Questions about utrace

Frank Ch. Eigler fche at redhat.com
Mon Sep 7 16:21:22 UTC 2009


Ali Polatel <polatel at gmail.com> writes:

> [...]  Basically sydbox intercepts some system calls and checks
> their arguments. Using ptrace, however, it's not possible to stop
> the children only at the entry of system calls we are interested in
> but we have to stop them at _every_ system call and check for the
> system call number. [...]

This is because, at the point where the relevant utrace hooks exist,
it does not matter what system call is being run.  There is only one
hook, and it takes all syscalls off of the normal path, so by nature
someone must demultiplex after the fact.  The utrace way is to make
that someone be the utrace-engine client.

If you want to instrument system calls individually, you may need to
use another technology.  (In systemtap we support per-syscall but
system-wide kprobes, and per-thread but syscall-wide utrace probes.)
Per-process per-syscall tracepoint widgetry is under construction, but
I don't think it's widely available yet; that could be your target.

All of this involves kernel-side (module) programming, by the way.

- FChE
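The ptrace cost described in the quoted message, as an added example that is not part of the thread and not sydbox's own code: the tracer is stopped at every syscall (entry and exit) and must demultiplex by syscall number itself. Assumes Linux on x86-64 (register access is guarded by `__x86_64__`); the "interesting" syscall list is a hypothetical policy chosen for illustration.

```c
/* Added example: minimal ptrace tracer that stops the child at *every*
 * system call and demultiplexes by syscall number in user space.
 * Linux only; x86-64 register layout; policy list is hypothetical. */
#include <signal.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>
/* The demultiplexing step: does the sandbox want to inspect this call? */
int syscall_is_interesting(long nr)
{
    switch (nr) {
    case SYS_openat: case SYS_unlinkat: case SYS_mkdirat: return 1;
    default: return 0;
    }
}
/* Run argv[] under ptrace; count interesting syscall entries, -1 on error. */
long count_interesting_syscalls(char *const argv[])
{
#if defined(__x86_64__)
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        raise(SIGSTOP);                     /* let the parent set options */
        execvp(argv[0], argv); _exit(127);
    }
    int status, in_syscall = 0; long count = 0; struct user_regs_struct regs;
    if (waitpid(pid, &status, 0) < 0) return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, NULL) < 0) return -1;
        if (waitpid(pid, &status, 0) < 0) return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status)) break;
        /* each syscall stops us twice (entry, exit): inspect entries only */
        if (WIFSTOPPED(status) && WSTOPSIG(status) == (SIGTRAP | 0x80)) {
            in_syscall = !in_syscall;
            if (in_syscall && ptrace(PTRACE_GETREGS, pid, NULL, &regs) == 0 &&
                syscall_is_interesting((long)regs.orig_rax))
                count++;
        }
    }
    return count;
#else
    (void)argv; return -1;  /* other architectures: not handled here */
#endif
}
```

Non-syscall stops are resumed with signal 0 here for brevity; a real sandbox reinjects the pending signal and handles forks and threads as well.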
