← Back to context

Comment by westurner

3 months ago

Cool tool! Is the inotify directory/file watch count the limit?

I can't seem to remember the name of the pre-containers tool that creates a virtual build root and traps all the file syscalls. It's not strace.

Easier to trace everything an AI runs by running the agent in a container with limited access to specific filesystem volumes.

eBPF is the fastest way to instrument in Linux AFAIU:

Traceleft: https://github.com/ShiftLeftSecurity/traceleft

Tracee: https://github.com/aquasecurity/tracee

Falco docs > Supported events: https://falco.org/docs/reference/rules/supported-events/

Tetragon: https://github.com/cilium/tetragon

strace could have a --diff-fs-syscall-files option:

  strace -p PID -f -F -e trace=file -s 65536

7 comments

westurner

Reply
deemkeen  3 months ago

it uses the os independant fsnotify lib, it surely has its limits. eBPF is great, but linux only, yeah

  • westurner  3 months ago

    On MacOS:

      sudo dtrace -n 'vfs::*:entry { printf("%-16s %-6d %s", execname, pid, probefunc); }'

  sudo dtrace -n 'vfs:lookup:entry { printf("%-16s %-6d %s", execname, pid, copyinstr(arg1)); }'

    TIL Dtrace is included in recent builds of Windows 11 and Server 2025: https://learn.microsoft.com/en-us/windows-hardware/drivers/d... ;

      # Must be run as Administrator
  dtrace -n "syscall::NtCreateFile:entry, syscall::NtReadFile:entry, syscall::NtWriteFile:entry { printf(\"%s (%d) - %s\", execname, pid, probefunc); }"

    It's possible to trace file system calls in Windows with procmon.exe by saving a .pmc config file and then loading it from the CLI:

      procmon.exe
  # uncheck everything except "Show File System Activity"
  # Filter > Drop Filtered Events
  # File > Export Configuration...

  # Must be run as Administrator
  procmon.exe /AcceptEula /Quiet /Minimized /LoadConfig C:\Tools\fs-only.pmc /BackingFile C:\Logs\FileSystemTrace.pml

    It's also possible to trace lower level file system calls in Windows with logman.exe but it's necessary to parse the traces that it generates.

    Then with just bpftrace on Linux:

      sudo bpftrace -e 'tracepoint:syscalls:sys_enter_openat { printf("%-6d %-16s %s\n", pid, comm, str(args.filename)); }'

  sudo bpftrace -e 'kprobe:vfs_read, kprobe:vfs_write, kprobe:vfs_open { printf("%-16s %-6d %s\n", comm, pid, probefunc); }'

    ... According to 2.5pro on the cli strs

    strace, dtrace, and bpftrace could have a --diff-fs-syscall-files option.