
feat: Support stapsdt #48

Draft
wkpark wants to merge 4 commits into avilum:master from wkpark:support-stapsdt

wkpark commented Mar 6, 2026

Dynamic USDT Support via stapsdt and Security Hardening

Enhanced secimport with dynamic USDT support for standard Python and hardened security against optimized mode bypasses.

Key Technical Changes

  • Dynamic USDT Support: Integrated stapsdt to support standard Python binaries without DTrace, using a singleton pattern
    for the provider to prevent resource leaks.
  • CLI Enhancements: Added detection for WITH_DTRACE and provided detailed installation guides for libstapsdt and stapsdt.

Changes

  • Implement dynamic USDT probe firing in secure_import using stapsdt to support standard Python binaries without DTrace.
  • Replace assert with explicit RuntimeError in sandbox_helper.py
  • Update CLI to detect WITH_DTRACE and provide installation guides for libstapsdt and stapsdt.
  • Add tests/test_stapsdt_support.py (excluded)
  • support uv / add PEP 621 [project] to pyproject.toml (excluded)

References

Note

I used the Gemini CLI to help with the specific implementation details and drafting this PR description.

See also: linux-usdt/libstapsdt#34

As expected, the normal trace.bt will not work.

$ sudo secimport/profiles/trace.bt -c .venv/bin/python3 -o trace0.log .venv/bin/python3
ERROR: couldn't get argument 0 for .venv/bin/python3::function__entry

So I just added some more commits to address this issue.

Remaining issues

  • need to add missing_probes config to work with libstapsdt
diff --git a/secimport/profiles/trace.bt b/secimport/profiles/trace.bt
index 9609ce9..0535b82 100755
--- a/secimport/profiles/trace.bt
+++ b/secimport/profiles/trace.bt
@@ -1,5 +1,9 @@
 #!/usr/bin/env bpftrace

+config = {
+  missing_probes = "ignore";
+}
+
 // A profiling script that logs all the syscalls, per python module.
 // It can be attached to a running process using -p or can be used to trace a python shell interactively.
 //
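Review bot: `missing_probes = "ignore";` in the new `config` block applies to every probe in trace.bt, not only the ones registered through libstapsdt, so a probe that fails to attach for any other reason is dropped without a message. For a profiling script that "logs all the syscalls, per python module", a run that attached to fewer probes than intended would then look like a clean trace. Consider `missing_probes = "warn";` so the skipped probes are still reported, and add a comment above the block saying why it is needed. Since the thread mentions older bpftrace builds being in use, it would also help to state the minimum bpftrace version that accepts this `config` key.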
  • bpftrace works just fine, but an older version emits some errors under arm64, so I prepend the bpftrace command as ./bpftrace to use the local bpftrace version. (We might need some os.getenv("BPFTRACE_BIN", "bpftrace") or something.)

@wkpark wkpark force-pushed the support-stapsdt branch from f0a22dc to bc7d6e2 Compare March 6, 2026 06:33
avilum (Owner) commented Mar 7, 2026

@wkpark Hey - thanks for the additions! I love this approach.

If I understand it correctly, we better wait for the linux-usdt repo PR to merge the ARM support PR you opened, am I right?

Also, did you test it with the secimport docker container?

Thank you!

@wkpark wkpark force-pushed the support-stapsdt branch from 8590574 to 4b09761 Compare March 8, 2026 13:12
wkpark (Author) commented Mar 8, 2026

> @wkpark Hey - thanks for the additions! I love this approach.
>
> If I understand it correctly, we better wait for the linux-usdt repo PR to merge the ARM support PR you opened, am I right?

I would like to see that PR merged, but the upstream (libstapsdt) hasn't been active for a long time. I don't think it will happen soon, so I think we shouldn't wait for it. Maybe merging this PR first will encourage them.

> Also, did you test it with the secimport docker container?

Regarding Docker, it is not fully tested yet. But since the secimport + stapsdt combination worked so well, I wanted to share the code quickly. I will test Docker further very soon.

> Thank you!

Thank you for your great project!!

wkpark added 2 commits March 22, 2026 05:57
- Implement dynamic USDT probe firing in `secure_import` using `stapsdt` to support standard Python binaries without DTrace.
- Replace `assert` with explicit `RuntimeError` in `sandbox_helper.py` to prevent security bypass in optimized mode (-O).
- Update CLI to detect `WITH_DTRACE` and provide installation guides for `libstapsdt` and `stapsdt`.
- Add `tests/test_stapsdt_support.py`
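
The `assert`-to-`RuntimeError` change named in the commit message above matters because CPython removes `assert` statements from the bytecode at `-O`. The following is an added example, not code from secimport or from this PR: the two guard functions and the allowlist are hypothetical, and `compile(..., optimize=1)` stands in for running the interpreter with `python -O`.

```python
# Added example (constructed): a guard written with `assert` vs. an explicit raise.
# GUARD_SRC is a stand-in, not secimport's sandbox_helper.py.
GUARD_SRC = '''
def guard_with_assert(module_name, allowed):
    # Stripped from the bytecode when Python runs with -O / -OO.
    assert module_name in allowed, f"{module_name} is not allowed"
    return "loaded"

def guard_with_raise(module_name, allowed):
    # Survives every optimization level.
    if module_name not in allowed:
        raise RuntimeError(f"{module_name} is not allowed")
    return "loaded"
'''

ALLOWED = frozenset({"json"})  # hypothetical allowlist


def load_guards(optimize):
    """Compile GUARD_SRC the way the interpreter would at the given -O level."""
    namespace = {}
    exec(compile(GUARD_SRC, "<guards>", "exec", optimize=optimize), namespace)
    return namespace


def outcome(guard, module_name):
    """Return 'blocked' if the guard raised, otherwise the guard's return value."""
    try:
        return guard(module_name, ALLOWED)
    except (AssertionError, RuntimeError):
        return "blocked"


def compare(module_name="os"):
    """Map (optimize level, guard name) -> outcome for a module not on the allowlist."""
    results = {}
    for level in (0, 1):  # 0 = plain `python`, 1 = `python -O`
        guards = load_guards(level)
        for name in ("guard_with_assert", "guard_with_raise"):
            results[(level, name)] = outcome(guards[name], module_name)
    return results


if __name__ == "__main__":
    for key, value in sorted(compare().items()):
        print(key, value)
```

Only the `assert`-based guard changes behaviour between the two levels, which is the bypass the commit closes.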
wkpark (Author) commented Mar 22, 2026

rebased.
(only minimal changes are applied)

@wkpark wkpark closed this Mar 22, 2026
@wkpark wkpark reopened this Mar 23, 2026
@wkpark wkpark marked this pull request as draft March 23, 2026 12:06
wkpark added 2 commits March 23, 2026 12:33
- Refactor `secimport/cli.py` to handle `stapsdt` injection without shell quoting issues.
- Enable wildcard USDT probe matching in bpftrace for non-DTrace environments.

fix

fix