based on the basic,
linear algorithm, but attempts to match unwanted syscalls instead of
traced syscalls. The second uses bitwise operations to match syscalls
against the set of traced syscalls, encoded in bit arrays. strace then
chooses the best algorithm (i.e., the shortest program) at startup time.
I then evaluated these different algorithms to better understand in what
situation each algorithm is most appropriate and whether the code
complexity they introduce is worth it.
All BPF algorithms, as well as their evaluations, are available on the
mailing list as an RFC patchset .
Besides the last fixes to the seccomp-filter patchset and the new
algorithms (once we've chosen which to keep), there are several
opportunities for improvement:
- The current BPF programs don't handle multiplexing syscalls such as ipc
and socketcall. A special case is needed here to match the first
argument of these syscalls (generally called "call", used to determine
the actual function to call).
- seccomp-filter currently requires -f in strace as the seccomp-bpf
filters are inherited by children of the traced process, and syscalls
will fail if a seccomp-bpf program attempts to trace them (i.e., returns
SECCOMP_RET_TRACE) but there is no userspace tracer. We could remove
the need for -f if the kernel could take a new SECCOMP_SET_MODE_FILTER
flag to indicate seccomp-bpf filters shouldn't be inherited by children
- In debug mode, the selected BPF program is printed by
dump_seccomp_bpf(), which implements its own parsing logic. It should
be possible to reuse print_bpf_fprog() instead, at the cost of some
Thank you Dmitry and Eugene for all your reviews!
1 - https://lists.strace.io/pipermail/strace-devel/2017-June/006510.html
2 - https://lists.strace.io/pipermail/strace-devel/2019-July/008945.html
3 - https://github.com/strace/strace/tree/ppiao/gsoc-2018-final
4 - https://lists.strace.io/pipermail/strace-devel/2019-August/009040.html
5 - https://lists.strace.io/pipermail/strace-devel/2019-August/009058.html
More information about the Strace-devel