Keyboard shortcuts

Press or to navigate between chapters

Press S or / to search in the book

Press ? to show this help

Press Esc to hide this help

eBPF Backend

eBPF is an advanced backend and currently considered experimental.

To use this backend, run tracexec with ebpf as subcommand and the desired frontend as sub-subcommand (tracexec ebpf log or tracexec ebpf tui for example).

A Brief Introduction to eBPF

eBPF is a revolutionary technology for running sandboxed and verified programs directly in the Linux kernel. The in-kernel BPF verifier verifies the program before loading it into the kernel to ensure its safety. For tracing exec, eBPF enables us to attach tracing eBPF programs to kernel functions that handle execve and execveat syscalls and other scheduler tracepoints like sched_process_fork that fires when a process creates a new thread or a new process.

Strengths

  • System-wide tracing makes the eBPF backend well-suited for system observability.
  • Scoped tracing is also implemented.
  • Does not use ptrace(2) so
    • Tracing setuid/setgid binaries is supported.
    • You could combine it with other tools that use ptrace(2), e.g. gdb.

Weaknesses