Mac OSX: Using dtruss?
I'm trying to dtruss a process in Mac OSX Catalina, however dtrace is reporting an error.

$ sudo dtruss whoami
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute whoami: (os/kern) failure

I'm basically trying to get a stack trace. Can anyone provide guidance on accomplishing this?

Thanks

Zsa answered 29/3, 2020 at 0:31 Comment(4)
You need to at least partly turn off System Integrity Protection (SIP). This is a cross-site duplicate of several apple.SE questions: this, this, and this. – Giesser
Curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace – Armory
Is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? – Armory
Related: #31046075 – Armory
This article explains how to accomplish this: Enabling D-Trace on system with SIP

You can disable SIP entirely by doing the following:

  1. Reboot your Mac
  2. Hold ⌘R during reboot
  3. From the Utilities menu, run Terminal
  4. Enter the following command:
     csrutil disable

Alternatively you can re-enable SIP while still allowing dtrace to work by also running the following:

csrutil enable --without dtrace
Zsa answered 29/3, 2020 at 5:11 Comment(7)
Yep, this should work. Note that the dtruss that ships with macOS is fairly basic/buggy, so you might want to use a patched version, e.g. github.com/microsoft/scalar/tree/… (disclosure: those are my patches). – Sulphurbottom
It's important to prefer the csrutil enable --without dtrace command over a blanket disable. This does the job just as well and doesn't turn off all the security features that may make your system more vulnerable. – Nether
Update: I've made a more permanent home for the updated/improved dtruss here: gitlab.com/pmdj/macos-dtrace-scripts. I don't have write access to the original repo anymore, where it was just one small script in an otherwise unrelated project. – Sulphurbottom
Not sure if this is specific to Apple silicon or macOS Monterey, but I had to run csrutil enable --without dtrace --without debug in order to get dtrace to work on my M1 Max. According to csrutil status this also disabled kernel integrity protection. Still better than disabling SIP entirely. – Jaggers
Curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace – Armory
@CharlieParker, ...have you read that page? It very explicitly says that the copy of strace it refers to is only for Linux, has no binaries for any other platform, and the Mac install counters are all zeros. (That said, I personally don't use Homebrew for other reasons; I consider its so-called "security model" of installing software in a globally shared, user-writable location wildly unsafe, and prefer to stick with a better-designed alternative.) – Foresail
Is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? – Armory
If you are on Apple silicon (like M1 now), you should not press ⌘R to enter recovery mode. The alternative is to keep pressing the power button until the screen tells you "loading setting...".

And if you want to trace a built-in command like ls, csrutil enable --without dtrace does not work for me, but csrutil disable works.

Luo answered 1/6, 2021 at 11:43 Comment(5)
As mentioned in my comment on the other answer, you can run csrutil enable --without dtrace --without debug to get dtrace working without completely disabling SIP. – Jaggers
Curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace – Armory
@CharlieParker yes, strace works for Linux only, not for macOS. – Mintun
Is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? – Armory
@CharlieParker I don't think it's possible, because of the security policy of macOS. – Luo
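Added example, not code from the question or from either answer: both answers above end up at one of three SIP states (fully enabled, csrutil disable, or csrutil enable --without dtrace, plus the --without debug variant from the comments), and the "(os/kern) failure" in the question is what the first state looks like from dtruss. Before rebooting into Recovery it is worth checking which state the machine is already in. The function below classifies the output of csrutil status; on a Mac you would call it as sip_check "$(csrutil status)". The three sample outputs are constructed here, and the exact wording of the custom-configuration block ("DTrace Restrictions: disabled" and so on) is an assumption about csrutil's output format, so check it against your own csrutil status before relying on it.

```shell
#!/bin/sh
# Added example (not from the original post): classify `csrutil status`
# output so that the Recovery reboot is only done when it is really needed.
#
# Real use on macOS:   sip_check "$(csrutil status)"
#
# The samples below are CONSTRUCTED to mirror the three states discussed in
# the answers; the field names in the custom block are assumed, not verified.

SAMPLE_FULL="System Integrity Protection status: enabled."

SAMPLE_OFF="System Integrity Protection status: disabled."

SAMPLE_CUSTOM="System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled"

# sip_check STATUS_TEXT
# Prints one of: full-disable | dtrace-only | restricted | unknown
# Exit status: 0 when dtrace/dtruss is permitted, 1 when SIP still blocks it,
# 2 when the text could not be classified.
sip_check() {
    case "$1" in
        *"status: disabled"*)
            echo "full-disable"   # csrutil disable: every protection is off
            return 0 ;;
        *"DTrace Restrictions: disabled"*)
            echo "dtrace-only"    # csrutil enable --without dtrace (custom config)
            return 0 ;;
        *"status: enabled"*|*"DTrace Restrictions: enabled"*)
            echo "restricted"     # the state behind "(os/kern) failure" in the question
            return 1 ;;
        *)
            echo "unknown"
            return 2 ;;
    esac
}

# sip_debug_off STATUS_TEXT
# The Apple-silicon case from the comments, where --without debug was also
# needed: exit 0 when Debugging Restrictions are already off, 1 otherwise.
sip_debug_off() {
    case "$1" in
        *"status: disabled"*|*"Debugging Restrictions: disabled"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone run: show the verdict for each constructed sample.
for s in "$SAMPLE_FULL" "$SAMPLE_OFF" "$SAMPLE_CUSTOM"; do
    sip_check "$s" || true
done
```

The "dtrace-only" verdict is the one to aim for: it is the configuration the Nether comment recommends, because it leaves the rest of SIP (kext signing, filesystem protections, NVRAM protections) in place while still letting dtrace attach.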