Releases: kxxt/tracexec

v0.6.1

27 Sep 15:04
  • Docs: document dependencies for building in INSTALL.md.
  • CI: Bump ubuntu to 24.04, with clang 18 as default clang.
  • Previously, when building tracexec, libbpf was still vendored once even if --no-default-features was specified,
    because the libbpf-cargo build dependency also depends on it.
    This release fixes that.
  • Fix the help entry of breakpoint manager.
  • Fix: eBPF: only remove pgid from closure if follow-forks
  • Fix: eBPF: simplify program to make it load on kernel >= 6.8
  • Fix: eBPF: add a temporary workaround (d7f23b4) to make it load in release mode on new kernels.
    A side effect is some empty printk output in /sys/kernel/debug/tracing/trace_pipe. See the commit for more details.

v0.6.1-rc.1

27 Sep 14:58
Pre-release
  • Docs: document dependencies for building in INSTALL.md.
  • CI: Bump ubuntu to 24.04, with clang 18 as default clang.
  • Previously, when building tracexec, libbpf was still vendored once even if --no-default-features was specified,
    because the libbpf-cargo build dependency also depends on it.
    This release fixes that.
  • Fix the help entry of breakpoint manager.
  • Fix: eBPF: only remove pgid from closure if follow-forks
  • Fix: eBPF: simplify program to make it load on kernel >= 6.8
  • Fix: eBPF: add a temporary workaround (d7f23b4) to make it load in release mode on new kernels.
    A side effect is some empty printk output in /sys/kernel/debug/tracing/trace_pipe. See the commit for more details.

v0.6.1-beta.2

22 Sep 08:18
Pre-release
  • Docs: document dependencies for building in INSTALL.md.
  • CI: Bump ubuntu to 24.04, with clang 18 as default clang.
  • Previously, when building tracexec, libbpf was still vendored once even if --no-default-features was specified,
    because the libbpf-cargo build dependency also depends on it.
    This release fixes that.
  • Fix the help entry of breakpoint manager.
  • Fix: eBPF: only remove pgid from closure if follow-forks
  • Fix: eBPF: simplify program to make it load on kernel >= 6.8

v0.6.1-beta.1

22 Sep 06:52
Pre-release
  • Previously, when building tracexec, libbpf was still vendored once even if --no-default-features was specified,
    because the libbpf-cargo build dependency also depends on it.
    This release fixes that.
  • Fix the help entry of breakpoint manager.
  • Fix: eBPF: only remove pgid from closure if follow-forks
  • Fix: eBPF: simplify program to make it load on kernel >= 6.8

v0.6.0 featuring new eBPF backend

17 Sep 10:33

I am happy to announce that v0.6 brings the exciting eBPF backend🎉🎉🎉!

The eBPF backend supports system-wide exec tracing as well as good old follow-forks behavior.
It is still considered experimental but feel free to try it out! It should work on 6.x kernels.

Changes since v0.5.2:

Installation

  • The installation doc has been moved to INSTALL.md.
  • Statically linked musl builds are no longer available because libbpf-sys fails to compile with musl.
    • As an alternative, statically linked glibc builds are now available.
  • New feature flags:
    • recommended: This enables the recommended functionalities of tracexec
    • ebpf: eBPF backend that doesn't use ptrace and could be used for system wide tracing
    • ebpf-debug: Not meant for end users. This flag enables debug logging to /sys/kernel/debug/tracing/trace_pipe and some debug checks.
    • static: Statically link libelf, zlib and libbpf.
    • vendored: Vendoring libelf, zlib and libbpf, implies static.
    • vendored-libbpf: Vendoring libbpf and statically link to it.

By default, we enable the recommended and vendored-libbpf features. This means that we are dynamically linking zlib and libelf but statically linking libbpf. This choice is made because zlib and libelf are usually installed on most systems but libbpf is usually not.

To dynamically link to libbpf, turn off default features and enable the recommended feature.

Breaking Changes

  • Build with musl is no longer supported.
  • Additional dependencies are required to build tracexec.
  • The config file format should be updated.
    • default_external_command is moved to debugger section.
    • seccomp_bpf is moved to ptrace section.
    • modifier config section now also applies to eBPF backend.
    • The tui and log config sections now also apply to the corresponding commands of the eBPF backend.

Added

  • Add riscv64 support to seccomp feature (Note: seccompiler still doesn't support riscv64 yet. This would require using a fork)
  • Add experimental eBPF backend with log, tui and collect commands.

Changed

  • Update dependencies
  • Internal refactor
  • TUI: Performance improvement for details popup.

Fixed

  • For experimental fd in cmdline feature, use <> instead of > for added fds.
  • TUI: don't show layout help item when there's only one pane
  • TUI: fix crash caused by Rect mismatch, joshka/tui-widgets#33
  • When comparing fds, we now compare the mount id and inode number instead of naively comparing the path.

v0.6.0-beta.5

17 Sep 10:03
Pre-release

I am happy to announce that v0.6 brings the exciting eBPF backend🎉🎉🎉!

The eBPF backend supports system-wide exec tracing as well as good old follow-forks behavior.
It is still considered experimental but feel free to try it out! It should work on 6.x kernels.

Changes since v0.5.2:

Installation

  • The installation doc has been moved to INSTALL.md.
  • Statically linked musl builds are no longer available because libbpf-sys fails to compile with musl.
    • As an alternative, statically linked glibc builds are now available.
  • New feature flags:
    • recommended: This enables the recommended functionalities of tracexec
    • ebpf: eBPF backend that doesn't use ptrace and could be used for system wide tracing
    • ebpf-debug: Not meant for end users. This flag enables debug logging to /sys/kernel/debug/tracing/trace_pipe and some debug checks.
    • static: Statically link libelf, zlib and libbpf.
    • vendored: Vendoring libelf, zlib and libbpf, implies static.
    • vendored-libbpf: Vendoring libbpf and statically link to it.

By default, we enable the recommended and vendored-libbpf features. This means that we are dynamically linking zlib and libelf but statically linking libbpf. This choice is made because zlib and libelf are usually installed on most systems but libbpf is usually not.

To dynamically link to libbpf, turn off default features and enable the recommended feature.

Breaking Changes

  • Build with musl is no longer supported.
  • Additional dependencies are required to build tracexec.
  • The config file format should be updated.
    • default_external_command is moved to debugger section.
    • seccomp_bpf is moved to ptrace section.
    • modifier config section now also applies to eBPF backend.
    • The tui and log config sections now also apply to the corresponding commands of the eBPF backend.

Added

  • Add riscv64 support to seccomp feature (Note: seccompiler still doesn't support riscv64 yet. This would require using a fork)
  • Add experimental eBPF backend with log, tui and collect commands.

Changed

  • Update dependencies
  • Internal refactor
  • TUI: Performance improvement for details popup.

Fixed

  • For experimental fd in cmdline feature, use <> instead of > for added fds.
  • TUI: don't show layout help item when there's only one pane
  • TUI: fix crash caused by Rect mismatch, joshka/tui-widgets#33
  • When comparing fds, we now compare the mount id and inode number instead of naively comparing the path.

v0.5.2

06 Aug 02:53

Changes since v0.5.1:

Show an error when the tracer thread crashes (e.g. when the command doesn't exist). Previously tracexec hung when the tracer thread crashed.

Starting with this version, the tags are signed with my gpg key. The public key can be found here: http://keyserver.ubuntu.com:11371/pks/lookup?search=17AADD6726DDC58B8EE5881757670CCFA42CCF0A&fingerprint=on&op=index
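
A check for the signed tags mentioned above, as an added example (not tracexec's own code): a good signature only proves that some key in the keyring signed the tag, so the check also pins the fingerprint from the URL above. It assumes that fingerprint is the primary key's, that the key is already imported, and the status lines shown are constructed.

```python
import subprocess

# Fingerprint published in the v0.5.2 release notes; assumed to be the primary key.
PINNED_FPR = "17AADD6726DDC58B8EE5881757670CCFA42CCF0A"

def status_fields(status_text):
    """Split GnuPG status output into (keyword, args) pairs."""
    out = []
    for line in status_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "[GNUPG:]":
            out.append((parts[1], parts[2:]))
    return out

def tag_is_trusted(status_text, pinned=PINNED_FPR):
    """True only for a good signature whose primary key is the pinned one."""
    fields = status_fields(status_text)
    good = any(kw == "GOODSIG" for kw, _ in fields)
    # VALIDSIG args: fpr date timestamp expire version reserved pk-algo
    # hash-algo sig-class primary-key-fpr (the 10th argument).
    primaries = [a[9].upper() for kw, a in fields
                 if kw == "VALIDSIG" and len(a) >= 10]
    return good and primaries == [pinned.upper()]

def verify_tag(repo, tag):
    """Run `git verify-tag --raw`, which writes the status lines to stderr."""
    proc = subprocess.run(["git", "-C", repo, "verify-tag", "--raw", tag],
                          capture_output=True, text=True)
    return proc.returncode == 0 and tag_is_trusted(proc.stderr)

# Constructed status output (not captured from a real run).
OTHER_FPR = "B" * 40  # constructed fingerprint of an unrelated key

def make_status(signing_fpr, primary_fpr):
    return (f"[GNUPG:] GOODSIG {signing_fpr[-16:]} Constructed Signer\n"
            f"[GNUPG:] VALIDSIG {signing_fpr} 2000-01-01 946684800 0 4 0 1 10 00"
            f" {primary_fpr}\n")

SIGNED_BY_PINNED = make_status(PINNED_FPR, PINNED_FPR)
SIGNED_BY_SUBKEY = make_status("A" * 40, PINNED_FPR)  # subkey of the pinned key
SIGNED_BY_OTHER = make_status(OTHER_FPR, OTHER_FPR)   # valid signature, wrong key
BAD_SIGNATURE = f"[GNUPG:] BADSIG {PINNED_FPR[-16:]} Constructed Signer\n"
```

Pinning the full 40-character fingerprint matters here because the key is fetched over plain HTTP from a keyserver; the transport is not what is trusted.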

v0.5.1

20 Jul 08:36

Changes since v0.5.0:

Fix an incorrectly placed continue statement that caused the tracee to hang when SIGALRM was sent to it.

v0.5.0 featuring data export and user-level profile

18 Jul 11:30

Changes since v0.4.1:

Features

The exec events can now be collected and saved as JSON stream or JSON format!
This feature is implemented by the new collect subcommand.

The JSON stream format is a sequence of newline-delimited JSON values; when --pretty (which prettifies the JSON) is not enabled,
it is also a valid JSON Lines text file.
The first JSON value in the stream contains metadata such as the tracexec version and baseline environment information.
The remaining values are exec events.

The JSON format is a big JSON object that contains metadata and an array of exec events in the events field.
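
A reader for the JSON stream format described above, as an added example (not tracexec's own code). It decodes value by value instead of line by line, so --pretty output parses too, and it tolerates a cut-off last event; the field names and sample data are hypothetical, and the pretty layout is assumed to be indented JSON.

```python
import json

def parse_stream(text):
    """Return (metadata, events, complete) for a JSON stream.

    Values are decoded one after another rather than per line, so
    multi-line (pretty) output parses the same way as compact output.
    `complete` is False when the tail is a cut-off or corrupt value.
    """
    decoder = json.JSONDecoder()
    values, pos, complete = [], 0, True
    while True:
        # raw_decode does not skip leading whitespace itself.
        while pos < len(text) and text[pos].isspace():
            pos += 1
        if pos == len(text):
            break
        try:
            value, pos = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            complete = False  # keep what parsed before the damaged tail
            break
        values.append(value)
    if not values or not isinstance(values[0], dict):
        raise ValueError("stream has no leading metadata object")
    return values[0], values[1:], complete

def parses_as_json_lines(text):
    """True if every non-empty line is a JSON value on its own."""
    try:
        for line in text.splitlines():
            if line.strip():
                json.loads(line)
    except json.JSONDecodeError:
        return False
    return True

# Constructed sample; the field names are hypothetical, not tracexec's schema.
SAMPLE_VALUES = [
    {"version": "0.0.0-example", "baseline": {"env": {"LANG": "C"}}},
    {"filename": "/bin/ls", "argv": ["ls", "-l"]},
    {"filename": "/bin/cat", "argv": ["cat", "notes.txt"]},
]
COMPACT = "".join(json.dumps(v) + "\n" for v in SAMPLE_VALUES)
PRETTY = "".join(json.dumps(v, indent=2) + "\n" for v in SAMPLE_VALUES)
```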

And, tracexec now supports user-level profile🎉!

The profile file is a toml file that can be used to set fallback options.
It should be placed at $XDG_CONFIG_HOME/tracexec/ or $HOME/.config/tracexec/ and named config.toml.

A template profile file can be found at https://github.com/kxxt/tracexec/blob/main/config.toml

Note that the profile format is not stable yet and may change in the future. You may need to update your profile file when upgrading tracexec.

Other changes

  • Add --profile and --no-profile to load non-default profile and ignore profile, respectively.
  • Update dependencies.
  • Internal: Add a ruby script to update README.
  • Internal: Some refactor work.

v0.4.1

14 Jul 12:27

Changes since v0.4.0:

  • Update dependencies, notably:
    • ratatui to v0.27.0, and its friend crates
    • shell-quote to v0.7.1. The escape of utf8 characters is now better.
    • chore: run cargo update to get rid of yanked bytes 1.6.0
  • Perf: Log Mode: Don't accumulate msgs on unbounded channel
  • Docs: Update crate description