v0.6.1-beta.1

• Previously, when building tracexec, even if --no-default-feaures is specified,
  libbpf still gets vendored once because it is also depended in libbpf-cargo build dependency.
  This release fixes it.
• Fix the help entry of breakpoint manager.
• Fix: eBPF: only remove pgid from closure if follow-forks
• Fix: eBPF: simplify program to make it load on kernel >= 6.8

v0.6.0 featuring new eBPF backend

I am happy to announce that v0.6 brings the exciting eBPF backend🎉🎉🎉!

The eBPF backend supports system-wide exec tracing as well as good old follow-forks behavior.
It is still considered experimental but feel free to try it out! It should work on 6.x kernels.

Changes since v0.5.2:

Installation

• The installation doc has been moved to INSTALL.md.
• Statically linked musl builds are no longer available due to libbpf-sys fails to compile with musl.
  • As an alternative, statically linked glibc builds are now available.
• New feature flags:
  • recommended: This enables the recommended functionalities of tracexec
  • ebpf: eBPF backend that doesn't use ptrace and could be used for system wide tracing
  • ebpf-debug: Not meant for end users. This flag enables debug logging to /sys/kernel/debug/tracing/trace_pipe and some debug checks.
  • static: Statically link libelf, zlib and libbpf.
  • vendored: Vendoring libelf, zlib and libbpf, implies static.
  • vendored-libbpf: Vendoring libbpf and statically link to it.

By default, we enable the recommended and vendored-libbpf features. This means that we are dynamically linking zlib and libelf but statically linking libbpf. This choice is made because zlib and libelf are usually installed on most systems but libbpf is usually not.

To dynamically link to libbpf, turn off default features and enable recommended feature:

Breaking Changes

• Build with musl is no longer supported.
• Additional dependencies are required to build tracexec.
• The config file format should be updated.
  • default_external_command is moved to debugger section.
  • seccomp_bpf is moved to ptrace section.
  • modifier config section now also applies to eBPF backend.
  • tui, log config section now also apply to corresponding commands of eBPF backend.

Added

• Add riscv64 support to seccomp feature (Note: seccompiler still doesn't support riscv64 yet. This would require using a fork)
• Add experimental eBPF backend with log, tui and collect commands.

Changed

• Update dependencies
• Internal refactor
• TUI: Performance improvement for details popup.

Fixed

• For experimental fd in cmdline feature, use <> instead of > for added fds.
• TUI: don't show layout help item when there's only one pane
• TUI: fix crash caused by Rect mismatch, joshka/tui-widgets#33
• When comparing fds, we now compare the mount id and inode number instead of naively comparing the path.

v0.6.0-beta.5

I am happy to announce that v0.6 brings the exciting eBPF backend🎉🎉🎉!

The eBPF backend supports system-wide exec tracing as well as good old follow-forks behavior.
It is still considered experimental but feel free to try it out! It should work on 6.x kernels.

Changes since v0.5.2:

Installation

• The installation doc has been moved to INSTALL.md.
• Statically linked musl builds are no longer available due to libbpf-sys fails to compile with musl.
  • As an alternative, statically linked glibc builds are now available.
• New feature flags:
  • recommended: This enables the recommended functionalities of tracexec
  • ebpf: eBPF backend that doesn't use ptrace and could be used for system wide tracing
  • ebpf-debug: Not meant for end users. This flag enables debug logging to /sys/kernel/debug/tracing/trace_pipe and some debug checks.
  • static: Statically link libelf, zlib and libbpf.
  • vendored: Vendoring libelf, zlib and libbpf, implies static.
  • vendored-libbpf: Vendoring libbpf and statically link to it.

By default, we enable the recommended and vendored-libbpf features. This means that we are dynamically linking zlib and libelf but statically linking libbpf. This choice is made because zlib and libelf are usually installed on most systems but libbpf is usually not.

To dynamically link to libbpf, turn off default features and enable recommended feature:

Breaking Changes

• Build with musl is no longer supported.
• Additional dependencies are required to build tracexec.
• The config file format should be updated.
  • default_external_command is moved to debugger section.
  • seccomp_bpf is moved to ptrace section.
  • modifier config section now also applies to eBPF backend.
  • tui, log config section now also apply to corresponding commands of eBPF backend.

Added

• Add riscv64 support to seccomp feature (Note: seccompiler still doesn't support riscv64 yet. This would require using a fork)
• Add experimental eBPF backend with log, tui and collect commands.

Changed

• Update dependencies
• Internal refactor
• TUI: Performance improvement for details popup.

Fixed

• For experimental fd in cmdline feature, use <> instead of > for added fds.
• TUI: don't show layout help item when there's only one pane
• TUI: fix crash caused by Rect mismatch, joshka/tui-widgets#33
• When comparing fds, we now compare the mount id and inode number instead of naively comparing the path.

v0.5.2

Changes since v0.5.1:

Show error when tracer thread crashed(e.g. when the command doesn't exist). Previously it hangs when tracer thread crashes.

Starting with this version, the tags are signed with my gpg key. The public key can be found here: http://keyserver.ubuntu.com:11371/pks/lookup?search=17AADD6726DDC58B8EE5881757670CCFA42CCF0A&fingerprint=on&op=index

v0.5.1

Changes since v0.5.0:

Fix an incorrectly placed continue statement that causes tracee to hang when SIGALRM is sent to tracee.

v0.5.0 featuring data export and user-level profile

Changes since v0.4.1:

Features

The exec events can now be collected and saved as JSON stream or JSON format!
This feature is implemented by the new collect subcommand.

The JSON stream format is newline-delimited JSONs and when --pretty(which prettifies the JSON) is not enabled,
it is also a JSON Lines text file.
The first JSON of the JSON stream contains metadata like tracexec version and baseline environment information.
Other JSONs are exec events.

The JSON format is a big JSON object that contains metadata and an array of exec events in the events field.

And, tracexec now supports user-level profile🎉!

The profile file is a toml file that can be used to set fallback options.
It should be placed at $XDG_CONFIG_HOME/tracexec/ or $HOME/.config/tracexec/ and named config.toml.

A template profile file can be found at https://github.com/kxxt/tracexec/blob/main/config.toml

Note that the profile format is not stable yet and may change in the future. You may need to update your profile file when upgrading tracexec.

Other changes

• Add --profile and --no-profile to load non-default profile and ignore profile, respectively.
• Update dependencies.
• Internal: Add a ruby script to update README.
• Internal: Some refactor work.

v0.4.1

Changes since v0.4.0:

• Update dependencies, notably:
  • rataui to v0.27.0, and its friend crates
  • shell-quote to v0.7.1. The escape of utf8 characters is now better.
  • chore: run cargo update to get rid of yanked bytes 1.6.0
• Perf: Log Mode: Don't accumulate msgs on unbounded channel
• Docs: Update crate description

v0.4.0: tracexec can now be used as a debugger launcher!

I am very excited to share that tracexec can now be used as a debugger launcher.

It's usually not trivial or convenient to debug a program executed by a shell/python script(which can use pipes as stdio for the program).
The following video shows how to use tracexec to launch gdb to debug two simple programs piped together by a shell script.

gdb-launcher.mp4

Solves:

• https://stackoverflow.com/questions/5048112/use-gdb-to-debug-a-c-program-called-from-a-shell-script
• https://stackoverflow.com/questions/1456253/gdb-debugging-with-pipe
• https://stackoverflow.com/questions/455544/how-to-load-program-reading-stdin-and-taking-parameters-in-gdb
• https://stackoverflow.com/questions/65936457/debugging-a-specific-subprocess

To learn more about it, read the gdb-launcher example.

Changes since v0.3.1:

Added

• Breakpoints.
  • The breakpoints can be set in CLI(--add-breakpoint/-b) and TUI.
• Managing breakpoint hits.
  • in CLI: option --default-external-command
  • in TUI: Hit Manager
  • Detach, Resume, or Detach, stop and run external command
• --tracer-delay option for setting the polling delay of the tracer, in microseconds. The default is 500 when seccomp-bpf is enabled, otherwise 1.

Changed

• Docs: make the description of --seccomp-bpf more clear

v0.3.1

tracexec v0.3.1 released!

Changes since v0.3.0:

Fixed

• TUI: Fix a bug that the event list is not refreshed when new events are available in some cases.

v0.3.0

tracexec v0.3.0 released!

Changes since v0.2.2:

Added

• Shell completions are now available for bash, elvish, fish, powershell and zsh!
  • Run tracexec generate-completions <SHELL> to get the completion file to install for your favorite shell.
  • Or generate completions when packaging tracexec so that users don't need to install the completions themselves.
• TUI: Toggle showing/hiding CWDS by pressing W.
• Musl builds are now available for x86_64 and aarch64.
• TUI: Add Ctrl+U key binding to bottom help text, which clears the text in the search bar when editing it.

Changed

• TUI: To optimize memory usage(avoiding storing a contiguous string separately),
  the internal regex implementation is switched to regex-cursor from regex.
• TUI: The order of the key bindings in the bottom help text is changed.

Fixed

• Fix build issues on musl.
• TUI: Fix search result not being updated after toggling show/hide CWD/Env.
• TUI: Stop following when navigating through the search results.
• TUI: Fix incorrect wrapping behavior of the bottom key binding help text by updating ratatui and use NBSPs.
• TUI: Fix crash when resizing the terminal by updating ratatui.

Performance

• Store more information as cached arcstr to reduce memory usage.
• Other optimizations to reduce memory usage.