Releases: kxxt/tracexec
v0.12.0
New Features
Exec Backtrace
Similar to stack traces, exec events also forms a backtrace.
In TUI, tracexec now supports viewing the backtrace of any exec events by
pressing T.
The exec backtraces shows all the exec events that lead to the selected event.
- For most events, the parent process spawns a new child process to execute the new program. (label
S) - For some event, the parent process tears it self down and directly becomes(executes) the new program. (label
B)
Go To Parent
Sometimes, reading the whole exec backtrace is unnecessary. A light-weight alternative is Go To Parent.
By pressing U on an event, the TUI will jump to and select its parent event.
In details view, pressing U will open the details of the parent event.
And in the details view of an event, we now shows its parent event's commandline.
Fixes
- Greatly improve TUI responsiveness to user input when in following mode.
Misc
- Internal refactor
- UKCI: register ukci as a GC root.
v0.11.0
New Features
tracexec now collects the timestamps of the events.
It is currently hidden by default.
To show the timestamps inline, use --timestamp option.
To control the format of the inline timestamp, use --inline-timestamp-format
(Please refer to https://docs.rs/chrono/latest/chrono/format/strftime/index.html for available specifiers)
Use timestamp.enable config under modifier section to control whether to enable it by default or not
and timestamp.inline_format config to control the format.
Breaking Changes
File descriptors that are O_CLOEXEC(closing upon exec) are hidden by default now.
The rationale behind this change is that most of the time we are only interested to know
which FDs are inherited across exec.
This behavior can be controlled with --hide-cloexec-fds or --no-hide-cloexec-fds options
and hide_cloexec_fds config under modifier section.
Fixes
- Fix caching in UKCI.
Other
- TUI: The order of fields in details view are slightly adjusted.
- Bump dependencies.
- Regular kernel version bumps for UKCI.
v0.10.0
Breaking Changes
- The compile-time
seccomp-bpffeature gate is removed. It is always enabled now.
v0.9.1
Fixes
Fix a bug introduced in v0.9.0 that when seccomp-bpf is turned off, tracexec aborts with an assertion error.
Other
- Massive internal refactor.
- Bump MSRV to 1.85 and edition to 2024.
v0.9.0
Breaking Changes
- MSRV bumps will no longer be a breaking change in future releases.
- Bump MSRV to 1.83
Enhancement
- Add
--max-events/max_eventsoption/config for TUI mode, which limits the
max number of events to keep in memory. This is 1,000,000 by default.
Previously there's no limit and the memory used by the events are not freed
until program exit. Set it to0will disable this limit. - eBPF: update kernels in UKCI. (6.12 LTS is now tested in UKCI)
Fixes
- Fix some ptrace quirks that could cause tracee to hang.
- Fix multi-character input in pseudo terminal.
- Add a new event status for internal failure
- Update dependencies (which gets rid of some yanked crates)
v0.8.2
Notice
There is an LTS kernel regression that affects the experimental eBPF backend for tracexec.
Users on LTS kernel v6.6.64..v6.6.69 experiencing eBPF load errors should upgrade to v6.6.70,
where the patch that causes the regression is reverted. Further investigation is still going on.
Fixes
- tracexec now correctly handles ptrace group stop.
(In other words, the stopping signals are now handled transparently). - Fix missing process state update for the root tracee when it exits.
- CI: misc fixes for nix userspace-kernel integration tests.
Other Changes
- Update dependencies
- Misc CI changes.
- Internal refactor: safer abstraction for ptrace.
- Internal refactor: remove lazy_static
- Internal refactor: replace some static variables with constants (by @Integral-Tech)
- tracexec now uses
PTRACE_SEIZEinstead of settingPTRACE_TRACEMEafter fork. - Specify MSRV in
Cargo.toml. (v0.8.1 is yanked because the incompatible lockfile version change from 3 to 4).
Contributors
Assets 8
v0.8.0
Breaking Changes
The ptrace backend no longer supports kernels that don't support PTRACE_GET_SYSCALL_INFO.
This means that the minimal supported kernel version is now 5.3.
New Features
The ptrace backend now allows tracees to do 32bit syscalls on x64 architecture.
And traces for 32bit exec syscalls are now available in tracexec.
A new feature ebpf-no-rcu-kfuncs is added and disabled by default.
For kernel versions less than 6.2, you'll need to enable this feature to make the eBPF backend work.
Fixes
- Make tests work in non-FHS environment.
Other Changes
- Update dependencies, notably bumping ratatui to 0.29.
- Add a (very rough) nix flake to test the eBPF backend on different kernel versions.
- CI: bump rust to 1.82
v0.7.0
New Features
- The experimental eBPF backend is updated to also monitor 32bit exec on x64 systems.
- I plan to support tracing 32bit exec in ptrace backend as well in 0.8.0 release.
- Previously, all experimental features are only labeled in the help text of CLI.
Now the experimental features are also labeled in TUI:
Deprecation
The support for kernel version < 5.3 is deprecated and will be removed in the future.
It is likely that it will happen in the upcoming 0.8.0 release.
Breaking Changes
Building tracexec with seccomp-bpf feature now requires libseccomp dependency.
By default, we dynamically link to libseccomp. In order to statically link to libseccomp,
please set LIBSECCOMP_LINK_TYPE to static and set LIBSECCOMP_LIB_PATH to the path of
the directory containing libseccomp.a.
Fixes
- ptracer: use
SIGSTOPas sentinel signal. - eBPF:
__TARGET_ARCH_xxdefine gets fixed for arm64 and riscv64(in libbpf-rs: libbpf/libbpf-rs#958 and libbpf/libbpf-rs#959). - Switch
seccomp-bpfdependency crate fromseccompilertolibseccomp.- This unblocks 32bit exec tracing for ptrace backend that I plan to implement in 0.8.0.
- And
seccomp-bpffeature can now be enabled on riscv64.
Internal Changes
- Bump dependencies
- Make clippy more annoying
- eBPF: convert from syscall tracepoint to fentry/fexit
- eBPF: minor refactors
v0.7.0-rc.3
New Features
- The experimental eBPF backend is updated to also monitor 32bit exec on x64 systems.
- I plan to support tracing 32bit exec in ptrace backend as well in 0.8.0 release.
- Previously, all experimental features are only labeled in the help text of CLI.
Now the experimental features are also labeled in TUI:
Deprecation
The support for kernel version < 5.3 is deprecated and will be removed in the future.
It is likely that it will happen in the upcoming 0.8.0 release.
Breaking Changes
Building tracexec with seccomp-bpf feature now requires libseccomp dependency.
By default, we dynamically link to libseccomp. In order to statically link to libseccomp,
please set LIBSECCOMP_LINK_TYPE to static and set LIBSECCOMP_LIB_PATH to the path of
the directory containing libseccomp.a.
Fixes
- ptracer: use
SIGSTOPas sentinel signal. - eBPF:
__TARGET_ARCH_xxdefine gets fixed for arm64 and riscv64(in libbpf-rs: libbpf/libbpf-rs#958 and libbpf/libbpf-rs#959). - Switch
seccomp-bpfdependency crate fromseccompilertolibseccomp.- This unblocks 32bit exec tracing for ptrace backend that I plan to implement in 0.8.0.
- And
seccomp-bpffeature can now be enabled on riscv64.
Internal Changes
- Bump dependencies
- Make clippy more annoying
- eBPF: convert from syscall tracepoint to fentry/fexit
- eBPF: minor refactors
v0.6.2
- Fix: Update dependencies to get rid of yanked futures-util 0.3.30
- Fix: Ensure build-script is built with the same vendoring feature as the main binary
- CI: Fix a typo in CI yaml that caused the released static binaries to be non static.
- CI: Enable eBPF for riscv64.
- CI: Enable static builds for riscv64.