
I am entirely new to dtruss, but familiar with strace.

Consider the following Hello World program:

#include <stdio.h>

int main(){
  printf("hello world\n");  /* ends up as a single write(2) to fd 1 */
  return 0;
}

When I compile and run this on Linux with strace, I get several lines of output, including the following system call:

strace ./HelloWorld
...
write(1, "hello world\n", 12hello world
)           = 12

When I compile and run this on macOS with dtruss, I do not get any system calls.

sudo dtruss -f   ./Hello
Password:
dtrace: system integrity protection is on, some features will not be available

        PID/THRD  SYSCALL(args)                  = return
hello world

Why do I not see a write system call? How can I change my dtruss invocation to show me the system calls?

My understanding is that system integrity protection only applies to system binaries, but I'm happy to learn evidence to the contrary.

Mateusz Piotrowski
merlin2011

1 Answer

AFAIK, you need to disable SIP in order to use DTrace on macOS in any meaningful way. It does not matter if you are tracing system binaries or not. SIP seems to still limit DTrace.

If you take a look at the output of dtrace -l, then you'll see that there are no probes related to system calls listed. At the same time, if you look at the output of grep 'syscall:.*:.*:.*' /usr/bin/dtruss, then you'll see that dtruss is using the syscall DTrace provider to attach to the system calls.

Mateusz Piotrowski
  • I got the impression that SIP only applies to system executables from [this post](https://poweruser.blog/using-dtrace-with-sip-enabled-3826a352e64b), but I guess it is out of date? – merlin2011 Mar 02 '23 at 09:31
  • @merlin2011, yeah, it seems like SIP protects system binaries in some special way. However, the bigger problem is that `dtrace -l` does not even list system call probes. Without those, you can trace neither system nor your own binaries. – Mateusz Piotrowski Mar 02 '23 at 10:30
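As an added example (not part of the original question or answer), a small POSIX shell check that applies the answer's diagnostic: it parses `dtrace -l` style output and reports whether the syscall provider that dtruss relies on is visible. The two listings are constructed samples, and the column layout (ID PROVIDER MODULE FUNCTION NAME) is assumed to match macOS `dtrace -l`.

```shell
#!/bin/sh
# Count probes whose PROVIDER column is "syscall" in `dtrace -l` output read
# from stdin. The first line is the column header and is skipped.
count_syscall_probes() {
  awk 'NR > 1 && $2 == "syscall" { n++ } END { print n + 0 }'
}

# Run the count on a listing passed as a string (used with the samples below).
syscall_probe_count_from() {
  printf '%s\n' "$1" | count_syscall_probes
}

# "blocked" when no syscall probes are listed (what the answer describes with
# SIP on), "available" otherwise.
syscall_tracing_status() {
  if [ "$(syscall_probe_count_from "$1")" -eq 0 ]; then
    echo blocked
  else
    echo available
  fi
}

# Live check on a real machine (not run here): lists only the syscall
# provider's probes. On macOS this needs sudo, as dtruss does.
live_syscall_probe_count() {
  dtrace -l -P syscall 2>/dev/null | count_syscall_probes
}

# Constructed sample resembling `dtrace -l` with SIP on: no syscall provider.
SIP_ON_SAMPLE='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
    2     dtrace                                                     END
    3     dtrace                                                     ERROR
  123    profile                                                     profile-97'

# Constructed sample with the syscall provider present (e.g. SIP disabled).
SIP_OFF_SAMPLE='   ID   PROVIDER            MODULE                          FUNCTION NAME
    1     dtrace                                                     BEGIN
  210    syscall                                                     exit entry
  211    syscall                                                     exit return
  214    syscall                                                     write entry
  215    syscall                                                     write return'
```

To check a real system, run `sudo dtrace -l | count_syscall_probes` (or `live_syscall_probe_count`); a result of 0 is the situation the answer describes.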