# System Calls

The boundary between user-space and kernel-space can be crossed using system calls (aka syscalls). These are the functions that are supported by the kernel. They can be split into some categories:

  • filesystem management
  • processes management
  • other

For example, to execute a binary file, the execve syscall should be used.

We can see what system calls are invoked by any program by running strace. For example, strace ls will show the system calls invoked by the ls program.


strace uses a ptrace (opens new window) system call to work.

# libc

System calls are not C functions. They don't use the call stack. Instead, we run them via interrupts on CPU. We have to set an appropriate number in registers, provide required arguments, and then we can invoke the interrupt. Linux kernel registers handler for that interrupt and it is able to act on the system call. That execution is the kernel-mode operation.

User-space programs can invoke system calls via abstraction provided by the standard C library (like glibc (opens new window), musl (opens new window), or other). Such a library covers the whole spectrum of syscalls that the kernel supports.

We can see which libc functions are being used by a program by using ltrace. Example: ltrace ls.

syscall function

libc implementations have a function syscall which allows us to invoke the syscall explicitly, without any additional "overhead". It could be useful if our kernel supports some system call not covered by our version of libc.

An alternative would be to write the assembly code to invoke that system call.

# References

Last Updated: 11/28/2022, 9:27:43 AM