How to trace system calls of a program in Mac OS X? - macos

The bounty expires in 6 days. Answers to this question are eligible for a +50 reputation bounty.
Charlie Parker is looking for a more detailed answer to this question:
suggested answer didn't work, error:
Suggested accepted answer doesn't work for me. This is what I tried:
cd ~ cp /usr/bin/find find codesign --remove-signature ./find sudo dtruss ./find … error:
codesign --remove-signature ./find sudo dtruss ./find dtrace: system integrity protection is on, some features will not be available dtrace: failed to execute ./find: Could not create symbolicator for task
I wanted to trace the system calls made by the find command to debug some performance issues however I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.
Suggested accepted answer doesn't work for me. This is what I tried:
cd ~
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …
error:
codesign --remove-signature ./find
sudo dtruss ./find
dtrace: system integrity protection is on, some features will not be available
dtrace: failed to execute ./find: Could not create symbolicator for task

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.
You can bypass this by making a copy of the executable in your home directory and tracing the copy:
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …
You needed to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: #Anmol Singh Jaggi).

You can use dtruss like in
sudo dtruss find ~/repo -depth 2 -type d -name '.git'
The manual page of that utility will help you to tailor the use of the tool to your needs.

Related

Can't find nix-env or nix-build on MacOS Catalina

I can't find nix-env, nix-build, nix-shell etc. on MacOS Catalina.
I installed with:
sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume
and was able to run them yesterday. I restarted my computer and can no longer find them. find / -name nix-env | grep nix-env shows nothing.
I tried installing again with the same command (sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume) but this time it exists immediately with 0 status code.
I suspect I need to do something to mount a virtual drive.
You should follow Notes on the recommended approach.
It looks like the volume is not mounted (check /etc/fstab state with vifs as described in documentation).
Use the Disk Utility UI to remove the nix volume (sudo rm -rf /nix won't work).
Then run the script again and cross fingers your fingers this time: sh <(curl https://nixos.org/nix/install) --darwin-use-unencrypted-nix-store-volume
While Nix (amongst others) installs with bash newer MacOS do use zsh instead of bash.
So you need to update your .zshrc to source this command from bash, too.
In your terminal start editing with:
sudo nano ~/.zshrc
and add:
source ~/.nix-profile/etc/profile.d/nix.sh
Reload and test with
source ~/.zshrc; nix --version

Xcode Development Codesigning Issue

I recently transferred an app from one account to another. I can submit the app to the App Store and run it in the simulator. However, when I try to run it on my device I get this error:
CodeSign /Users/floydresler/Library/Developer/Xcode/DerivedData/App_for_Dark_Tower-egxiflrzexibnghkjwvtznkhigek/Build/Products/Debug-iphoneos/App\ for\ Dark\ Tower.app
cd "/Users/floydresler/Source Code/App for Dark Tower"
export CODESIGN_ALLOCATE=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/bin/codesign_allocate
export PATH="/Applications/Xcode.app/Contents/Developer/Platforms/iPhoneOS.platform/Developer/usr/bin:/Applications/Xcode.app/Contents/Developer/usr/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"
Signing Identity: "iPhone Developer: Floyd Resler (6UFPUB2SE5)"
Provisioning Profile: "Dark Tower Dev"
(31912d69-5ec4-4740-a696-81ea06d3f3fb)
/usr/bin/codesign --force --sign 4EA262133AD193D1EB339D5E39FC055053663735 --entitlements
/Users/floydresler/Library/Developer/Xcode/DerivedData/App_for_Dark_Tower-egxiflrzexibnghkjwvtznkhigek/Build/Intermediates/App\ for\ Dark\ Tower.build/Debug-iphoneos/App\ for\ Dark\ Tower.build/App\ for\ Dark\ Tower.app.xcent --timestamp=none
/Users/floydresler/Library/Developer/Xcode/DerivedData/App_for_Dark_Tower-egxiflrzexibnghkjwvtznkhigek/Build/Products/Debug-iphoneos/App\ for\ Dark\ Tower.app
/Users/floydresler/Library/Developer/Xcode/DerivedData/App_for_Dark_Tower-egxiflrzexibnghkjwvtznkhigek/Build/Products/Debug-iphoneos/App for Dark Tower.app: resource fork, Finder information, or similar detritus not allowed
Command /usr/bin/codesign failed with exit code 1
I have tried cleaning, deleting derived data, recreating the development provisioning profile and nothing works. What am I doing wrong>
A common cause of xcode CodeSign failing with "resource fork, Finder information, or similar detritus not allowed" is additional file attributes being set, often on PNG images.
*** Before proceeding back all your files up, twice, then again, never run batch commands on your project that you dont understand.
You can clean your PNGs with:
find /Users/You/Project -name "*png" -exec xattr -v -c '{}' \;
You can repeat this for all project files with:
find /Users/You/Project -exec xattr -v -c '{}' \;
You can choose just to run this on the built project rather than your source by running it on the directory listed with the error, eg If the error is:
/Users/me/Library/Developer/Xcode/DerivedData/Project-ervhbywkvwhcpnguqaezmqqsbiqe/Build/Products/Debug/My.app: resource fork, Finder information, or similar detritus not allowed
Run:
find /Users/me/Library/Developer/Xcode/DerivedData/Project-ervhbywkvwhcpnguqaezmqqsbiqe/Build/Products/Debug/My.app -exec xattr -v -c '{}' \;

How can I found out what system calls are used for system_profiler SPHardwareDataType

I am looking to find out what system calls (at least a one or two, not all of them obviously) are being used when using the following command in Mac OSX 10.11.3
system_profiler SPHardwareDataType
I'm just not sure how to find out about the system calls in relation to the command.
Thanks,
Jo
Based on the reference I gave in my earlier comment:
sudo dtruss system_profiler
dtruss runs your command and traces the system calls.
sudo runs the dtruss command with root priviledge (you need to be member of the sudoer group; may require you to enter your password).
You may pipe the output through grep to filter the output:
sudo dtruss system_profiler | grep <phrase you are looking for>
You can find detailed info on all these commands using:
man <cmd>
You can search the man pages for keywords:
man -k <keyword>

dtruss fails on ps on OS X 10.11

I was trying to see which syscall ps uses to get the command line of a process on OS X 10.11 (El Capitan), and ran into the following error:
# dtruss ps -p 43520 -o args
dtrace: failed to execute ps: dtrace cannot control executables signed with restricted entitlements
Googling resulted in the suggestion that making a copy of ps would allow me to bypass this, but that didn't work for me. Why can't I run dtruss on arbitrary binaries anymore, and is there any way for me to restore the old behavior?
The issue has to do with the code signature. If you make a copy and then re-sign it with your own identity (or, presumably, any non-Apple identity), then dtrace will attach to it just fine.
$ mkdir ~/temp
$ cp /bin/ps ~/temp/
$ codesign -f -s `whoami` ~/temp/ps
$ sudo dtruss ~/temp/ps -p 43520 -o args
cannot control executables signed with restricted entitlements
Security Integrity Protection ('rootless') is now preventing dtruss from operating here.
You can disable it by booting into Recovery mode, but it looks like dtrace has specifically been blocked regardless of the state of rootless, as can be seen in the source code if you search for "dtrace cannot control".
You can also see from the comments in Pcreate:
/*
* <rdar://problem/13969762>:
* If the process is signed with restricted entitlements, the libdtrace_dyld
* library will not be injected in the process. In this case we kill the
* process and report an error.
*/

How can I get status of make command in OS X?

I'm trying to compile tesseract-ocr on my Mac 10.9 but It gets stock at:
libtool: link: (cd ".libs" && rm -f "libtesseract.dylib" && ln -s "libtesseract.3.dylib" "libtesseract.dylib")
It really takes a long time and I don't know if it is doing anything useful so is there any way I can get status of it's progress or at leas see what it is doing?
here is the lisf of commands I run to get here:
svn checkout http://tesseract-ocr.googlecode.com/svn/trunk/ tesseract-ocr
cd tesseract-ocr
sh ./autogen.sh
./configure
make
By the way it takes my CPU activity very high that my MacBook fan is turned on. I'm also using iTerm as my shell.

Resources