25

I'm trying to dtruss a process in Mac OSX Catalina; however, dtrace is reporting an error.

$ sudo dtruss whoami
dtrace: system integrity protection is on, some features will not be available
dtrace: failed to execute whoami: (os/kern) failure

I'm basically trying to get a stack trace. Can anyone provide guidance on accomplishing this?

Thanks

4
  • 1
    You need to at-least-partly turn off system integrity protection (SIP). This is a cross-site duplicate of several apple.SE questions: this, this, and this. Commented Mar 29, 2020 at 3:54
  • curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace Commented Jun 13, 2022 at 17:37
  • is it possible to run dtruss without doing the complicated things suggested in this question/post/answers? Commented Feb 23, 2023 at 19:41
  • related: stackoverflow.com/questions/31045575/… Commented Feb 23, 2023 at 19:49

2 Answers

28

This article explains how to accomplish this: Enabling D-Trace on system with SIP

You can disable SIP entirely by doing the following:

  1. Reboot your Mac
  2. Hold ⌘R during reboot
  3. From the Utilities menu, run Terminal
  4. Enter the following command
csrutil disable 

Alternatively you can re-enable SIP while still allowing dtrace to work by also running the following:

csrutil enable --without dtrace 

7 Comments

Yep, this should work. Note that the dtruss that ships with macOS is fairly basic/buggy so you might want to use a patched version, e.g. github.com/microsoft/scalar/tree/… (disclosure: those are my patches)
It's important to prefer the csrutil enable --without dtrace command over a blanket disable. This does the job just as well and doesn't turn off all the security features that may make your system more vulnerable.
Update: I've made a more permanent home for the updated/improved dtruss here: gitlab.com/pmdj/macos-dtrace-scripts - I don't have write access to the original repo anymore, where it was just one small script in an otherwise unrelated project.
Not sure if this is specific to Apple silicon or macOS Monterey, but I had to run csrutil enable --without dtrace --without debug in order to get dtrace to work on my M1 Max. According to csrutil status this also disabled kernel integrity protection. Still better than disabling SIP entirely.
@CharlieParker, ...have you read that page? It very explicitly says that the copy of strace it refers to is only for Linux, has no binaries for any other platform, and the Mac install counters are all zeros. (That said, I personally don't use Homebrew for other reasons; I consider its so-called "security model" of installing software in a globally shared, user-writable location wildly unsafe, and prefer to stick with a better-designed alternative).
5

If you are on Apple silicon (like the M1 now), you should not press ⌘R to enter recovery mode. The alternative is to keep pressing the power button until the screen tells you "loading setting...".

And if you want to trace a built-in command like ls, csrutil enable --without dtrace does not work for me, but csrutil disable works.

5 Comments

As mentioned in my comment on the other answer, you can run csrutil enable --without dtrace --without debug to get dtrace working without completely disabling SIP.
curious, is there something wrong with using the strace provided by brew? e.g. formulae.brew.sh/formula/strace
@CharlieParker yes, strace works for Linux only, not for macOS
is it possible to run dtruss without doing the complicated things suggested in this question/post/answers?
@CharlieParker I don't think it's possible, because of the security policy of macOS
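
A pre-flight check for the csrutil settings discussed in both answers, as an added example that is not part of the original posts: it parses `csrutil status` output and reports whether only the DTrace (and Debugging) restrictions were lifted or whether more of SIP is off. The function names, verdict strings and sample text are constructed for illustration, and the `Name: enabled|disabled` item format is an assumption about csrutil's output.

```shell
#!/bin/sh
# Classify `csrutil status` text read from stdin; prints "<verdict> <disabled items>".
# Verdicts: sip-on | sip-off | dtrace-only (DTrace, optionally Debugging, lifted)
#           dtrace-plus (other protections off too) | no-dtrace | unknown
sip_dtrace_check() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /Custom Configuration/) custom = 1
            else if ($0 ~ /status: enabled/) state = "sip-on"
            else if ($0 ~ /status: disabled/) state = "sip-off"
        }
        # Assumed item format: "<indent>DTrace Restrictions: disabled"
        custom && /^[ \t]+[A-Za-z].*: disabled$/ {
            name = $0
            sub(/^[ \t]+/, "", name); sub(/: disabled$/, "", name)
            if (name == "Apple Internal") next   # "disabled" is the normal value
            off = off (off ? "," : "") name
            if (name == "DTrace Restrictions") dtrace = 1
            else if (name != "Debugging Restrictions") extra = 1
        }
        END {
            if (custom) state = dtrace ? (extra ? "dtrace-plus" : "dtrace-only") : "no-dtrace"
            if (state == "") state = "unknown"
            print state, (off ? off : "-")
        }'
}

# Constructed sample (not captured from a real Mac), modelled on a custom configuration.
sample_status() {
    cat <<'EOF'
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled
EOF
}

# On a Mac, check the live state; elsewhere, run the constructed sample.
if command -v csrutil >/dev/null 2>&1; then
    csrutil status | sip_dtrace_check
else
    sample_status | sip_dtrace_check
fi
```

A `dtrace-plus` or `sip-off` verdict means more of SIP is switched off than tracing needs, which is the situation the comments above advise against leaving in place.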