81

It looks like in OS X 10.11 El Capitan, dtruss and dtrace can no longer do what they're meant to do. This is the error I get when I try to run sudo dtruss curl ...:

dtrace: failed to execute curl: dtrace cannot control executables signed with restricted entitlements

I've come across people noticing this problem but so far no solutions.

Is there a way to fix this or work around this?

Flimm
    This looks apropos: http://apple.stackexchange.com/questions/208478/how-do-i-disable-system-integrity-protection-sip-aka-rootless-on-os-x-10-11 – Andrew Henle Nov 02 '15 at 12:57
  • Possible duplicate of [dtruss fails on ps on OS X 10.11](http://stackoverflow.com/questions/33275204/dtruss-fails-on-ps-on-os-x-10-11) – kenorb Apr 08 '16 at 10:14

6 Answers

34

Following up to Alexander Ushakov and Charles' answers:

Once you csrutil enable --without dtrace, there is an alternative to copying the binary: run the binary in one Terminal window and trace the Terminal process itself in another Terminal window.

In the first terminal window, find its PID:

$ echo $$
1154

In the second terminal window, begin the trace:

$ sudo dtruss -p 1154 -f

Back in the first terminal window, run the process you want to trace:

$ ls

At this point, you should see the trace in the second window. Ignore the entries for the PID you are tracing (e.g., 1154), and the rest are for the process (and its descendants) you are interested in.

1154/0x1499:  sigprocmask(0x3, 0x7FFF53E5C608, 0x0)      = 0x0 0
1154/0x1499:  sigprocmask(0x1, 0x7FFF53E5C614, 0x7FFF53E5C610)       = 0x0 0
3100/0xa9f3:  getpid(0x7FFF82A35344, 0x7FFF82A35334, 0x2000)         = 3100 0
3100/0xa9f3:  sigprocmask(0x3, 0x10BE32EF8, 0x0)         = 0x0 0
Edward Anderson
Raghu Dodda
    In other words you can attach to a running process but dtruss won't start it. That's weird. Sorta seems like a bug. `dtruss -n` works too. This is a much nicer workaround than copying. – Jason Haslam Aug 13 '16 at 04:21
    Does not seem to work on Monterey for me. Getting a very long output with this line at the end: `: probe description syscall:::entry does not match any probes. System Integrity Protection is on` – talz Sep 05 '22 at 12:36
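The answer above says to ignore the entries for the shell PID you attached to and keep the rest. The following script, an added example and not part of the original answer, does that filtering over `dtruss -f` output and summarises the remaining syscalls per child PID; the sample lines are constructed from the dtruss format shown above.

```sh
# Added example (not part of the original answer): filter `sudo dtruss -p <shell_pid> -f`
# output so that only syscalls from the processes started in the traced shell remain.
# The sample lines are constructed from the dtruss format shown in the answer.

# filter_dtruss SHELL_PID
# Reads dtruss -f output on stdin and drops syscall lines whose "PID/0xTID:" prefix
# belongs to SHELL_PID (the shell you attached to); everything else passes through.
filter_dtruss() {
  awk -v shell="$1" '
    /^[0-9]+\/0x[0-9a-fA-F]+:/ {
      pid = substr($0, 1, index($0, "/") - 1)
      if (pid != shell) print
      next
    }
    { print }   # headers such as "SYSCALL(args) = return" are kept
  '
}

# syscall_summary SHELL_PID
# Same input; prints "PID syscall count" for every child process, sorted.
syscall_summary() {
  filter_dtruss "$1" | awk '
    /^[0-9]+\/0x[0-9a-fA-F]+:/ {
      pid = substr($0, 1, index($0, "/") - 1)
      sub(/^[^:]+:[ \t]+/, "")                 # strip "PID/0xTID:  " prefix
      name = substr($0, 1, index($0, "(") - 1) # syscall name ends at "("
      count[pid " " name]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort
}

# Constructed sample: two lines from the tracer shell (1154) and three from children.
SAMPLE='1154/0x1499:  sigprocmask(0x3, 0x7FFF53E5C608, 0x0)      = 0x0 0
1154/0x1499:  sigprocmask(0x1, 0x7FFF53E5C614, 0x7FFF53E5C610)       = 0x0 0
3100/0xa9f3:  getpid(0x7FFF82A35344, 0x7FFF82A35334, 0x2000)         = 3100 0
3100/0xa9f3:  sigprocmask(0x3, 0x10BE32EF8, 0x0)         = 0x0 0
3101/0xa9f4:  open("/etc/hosts\0", 0x0, 0x0)         = 3 0'

printf '%s\n' "$SAMPLE" | filter_dtruss 1154
printf '%s\n' "$SAMPLE" | syscall_summary 1154
```

In real use, pipe `sudo dtruss -p 1154 -f 2>&1 | filter_dtruss 1154` instead of the constructed sample.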
26

For those who want to dtrace a system-shipped binary after csrutil disable, copy it to a directory that is not "restricted", for example, /tmp:

CC@~ $ csrutil status
System Integrity Protection status: disabled.
CC@~ $ cp /bin/echo /tmp
CC@~ $ sudo dtruss /tmp/echo

SYSCALL(args)        = return
thread_selfid(0x0, 0x0, 0x0)         = 46811 0
csops(0x0, 0x0, 0x7FFF51B6CA20)      = 0 0
issetugid(0x0, 0x0, 0x7FFF51B6CA20)      = 0 0
shared_region_check_np(0x7FFF51B6A918, 0x0, 0x7FFF51B6CA20)      = 0 0
stat64("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0x7FFF51B6BEA8, 0x7FFF51B6CA20      = 0 0

See @J.J's comment: https://apple.stackexchange.com/questions/208762/now-that-el-capitan-is-rootless-is-there-any-way-to-get-dtrace-working/224731#224731

C.W.
    just a heads-up that this doesn't work for me on El Capitan 10.11.4. I'm trying to work out why Picasa isn't starting and so copied it to /tmp but see: `~$ sudo dtruss -f -t open sudo -u $USER /tmp/Picasa dtrace: failed to execute sudo: dtrace cannot control executables signed with restricted entitlements` – sming Mar 22 '16 at 14:32
  • That would be because dtruss is trying to trace the sudo executable. The second sudo there is not needed. – Grisha Levit May 25 '16 at 01:13
  • Unfortunately this appears to no longer work. Even after removing the code signature from the copied binary (to verify, `codesign -dv ./echo` gives “./echo: code object is not signed at all”), running `sudo dtruss ./echo` gives me “dtrace: failed to execute ./echo: Could not create symbolicator for task”. – Konrad Rudolph Mar 15 '23 at 22:32
22

As Andrew notices, it's because of System Integrity Protection, also known as "rootless".

You can disable it completely or partially (enable just dtrace with some limitations).

Completely disable SIP

Although not recommended by Apple, you can entirely disable System Integrity Protection on your Mac. Here's how:

  1. Boot your Mac into Recovery Mode: reboot it and hold cmd+R until a progress bar appears.
  2. Go to Utilities menu. Choose Terminal there.
  3. Enter this command to disable System Integrity Protection:

$ csrutil disable

It will ask you to reboot — do so and you're free from SIP!

Partially disable SIP

Fortunately, SIP is not monolithic: it's built from many different modules we can disable/enable separately.

Repeat steps 1 and 2 from «Completely disable SIP» section above. Now in Terminal enter these commands:

$ csrutil clear # restore the default configuration first
$ csrutil enable --without dtrace # disable dtrace restrictions *only*

Reboot and enjoy your OS again.

Dtrace starts to work, but you're still unable to attach dtrace to restricted processes.

Alexander Ushakov
    Note that at the end of those instructions it mentions that doing this *doesn't work*. I'm not entirely sure, but given that the error is about things "signed with restricted entitlements", I think it may actually be unrelated to SIP. – Glyph Nov 18 '15 at 06:27
  • @glyph I've tried this instruction and it works for me. The note at the end is about "Partially disable SIP" - in this case, if you only enable dtrace, you're still unable to trace **system** processes which are **restricted**. But you'll be able to dtrace other processes. – Alexander Ushakov Nov 24 '15 at 10:57
  • Do make sure that you target the actual executable; if there's an intermediate script that ultimately calls the executable, dtrace will try to attach to the interpreter, which is likely not to work even with SIP disabled. – Mark Reed Mar 14 '16 at 14:10
    Is there any workaround to allow dtrace to attach to restricted processes? – Heath Borders Sep 16 '16 at 21:27
  • That URL is a 404 anyone have a cache or mirror version? – Schneems Sep 28 '17 at 22:24
    @Schneems Full text of instruction is quoted in the answer – Alexander Ushakov Sep 29 '17 at 11:38
  • I wonder if anyone knows a way to report that to Apple / ask for making the dtrace module/syscalls/probes SIP compatible. Anything else seems to be a bit short-sighted / prone to not work soon after. – Florian Heigl Jan 07 '20 at 15:38
  • csrutil: This tool needs to be executed from Recovery OS. – Taher May 21 '22 at 19:37
10

I would post this as a comment but I'm not allowed.

Disabling SIP is not necessary. Just copy the binary to an alternate location and it works just fine:

$ sudo dtruss ping google.com
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute ping: dtrace cannot control executables signed with restricted entitlements
$ sudo cp $(which ping) .
$ sudo dtruss ./ping google.com
dtrace: system integrity protection is on, some features will not be available

SYSCALL(args)        = return
PING google.com (172.217.10.78): 56 data bytes
^C
$ csrutil status
System Integrity Protection status: enabled.

For binaries that can still function normally after being copied, this is the best option as it captures the entire lifetime of the process and doesn't require disabling any protections.

Jonathan Lynch
  • This doesn't work for me. I'm trying to trace my own binaries which are not restricted and I still get errors from dtruss. – horseyguy Jan 04 '18 at 20:32
    Doesn't work for me on Mojave with executable `/sbin/ifconfig`. Output is `dtrace: failed to execute ./ifconfig: (os/kern) failure`. – Werner Henze Nov 29 '18 at 16:35
  • @WernerHenze figured it out! `dtrace` can't attach to `ifconfig` because of the codesigning process Apple uses. Simply `codesign --remove-signature ./ifconfig` and it should work! – Max Coplan Sep 09 '19 at 22:40
    @MaxCoplan That no longer works either, unfortunately (at least not on ARM chips, which might matter). – Konrad Rudolph Mar 15 '23 at 22:40
8

Looks like completely disabling SIP still blocks dtruss for restricted processes:

$ /usr/bin/csrutil status
System Integrity Protection status: disabled.
$ sudo dtruss /bin/echo "blah"
dtrace: failed to execute /bin/echo: dtrace cannot control executables signed with restricted entitlements
$ sw_vers 
ProductName:    Mac OS X
ProductVersion: 10.11.2
BuildVersion:   15C50
David Mulder
2

See my answer on the related question "How can get dtrace to run the traced command with non-root priviledges?" [sic].

DTrace can snoop processes that are already running. So, start a background process which waits 1 sec for DTrace to start up (sorry for the race condition), and snoop the PID of that process.

sudo true && \
(sleep 1; ps) & \
sudo dtrace -n 'syscall:::entry /pid == $1/ {@[probefunc] = count();}' $! \
&& kill $!

Full explanation in linked answer.

Birchlabs