Mac cloud instances can't fully run dtrace

The problem

On all current MacOS versions (Catalina 10.15.x, Big Sur 11.x) System Integrity Protection (SIP) is enabled by default and prevents most uses of dtrace and other tools and scripts based on it (i.e.

The usual way to make dtrace work on MacOS is to boot into recovery mode and disable some of the SIP protections:

$ csrutil enable --without dtrace

However, this only works if you actually can boot into recovery mode - which isn't the case if your Mac is in a remote place and you can only access it through some sort of software-based Remote Desktop (i.e. VNC, Apple Remote Desktop, Teamviewer, etc).

It's also not possible (at least not via self-service to the best of my knowledge) to disable SIP on most Mac Cloud providers, like AWS EC2, Flow Swiss or MacStadium. (For AWS, support has confirmed that it's not possible at all.) Same for Mac CI runners on services like GitHub Actions.

In these cases trying to change the SIP mode in the OS (and not recovery mode) fails:

$ csrutil enable --without dtrace
csrutil: This tool needs to be executed from Recovery OS.

And without that, trying to use dtrace-based tools fails in most cases:

$ sudo dtruss ls -R /Applications
dtrace: system integrity protection is on, some features will not be available
dtrace: failed to execute ls: (os/kern) failure

But there's hope: SIP doesn't block tracing entirely. SIP only blocks tracing of system executables that ship with MacOS (i.e. executables that live in paths like /bin, /System, etc). Which means dtrace works for all non-system executables (like your own app).

But what about system executables? Let's say we wanted to trace all syscalls made by the /bin/ls utility: we could make a copy of it and remove the code signing signature. Now we can trace the syscalls it makes:

$ sudo dtruss -t open_nocancel ~/ls -R /Applications/.

I had the case that I wanted to trace a binary tool with its child processes that makes a lot of calls to standard cmdline tools and the paths to these executables were hardcoded (i.e.

My starting point for getting better tracing results was to let the tool run in a copy of the MacOS base root filesystem via chroot. All files in that chroot had codesigning signatures removed.
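The copy-and-strip step described in the post for system executables such as /bin/ls, written out as an added shell example (not code from the original post). The function names `is_system_path` and `traceable_path` are hypothetical, the path-prefix check is a heuristic built on the post's "/bin, /System, etc", and `codesign --remove-signature` is assumed as the way to remove the signature, since the post does not name the command it used.

```shell
#!/bin/sh
# Added example: hand dtruss either the original executable or, for a
# SIP-shielded system executable, a private copy with the signature removed.

# Return 0 if the path looks like a system executable shipped with macOS.
# Heuristic prefix list (assumption); /usr/local is user-writable and excluded.
is_system_path() {
    case "$1" in
        /usr/local/*) return 1 ;;
        /bin/*|/sbin/*|/usr/*|/System/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the path to trace. Non-system executables are returned unchanged;
# system executables are copied to WORKDIR and the copy's signature is removed.
traceable_path() {
    src=$1
    workdir=${2:-${TMPDIR:-/tmp}/dtrace-copies}
    if ! is_system_path "$src"; then
        printf '%s\n' "$src"
        return 0
    fi
    command -v codesign >/dev/null 2>&1 || {
        echo "codesign not found (not running on macOS?)" >&2
        return 1
    }
    mkdir -p "$workdir" || return 1
    copy=$workdir/$(basename "$src")
    cp "$src" "$copy" || return 1
    # Only the copy is modified; the original system file stays untouched.
    codesign --remove-signature "$copy" >&2 || return 1
    printf '%s\n' "$copy"
}

# Usage: sh trace-copy.sh /bin/ls -R /Applications
if [ "$#" -gt 0 ]; then
    target=$(traceable_path "$1") || exit 1
    shift
    exec sudo dtruss "$target" "$@"
fi
```

On Apple silicon, arm64 code must carry at least an ad-hoc signature to execute, so the stripped copy may additionally need `codesign -s -` before it will run.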