[lttng-dev] [RFC] lttng-modules system call tracing filtering

Mathieu Desnoyers mathieu.desnoyers at efficios.com
Thu Jul 31 17:21:03 EDT 2014


----- Original Message -----
> From: "Daniel Thibault" <Daniel.Thibault at drdc-rddc.gc.ca>
> To: lttng-dev at lists.lttng.org
> Cc: "Mathieu Desnoyers" <mathieu.desnoyers at efficios.com>, "Julien Desfossez" <jdesfossez at efficios.com>
> Sent: Monday, July 21, 2014 9:37:43 AM
> Subject: RE: [lttng-dev] [RFC] lttng-modules system call tracing filtering
> 
> ----------------------------------------------------------------------
> Date: Sat, 19 Jul 2014 21:39:23 +0000 (UTC)
> From: Mathieu Desnoyers <mathieu.desnoyers at efficios.com>
> Cc: Julien Desfossez <jdesfossez at efficios.com>
> 
> > For the curious, I implement this "filtering" with a per-channel bitmap
> > that represents which system calls to trace. We might need to double-check
> > that I got the NR_syscalls right for each architecture, especially those
> > with compatibility system call tables (64-bit archs having 32-bit compat
> > syscalls). For the common case (all system calls are traced), the pointer
> > to the array is NULL, so this is a simple pointer check, which is less
> > expensive cache-wise than looking up within the bitmap.
> >
> > As far as lttng-tools is concerned, what is a bit different is that system
> > calls don't each get a file descriptor assigned, unlike other tracepoint
> > events. Therefore, we interact with them at the channel level. If we can
> > find a way to send the disable-event command directly to the channel, with
> > the new "u.syscall.disable" flag I added to the lttng ABI, we should be
> > able to use disable-event with syscalls.
> >
> > However, I'm not sure how deeply we need to modify lttng-tools for this.
> >
> > Mathieu
> 
>    Why is the filter per-channel?  Last time I checked, syscalls could only
>    be assigned once per session, therefore there would only be a need for a
>    per-session filter bitmap.  Of course, if the intent is to allow syscalls
>    to be potentially multiply assigned, like user-space events are, then
>    this is the right way to go.

Yes, this is the intent. There are other limitations in lttng-modules that
currently don't allow this, but this is where we aim.

Thanks,

Mathieu

> 
> Daniel U. Thibault
> Protection des systèmes et contremesures (PSC) | Systems Protection &
> Countermeasures (SPC)
> Cyber sécurité pour les missions essentielles (CME) | Mission Critical Cyber
> Security (MCCS)
> RDDC - Centre de recherches de Valcartier | DRDC - Valcartier Research Centre
> 2459 route de la Bravoure
> Québec QC  G3J 1X5
> CANADA
> Vox : (418) 844-4000 x4245
> Fax : (418) 844-4538
> NAC : 918V QSDJ <http://www.travelgis.com/map.asp?addr=918V%20QSDJ>
> Gouvernement du Canada | Government of Canada
> <http://www.valcartier.drdc-rddc.gc.ca/>
> 

-- 
Mathieu Desnoyers
EfficiOS Inc.
http://www.efficios.com
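
Added example (not part of the original message and not lttng-modules code): a user-space C model of the per-channel bitmap described in the quoted message, where a NULL filter pointer means every system call is traced and the first disable allocates the bitmap. The names channel, sc_traced, sc_disable and sc_enable and the table length of 512 are assumptions; the real length is the architecture's NR_syscalls.

```c
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Assumed table length; the real value is per-architecture (NR_syscalls). */
#define SC_TABLE_LEN 512
#define BITS_PER_WORD (sizeof(unsigned long) * CHAR_BIT)
#define SC_WORDS ((SC_TABLE_LEN + BITS_PER_WORD - 1) / BITS_PER_WORD)

/* Hypothetical channel: filter == NULL means "trace every system call". */
struct channel {
    unsigned long *filter;
};

/* Hot path: one pointer check in the common case, a bitmap lookup otherwise. */
int sc_traced(const struct channel *ch, unsigned int nr)
{
    if (nr >= SC_TABLE_LEN)
        return 0;   /* wrong table length must never index past the bitmap */
    if (!ch->filter)
        return 1;
    return (int)((ch->filter[nr / BITS_PER_WORD] >> (nr % BITS_PER_WORD)) & 1UL);
}

/* Disable one syscall; the first disable allocates an all-ones bitmap. */
int sc_disable(struct channel *ch, unsigned int nr)
{
    if (nr >= SC_TABLE_LEN)
        return -1;
    if (!ch->filter) {
        ch->filter = malloc(SC_WORDS * sizeof(unsigned long));
        if (!ch->filter)
            return -1;
        memset(ch->filter, 0xff, SC_WORDS * sizeof(unsigned long));
    }
    ch->filter[nr / BITS_PER_WORD] &= ~(1UL << (nr % BITS_PER_WORD));
    return 0;
}

/* Re-enable one syscall; a NULL filter already traces everything. */
int sc_enable(struct channel *ch, unsigned int nr)
{
    if (nr >= SC_TABLE_LEN)
        return -1;
    if (ch->filter)
        ch->filter[nr / BITS_PER_WORD] |= 1UL << (nr % BITS_PER_WORD);
    return 0;
}
```

Because the filter lives in the channel, disabling a system call in one channel leaves a second channel's view untouched, which is the multiple-assignment case raised in the reply.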
