On Sun, Nov 14, 2021 at 2:44 AM Nadav Czerninski <nadavcze@xxxxxxxxx> wrote:
>
> I am looking for a way to monitor syscalls of specific libraries inside my program by intercepting and logging them, but only if their origin is from a specific set of Python/Java libraries.
> I think I've figured out a way to do this, but it seems to me that there must be a more elegant way.
>
> My current (theoretical) solution is:
>
> 1. At process initialization, load an eBPF program that can monitor syscalls.
> 2. At the beginning of each function which I want to monitor, attach the eBPF program to enable the monitoring state.
> 3. At the end of each function which I want to monitor, detach the eBPF program to disable the monitoring state.
>
> Does this solution make sense?
> Is there a better way you recommend doing it? I've also tried using seccomp, but unfortunately I could not find a way to use it for only a specific library.
>
> I've understood that eBPF sometimes doesn't work well in Docker containers; do you think this solution will have any problems running inside a container?

Hi Nadav,

Sorry for the delay.
The best is to ask such questions on the bpf@vger mailing list.

I suspect "attach at the beginning" won't really work, since it will be missing events.
Probably better to attach once and then filter python/java by pid/tid inside the bpf program.
Similar filtering can be done based on cgroup_id == container.
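One way to put the reply's advice into practice, written for this thread as an added example (it is not code from either poster): the syscall tracepoint is attached once for the life of the process, and all gating happens inside BPF, with a pid filter, an optional cgroup-id filter for the container, and a per-thread flag that uprobes on the library function's entry and return set and clear. The library path `/usr/lib/libfoo.so`, the symbol `foo_do_work`, and the positional parameters `$1` (pid) and `$2` (cgroup id, 0 to skip the check) are assumptions.

```bpftrace
#!/usr/bin/env bpftrace
// Usage: bpftrace monitor.bt <pid> <cgroup_id>
// Assumed library and symbol; replace with the native library you care about.

// Entry to the monitored function: mark this thread as "inside the library".
uprobe:/usr/lib/libfoo.so:foo_do_work
/pid == $1/
{
  @in_lib[tid] = 1;
}

// Return from the monitored function: clear the flag for this thread.
uretprobe:/usr/lib/libfoo.so:foo_do_work
/pid == $1/
{
  delete(@in_lib[tid]);
}

// Attached once; never detached.  Filtering by pid, by per-thread flag and
// (optionally) by cgroup id happens here, so no events are missed between
// an attach and a detach.
tracepoint:raw_syscalls:sys_enter
/pid == $1 && @in_lib[tid] && ($2 == 0 || cgroup == $2)/
{
  @syscalls[comm, args->id] = count();
  printf("%s tid=%d syscall=%ld\n", comm, tid, args->id);
}

END
{
  clear(@in_lib);
}
```

For Python or Java code the uprobes must target a native symbol (a C extension or JNI library); boundaries of interpreted functions are not visible to uprobes. Because each thread carries its own flag, syscalls made on other threads while the library function runs are not attributed to it.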