strace currently adds significant overhead to any application it traces. Even when users are interested in a handful of syscalls, strace will intercept all syscall made by the observed processes, involving several context switches per syscall.

Since Linux 3.5, userspace applications can rely on seccomp-bpf to filter the syscalls they want to trace. In that case, the set of monitored syscalls is filtered in the kernel, using cBPF, before any context switch to userspace. strace could leverage seccomp-bpf to avoid tracing syscalls users don't want. The tracing landscape of Linux also drastically evolved in recent years. In particular, user applications can rely on eBPF programs to filter and aggregate data of interest in the kernel, with low overhead.

During this Google Summer of Code, I will finish and merge the works started to 1) rely on seccomp-bpf to filter syscalls in kernel space and 2) allow strace to use alternative backends. That second work will come with a tracepoint/BPF proof of concept to ensure strace supports diverse backends, beyond the usual ptrace model.



Paul Chaignon


  • Eugene Syromyatnikov
  • ldv