[Ltrace-devel] Welcome + argument question.

Adam Malinowski a.malinowsk2 at partner.samsung.com
Wed Oct 23 07:45:11 UTC 2013


Hi.
>> I needed a tool to trace system calls blocked by the seccomp filter of a given
>> process.
>> It turned out that neither strace nor ltrace has such functionality.
>> Ltrace seemed to be simpler to modify :)
>> So I've added cooperation with seccomp to ltrace and enhanced the summary a
>> little.
>> If you are interested in such changes I will give it to you.
>> I'm not sure if I did it correctly but it works :)
> What are the changes that you added to ltrace--can you give a short
> paragraph with a description?  Much depends on whether it can be
> integrated into ltrace without hacks, and without exposing
> linux-specific functionality in ltrace core.  I'll also have to go and
> see what seccomp is, I admit ignorance on this subject ;)
>
> Thanks,
> PM
>

Seccomp is a kernel tool which can filter system calls and perform
one of five actions:
- ALLOW - the syscall is executed in the regular way
- KILL - the process trying to execute such a syscall is killed
- TRAP - the process trying to execute such a syscall is sent a SIGSYS signal
- ERRNO - the syscall is not executed and the specified errno value is set
- TRACE - the process trying to execute such a syscall is killed. But if the process
is traced by another process (for example ltrace), it will not be killed but
will be traced. This means that the tracing process will receive a special
event and, if this event is correctly processed, the syscall will be executed.
So what did I do with ltrace? I added a new ptrace setting which enables
seccomp events, also I added seccomp event handling and added
a little code to the handling of sysrets. Also I had to add some info to summary
and non-summary mode which informs the user about seccomp activity.
I added two command line arguments. One of them enables seccomp
cooperation (not enabled by default) and the second one enables a special
summary feature. This special summary feature groups syscalls
matching not only their names (as it does now) but also their arguments.
This is a useful tool in seccomp trace mode because seccomp allows
filtering syscalls even by their arguments, and this helps in finding
the syscalls one wants to block or pass in a given process.
This feature is also disabled by default.
I don't think I did any hack and I don't think hacks are needed to
integrate these functions into ltrace.
Also I'm not trying to force or convince you to take my patches.
I did what I needed and can give you that source code.
Well, I think I can, but I must ensure that the company I work for has
nothing against that.

Thanks
Adam Malinowski
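The TRACE action and the tracer-side handling described in the message above, as an added example that is not part of the original thread and not ltrace's own code: a minimal tracer forks a child, enables PTRACE_O_TRACESECCOMP on it, and the child installs a filter that returns SECCOMP_RET_TRACE for getpid (tagged through SECCOMP_RET_DATA with an assumed value), SECCOMP_RET_ERRNO(EPERM) for getppid, and ALLOW for everything else. The tracer reads the tag from each seccomp stop with PTRACE_GETEVENTMSG and lets the syscall run by continuing the child. It assumes Linux on x86_64 or aarch64 with glibc 2.25 or newer (so the PTRACE_O_* options are declared and getpid() is not cached); the tag value, function names and child exit codes are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed build targets; every filter should check the arch before the nr. */
#if defined(__x86_64__)
#define THIS_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define THIS_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

#define TAG_GETPID 0x101   /* assumed tag, carried in the 16-bit SECCOMP_RET_DATA field */

/* Exit codes (names assumed) with which the traced child reports what it saw. */
enum { CHILD_OK = 0, CHILD_UNSUPPORTED = 10, CHILD_ERRNO_NOT_APPLIED = 11 };

/* getpid -> TRACE (tagged), getppid -> ERRNO(EPERM), anything else -> ALLOW. */
static int install_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, THIS_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),   /* foreign ABI: kill */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getpid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRACE | TAG_GETPID),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };

    /* An unprivileged process may only install a filter after no_new_privs. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

static void child_body(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) != 0)
        _exit(CHILD_UNSUPPORTED);
    raise(SIGSTOP);                 /* let the tracer set its options first */
    if (install_filter() != 0)
        _exit(CHILD_UNSUPPORTED);
    volatile pid_t p = getpid();    /* TRACE: tracer sees a stop, then the syscall runs */
    p = getpid();
    errno = 0;
    if (getppid() != -1 || errno != EPERM)   /* ERRNO: the syscall never runs */
        _exit(CHILD_ERRNO_NOT_APPLIED);
    _exit(CHILD_OK);
}

/* Trace a child through the rules above. Returns the number of tagged
 * SECCOMP_RET_TRACE stops when the child reports CHILD_OK, otherwise -1
 * (no seccomp-filter or ptrace support here, or a rule did not apply). */
int trace_seccomp_events(void)
{
    int status, stops = 0, sig = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        child_body();
        _exit(CHILD_UNSUPPORTED);
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    /* Without PTRACE_O_TRACESECCOMP the kernel reports no seccomp events at all. */
    if (ptrace(PTRACE_SETOPTIONS, pid, NULL,
               (void *)(long)(PTRACE_O_TRACESECCOMP | PTRACE_O_EXITKILL)) != 0) {
        kill(pid, SIGKILL); waitpid(pid, &status, 0); return -1;
    }
    for (;;) {
        if (ptrace(PTRACE_CONT, pid, NULL, (void *)(long)sig) != 0 ||
            waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status))
            return WEXITSTATUS(status) == CHILD_OK ? stops : -1;
        if (WIFSIGNALED(status))    /* e.g. SECCOMP_RET_KILL fired */
            return -1;
        sig = 0;
        if ((status >> 8) == (SIGTRAP | (PTRACE_EVENT_SECCOMP << 8))) {
            unsigned long data = 0; /* SECCOMP_RET_DATA of the matching rule */
            if (ptrace(PTRACE_GETEVENTMSG, pid, NULL, &data) == 0 && data == TAG_GETPID)
                stops++;
            /* Continuing from this stop is the "correct processing" the message
             * mentions: the pending syscall then executes normally. */
        } else {
            sig = WSTOPSIG(status); /* pass ordinary signals through unchanged */
        }
    }
}

int main(void)
{
    int n = trace_seccomp_events();
    printf("tagged seccomp TRACE stops seen: %d\n", n);
    return n < 0;
}
```

Run as an unprivileged user; the expected count is 2 (one stop per getpid call), and -1 means the environment refused PTRACE_TRACEME or the filter install. A tracer that wanted to deny the syscall at the seccomp stop instead of merely observing it would overwrite the syscall number with -1 through the arch-specific register interface (PTRACE_GETREGS/PTRACE_SETREGS or PTRACE_GETREGSET) before continuing; that step is deliberately left out here so the example stays portable across the two assumed architectures.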
