21

I'm trying to dtruss a process in macOS Catalina; however, dtrace is reporting an error.

```
$ sudo dtruss whoami
dtrace: system integrity protection is on, some features will not be available

dtrace: failed to execute whoami: (os/kern) failure
```

I'm basically trying to get a stack trace. Can anyone provide guidance on accomplishing this?

Thanks

  • 1
    You need to at-least-partly turn off system integrity protection (SIP). This is a cross-site duplicate of several apple.SE questions: [this](https://apple.stackexchange.com/questions/208762/now-that-el-capitan-is-rootless-is-there-any-way-to-get-dtrace-working), [this](https://apple.stackexchange.com/questions/343423/opensnoop-dtrace-error-on-enabled-probe-id-5-id-163-syscallopenreturn-i), and [this](https://apple.stackexchange.com/questions/231507/dtrace-script-newproc-d-stopped-working-after-upgrade-because-of-missing-proc). – Gordon Davisson Mar 29 '20 at 03:54
  • curious, is there something wrong with using the `strace` provided by `brew`? e.g. https://formulae.brew.sh/formula/strace – Charlie Parker Jun 13 '22 at 17:37
  • is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? – Charlie Parker Feb 23 '23 at 19:41
  • related: https://stackoverflow.com/questions/31045575/how-to-trace-system-calls-of-a-program-in-mac-os-x – Charlie Parker Feb 23 '23 at 19:49

2 Answers

20

This article explains how to accomplish this: Enabling D-Trace on system with SIP

You can disable SIP entirely by doing the following:

  1. Reboot your mac
  2. Hold ⌘R during reboot
  3. From the Utilities menu, run Terminal
  4. Enter the following command:

```
csrutil disable
```

Alternatively, you can re-enable SIP while still allowing dtrace to work by also running the following:

```
csrutil enable --without dtrace
```
  • 1
    Yep, this should work. Note that the `dtruss` that ships with macOS is fairly basic/buggy so you might want to use a patched version, e.g. https://github.com/microsoft/scalar/tree/08abf3732be892d60e770d0539635f8bbe0fe887/Scripts/Mac/Tracing (disclosure: those are my patches) – pmdj Mar 29 '20 at 10:21
  • 4
    It's important to prefer the `csrutil enable --without dtrace` command over a blanket disable. This does the job just as well and doesn't turn off all the security features that may make your system more vulnerable. – dkaranovich Jun 30 '20 at 21:55
  • 2
    **Update:** I've made a more permanent home for the updated/improved `dtruss` here: https://gitlab.com/pmdj/macos-dtrace-scripts - I don't have write access to the original repo anymore, where it was just one small script in an otherwise unrelated project. – pmdj Jun 01 '21 at 13:19
  • Not sure if this is specific to Apple silicon or macOS Monterey, but I had to run `csrutil enable --without dtrace --without debug` in order to get dtrace to work on my M1 Max. According to `csrutil status` this also disabled kernel integrity protection. Still better than disabling SIP entirely. – Terrance Kennedy Nov 10 '21 at 15:02
  • curious, is there something wrong with using the `strace` provided by `brew`? e.g. https://formulae.brew.sh/formula/strace – Charlie Parker Jun 13 '22 at 17:37
  • @CharlieParker, ...have you read that page? It very explicitly says that the copy of strace it refers to is only for Linux, has no binaries for any other platform, and the Mac install counters are all zeros. (That said, I personally don't use Homebrew for other reasons; I consider its so-called "security model" of installing software in a globally shared, user-writable location wildly unsafe, and prefer to stick with a [better-designed alternative](https://nixos.org/)). – Charles Duffy Sep 09 '22 at 21:33
  • is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? – Charlie Parker Feb 23 '23 at 19:41
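The comments above recommend `csrutil enable --without dtrace` over a blanket `csrutil disable`, and one commenter notes that on their machine `--without debug` also had to be added, which `csrutil status` reported as a further loss of protection. The script below is an added example (not from the question, the answers, or Apple's tooling) that parses the text `csrutil status` prints and reports whether dtrace should be able to run and which restrictions beyond DTrace have been relaxed, so you can confirm after rebooting that you lifted only what you meant to. The sample outputs are constructed to match the format `csrutil status` uses (a single status line when SIP is fully on or off, or a `Configuration:` block listing each restriction when a custom configuration is active); on a real machine, feed it `csrutil status | sip_report`.

```shell
#!/bin/sh
# Added example: audit `csrutil status` output for DTrace-related SIP settings.
# The samples below are constructed to mirror csrutil's format; real output
# indents the Configuration entries with tabs, which the parser also accepts.

SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'
# Constructed to resemble the "--without dtrace --without debug" case.
SAMPLE_CUSTOM_DEBUG=$(printf '%s\n' "$SAMPLE_CUSTOM" | sed 's/Debugging Restrictions: enabled/Debugging Restrictions: disabled/')

# Overall SIP state from the status line: enabled, disabled, custom, or unknown.
sip_overall() {
    line=$(printf '%s\n' "$1" | grep 'System Integrity Protection status:')
    case "$line" in
        "")                   echo unknown ;;
        *"status: enabled"*)  echo enabled ;;
        *"status: disabled"*) echo disabled ;;
        *)                    echo custom ;;
    esac
}

# Names of restrictions listed as "disabled" in a custom configuration, one per
# line. "Apple Internal" is always disabled on retail machines, so it is dropped.
sip_disabled_restrictions() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*\(.*\): disabled$/\1/p' \
        | grep -v '^Apple Internal$' || :
}

# Disabled restrictions other than DTrace: anything here is more than
# `csrutil enable --without dtrace` alone would relax.
sip_extra_disabled() {
    sip_disabled_restrictions "$1" | grep -v '^DTrace Restrictions$' || :
}

# "yes" when dtrace/dtruss should run: SIP fully off, or the DTrace
# restriction specifically lifted. "no" otherwise.
dtrace_allowed() {
    case "$(sip_overall "$1")" in
        disabled) echo yes ;;
        custom)
            if sip_disabled_restrictions "$1" | grep -qx 'DTrace Restrictions'; then
                echo yes
            else
                echo no
            fi ;;
        *) echo no ;;
    esac
}

# Human-readable summary; pass the status text as $1 or pipe it on stdin.
sip_report() {
    status=${1:-$(cat)}
    echo "SIP: $(sip_overall "$status")"
    echo "dtrace: $(dtrace_allowed "$status")"
    if [ "$(sip_overall "$status")" = disabled ]; then
        echo "warning: SIP is fully disabled; 'csrutil enable --without dtrace' is enough for dtrace"
    fi
    extra=$(sip_extra_disabled "$status")
    if [ -n "$extra" ]; then
        echo "warning: restrictions disabled beyond DTrace: $(printf '%s' "$extra" | tr '\n' ',' | sed 's/,$//')"
    fi
    return 0
}

# Demonstration on the constructed samples.
sip_report "$SAMPLE_CUSTOM"
sip_report "$SAMPLE_CUSTOM_DEBUG"
```

Run it on a real machine with `csrutil status | sh -c '. ./sipcheck.sh; sip_report'` (or source the file and call `sip_report` directly). An `enabled` result with `dtrace: no` is the state that produces the `(os/kern) failure` from the question; `custom` with only `DTrace Restrictions` listed is the minimal change the accepted answer's second command makes.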
4

If you are on Apple silicon (like M1 now), you should not press ⌘R to enter recovery mode. The alternative is to keep pressing the power button until the screen tells you "loading setting...".

And if you want to trace a built-in command like ls, csrutil enable --without dtrace does not work for me, but csrutil disable works.
