Understanding Linux System Calls With the strace Command

When programs running on Linux want to use resources managed by the operating system (reading files, creating processes, etc.), they make system calls to the OS. The system call operates at the kernel level and performs the necessary operations, leaving control to the calling program. The strace tool provides the ability to monitor these system calls on Linux.

Typical Uses of the Stray Command

To monitor system calls for an application, simply invoke the command with lost in the following format:

strace ls /tmp

However, there are often processes that start much earlier and continue working in the background. Due to any issues, you may want to collect additional information regarding those processes. You can attach lost for any running application by providing the process ID of the process to -P parameters:

strace -p 2759


Trace the chains and fork of an application

With strace you can check all threads and other subprocesses that are a fork of your application using -f flag.

strace -f -p 2759


Checks for certain system calls for misplacement

Sometimes the default output can be quite crowded. If you only want to monitor certain system calls, you can do so with -e parameters:

strace -f -e trace=open,write,close,connect,select -p 19770

To monitor only system calls related to file activity, use -e trace = file:

strace -e trace=file -p 19770

To filter only network related system calls, specify -e trace = network in the command:

strace -e trace=network -p 19770


Get time information in seconds

When exporting system calls, you can use -t parameter to get time information with precision in seconds. Most of the time precision won’t be enough for your needs. In such situations, you can use -tt parameter to get time information with microsecond precision:

strace -tt ls /tmp

Collect system call statistics

With -c you can collect system call statistics as long as you want:

strace -f -c -p 19770

Save log to file

If you run lost for a long time and want to examine the results logs in more detail later, you will need to save the logs. With -o parameter you can specify the file in which strace will save the log:

strace -f -o /tmp/strace.log -e trace=file ls /tmp

Procedure to block ptrace

Using the prctl system call, any application in Linux can prevent itself from being controlled by non-root users with ptrace. If the app deletes PR_SET_DUMPABLE self-flagging via prctl, non-root users won’t be able to control this app with ptrace, even if they have app signaling permission.

One of the most typical uses of this feature is seen in the OpenSSH authentication agent software. Therefore, application control by an application is different from ptrace prevented from authenticating the user.

ptrace and security

Because the ptrace facility is placed in the traditional Linux process model, any software you run on the system with your users has the right to insert malicious code into it. From the simplest xterm engine to advanced web browser applications, such malware can take control of all your other running applications — thanks to the ptrace system call — and copy information important that you don’t realize.

To deal with this situation that many users are not aware of, a protection mechanism has been developed with a security module named Yama in the Linux kernel.

You can control the response to the ptrace system call via /proc/sys/kernel/yama/ptrace_scope file. By default, this file writes a value of 0.

The following values ​​are acceptable:

Value Means
0 Normal behavior: All apps have permission ptrace can be checked.
first Ptrace is restricted: Direct parent of the app only or debug apps allowed by the app with PR_SET_PTRACER options have control. Therefore, the use of gdb program_name and lost_program name will continue to work, but you won’t be able to attach the running application afterwards.
2 Send it to the system administrator: Only apps defined CAP_SYS_PTRACE defined property or subprocess PTRACE_TRACEME optional with prctl can be controlled.
3 Completely disabled: No ptrace allowed under any circumstances. If this property is defined once, you cannot change it again at runtime.

Many developers do not know that applications can disable ptrace on their own through prctl, except for the root user. Although security-related software such as the OpenSSH agent performs these operations, it is not correct to expect the same behavior from all software running on the system.

Recently, some Linux distributions have started to set the default value of ptrace_scope file, described above, first. Therefore, with limited ptrace operations, a more secure working environment is provided system-wide.

Use an example paragraph

Register the form below with your name Ministrace.c. Then you can compile it with the following command:

gcc -o ministrace ministrace.c


#include <sys/ptrace.h>
#include <sys/reg.h>
#include <sys/wait.h>
#include <sys/types.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <string.h>
int wait_for_syscall (pid_t child)
int status;
while (1) {
ptrace(PTRACE_SYSCALL, child, 0, 0);
waitpid(child, &status, 0);
if (WIFSTOPPED(status) && WSTOPSIG(status) & 0x80)
return 0;
if (WIFEXITED(status))
return 1;

int do_child (int argc, char **argv)
char *args [argc+1];
memcpy(args, argv, argc * sizeof(char*));
args[argc] = NULL;
kill(getpid(), SIGSTOP);
return execvp(args[0], args);

int do_trace (pid_t child)
int status, syscall, retval;
waitpid(child, &status, 0);
while(1) {
if (wait_for_syscall(child) != 0) break;

syscall = ptrace(PTRACE_PEEKUSER, child, sizeof(long)*ORIG_RAX);
fprintf(stderr, "syscall(%d) = ", syscall);

if (wait_for_syscall(child) != 0) break;

retval = ptrace(PTRACE_PEEKUSER, child, sizeof(long)*RAX);
fprintf(stderr, "%d
", retval);
return 0;
int main (int argc, char **argv)
if (argc < 2) {
fprintf(stderr, "Usage: %s prog args
", argv[0]);
pid_t child = fork();
if (child == 0) {
return do_child(argc-1, argv+1);
} else {
return do_trace(child);

After compiling the application, you can run any command with Minister and check the output:

You can use thin wire for many purposes

strace can help find bugs in programs that use system resources unnecessarily. Likewise, characteristics that a program exhibits while using operating system resources can also be exposed.

Since strace directly listens to system calls, it can reveal runtime dynamics regardless of whether the code of the running program is open/closed. It is understandable why programs crash when starting using strace.

Similarly, strace helps you understand why a program ended unexpectedly. Therefore, familiarity with strace is very important in Linux kernel development and system administration.


Create your own OS with Linux from Scratch [Linux]

Continue reading

https://www.makeuseof.com/strace-command-linux/ Understanding Linux System Calls With the strace Command

Sarah Ridley

USTimesPost.com is an automatic aggregator of the all world’s media. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials, please contact us by email – admin@ustimespost.com. The content will be deleted within 24 hours.

Related Articles

Back to top button