Prahsantkumar Patel edited this page Jun 2, 2017 · 13 revisions

Friday 05/26/2017

1. Dtrace and Dtruss

Dtruss is a shell script that wraps Dtrace. Dtruss can give us precise details of the system calls made by an executable on macOS, in a readable text format. It is "supposedly" better than strace on other Unix systems. Please see this link: Strace and Dtrace

Now comes the new security feature that macOS has introduced, called "System Integrity Protection", aka "SIP". Read more about SIP. Essentially, it adds an extra layer of protection to system folders such as /usr, /bin, /sbin, etc., so that even programs running as root cannot modify their contents. Hence it is called rootless mode.

Now, Dtruss is a root-mode program. Starting with OS X El Capitan, if we want to trace the system calls we have two options.

  1. Disable SIP (Completely or Partially)
  2. Run Dtruss in unprotected directories

Let me go through both of these approaches one by one. I will discuss the merits and demerits of both in the following sections.

Disable SIP (Completely or Partially)

  1. Disable completely

(Caution: this could be dangerous, at least according to Apple.) The process itself is not very complicated, but the one problem is that we can't automate it.

  • Restart Your Mac Computer.
  • As OS X starts up, hold down Command-R and keep it held down until you see an Apple icon and a progress bar. Release. This boots you into Recovery.
  • From the Utilities menu, select Terminal.
  • At the prompt type exactly the following and then press Return: $ csrutil disable
  • Terminal should display a message that SIP was disabled.
  • Restart the OS X.

Now, you might have noticed that we need to boot the computer into recovery mode. That is the step we can't automate with a shell script.

  2. Disable SIP partially

The process is essentially the same, but we can disable SIP specifically for Dtrace only; all the other components stay protected. The steps are as follows.

  • Restart Your Mac Computer.
  • As OS X starts up, hold down Command-R and keep it held down until you see an Apple icon and a progress bar. Release. This boots you into Recovery.
  • From the Utilities menu, select Terminal.
  • At the prompt type exactly the following and then press Return: $ csrutil enable --without dtrace
  • Terminal should display a message that SIP was disabled.
  • Restart the OS X.

Again the problem remains the same: we cannot automate the process. The user has to follow all the steps manually in order to run Dtruss on his/her system. Even if we could somehow automate it, we would need to give the user documentation explaining the complete procedure and all the "potential risks" they are taking.

I read the Apple docs for Dtruss and Dtrace; nothing seems to come up which can help us in this regard. Maybe I am missing something. I am new to OS X, I have used it only once or twice. I can discuss it with Remi next week.

2. Fakeroot

I have tried to use Fakeroot from the following repository. As you can see on the GitHub page of the repository, it says OS X El Capitan is not supported.

Besides the above repo, here is what I tried.

  • Manually compiling the fakeroot from source and then running it.
  • Installing it with brew install dpkg [fakeroot comes with dpkg].

None of those seemed to work as promised. Remi pointed out it might be because of SIP. I disabled SIP completely and then tried again. No luck so far.



Friday 06/02/2017

2. Code Injection

In order to trace calls we tried C code injection. I came across these resources which got me started.

I tried both approaches. In the first one the code compilation issue was daunting; it needed a specific architecture to work on. In the second approach I wrote a small C program which overrides these functions:

  • open
  • read
  • fopen

The problem remains the same: if I inject libraries after disabling SIP, it works; otherwise it won't, unless we copy the binaries from system directories to local directories and then inject the libs. I am working on another approach which Remi told me to take a look at: Binary Run.
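The following preflight script is an added example, not code from the original wiki page. It covers the two workarounds above in one place: reading `csrutil status` output to tell whether DTrace is usable (SIP fully disabled, or enabled with `--without dtrace`), and staging a binary that lives in a SIP-protected directory into a local directory so that dtruss or an injected library works on the copy rather than the protected original. The function names are our own; the status strings matched are the wording csrutil prints, and the protected-directory list is an assumption based on the folders named above.

```shell
#!/bin/sh
# Added example (not from the wiki page): preflight checks before tracing on macOS.
# Helper names are our own; the csrutil strings follow the tool's documented output.

# dtrace_allowed STATUS_TEXT
# Returns 0 when the supplied `csrutil status` output means DTrace is usable:
# SIP fully disabled, or SIP enabled with `csrutil enable --without dtrace`.
# The text is passed in as an argument so the logic can be checked offline.
dtrace_allowed() {
    case "$1" in
        *"Protection status: disabled"*)   return 0 ;;  # csrutil disable
        *"DTrace Restrictions: disabled"*) return 0 ;;  # csrutil enable --without dtrace
        *)                                 return 1 ;;
    esac
}

# sip_protected PATH
# Returns 0 when PATH sits under one of the directories SIP locks down (assumed
# list: /System, /usr, /bin, /sbin). /usr/local is tested first because it is
# exempt even though it is under /usr.
sip_protected() {
    case "$1" in
        /usr/local/*)                    return 1 ;;
        /System/*|/usr/*|/bin/*|/sbin/*) return 0 ;;
        *)                               return 1 ;;
    esac
}

# stage_binary SRC STAGEDIR
# Copies SRC into STAGEDIR (created if needed), makes the copy executable and
# prints its path. SIP protects the original file, not a copy elsewhere.
stage_binary() {
    src=$1
    dir=$2
    mkdir -p "$dir" || return 1
    dst="$dir/$(basename "$src")"
    cp "$src" "$dst" || return 1
    chmod u+x "$dst" || return 1
    printf '%s\n' "$dst"
}

# traceable_path PATH STAGEDIR
# Prints the path to point dtruss (or library injection) at: a staged copy for
# protected binaries, the original path for everything else.
traceable_path() {
    if sip_protected "$1"; then
        stage_binary "$1" "$2"
    else
        printf '%s\n' "$1"
    fi
}

# Top-level use on a Mac only: warn if SIP still blocks DTrace, then trace the
# (possibly staged) binary given as the first argument, defaulting to /bin/ls.
if [ "$(uname -s)" = Darwin ] && command -v csrutil >/dev/null 2>&1; then
    if ! dtrace_allowed "$(csrutil status 2>&1)"; then
        echo "warning: SIP restricts DTrace; tracing may fail (see the recovery-mode steps)" >&2
    fi
    target=$(traceable_path "${1:-/bin/ls}" "${TMPDIR:-/tmp}/dtruss-stage")
    sudo dtruss -f "$target"
fi
```

On Linux or any machine without csrutil the top-level block does nothing, so the helpers can be exercised on their own; on a Mac, the same staged path returned by traceable_path is the one to use when injecting a library into the program instead of tracing it with dtruss.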
