Beautifying syscall args using kernel headers and eBPF in ‘perf trace’

By Arnaldo Carvalho de Melo, Red Hat Inc.

There are many players driving the addition of features in the kernel to help observe events and filter voluminous information at the source, with the lowest overhead, making (or trying to make) sure that security is kept while helping developers cope with increasingly complex systems.

Showing examples of how these infrastructures can be used, in the kernel sources is the overall objective of tools/. Nevermind that what is there can actually be used to attack this complexity.

The ‘perf trace’tool is one such effort, to get the strace workflow and augment it with tracepoints, callchains, system wide, cgroup and other targets besides those accessible to the original strace, using the the perf and eBPF kernel infrastructures is the goal here.


Conectiva founder. Maintained IPX, LLC, Appletalk legacy protocols. Refactored the TCP/IP stack to reuse non TCP specific parts. Implemented the Linux DCCP stack. Created pahole, a tool to help in optimizing data structures, used in Linux, glibc, KDE, xine & others. Maintainer of the Linux ‘perf’ tools (profiling, tracing, debugging). Works for Red Hat since 2007 on the Real Time group.