
I have a Rust program that uses a C FFI, and I would like to instrument any time a function from that C FFI is called, and the arguments passed to it.

I'm developing on macOS, and it seems like DTrace is a good fit, but with the macOS SIP enabled, DTrace does not work well. I do not want to disable SIP.

I was looking at using this DTrace provider: `pid$target:::entry`

Questions:

  • Is there a better way to do this on macOS/Rust?

  • What is the best OS to run as a VM in order to use DTrace/eBPF on my Rust program?

zino
  • I was chalking up an answer but I'll ask you here instead - how are you running into `SIP`? It is only enabled on common "protected" directories (`Applications`, `private`, `System` and a couple of others). Are you trying to profile something you've moved there? – Sébastien Renauld Sep 02 '19 at 20:01
  • `sudo dtrace -s script.d -c "./t.sh"` results in `dtrace: failed to execute ./t.sh: dtrace cannot control executables signed with restricted entitlements`... `sudo dtrace -s script.d -c "cargo test test_name --package runtime -- --nocapture --test-threads=1"` results in `dtrace: script 'b.d' matched 258 probes`, but does not print the output. The test starts OS threads, and I want to trace those too. I think perhaps the `-c` of dtrace runs cargo as root, so it does not read the workspace, but I cannot see the output of the `-c`? – zino Sep 02 '19 at 20:28
  • Let me guess. Does `t.sh` invoke anything in any of the protected folders? (I forgot `/usr` in my little list) – Sébastien Renauld Sep 02 '19 at 20:46
  • `t.sh` does not work because it is invoked via `/bin/bash` which is protected, I think. I did get it working with `sudo dtrace -s b.d -c "./target/debug/deps/runtime-069474f52c940449 test_name --nocapture --test-threads=1" -o out.txt`, but I have only tested the `pid$target:::entry` probe so far. – zino Sep 02 '19 at 21:16
  • Just to make sure you're aware: you can re-enable DTrace and leave the rest of SIP enabled. `csrutil enable --without dtrace` – Ken Thomases Sep 02 '19 at 22:56

0 Answers