Background
It was mentioned in the page quoted below, so I wanted to actually try it.
How to verify
Prepare a copy of the ls command that dtrace can trace
On all current MacOS versions (Catalina 10.15.x, Big Sur 11.x) System Integrity Protection (SIP) is enabled by default and prevents most uses of dtrace and other tools and scripts based on it (i.e. dtruss).
SIP only blocks tracing of system executables that ship with MacOS (i.e. executables that live in paths like /bin, /System, etc.), which means dtrace works for all non-system executables (like your own app).
But what about system executables? Let’s say we wanted to trace all syscalls made by the /bin/ls utility; we could make a copy of it and remove the code signing signature.
$ mkdir test && cd test
$ cp /bin/ls ./
$ sudo codesign --remove-signature ./ls
$ codesign -dv ./ls #verify
./ls: code object is not signed at all
ref. Using dtrace on MacOS with SIP enabled
Check it with dtruss
$ sudo dtruss ./ls
dtrace: system integrity protection is on, some features will not be available
SYSCALL(args) = return
file1.rb file2.rb
munmap(0x1133C4000, 0x98000) = 0 0
munmap(0x11345C000, 0x8000) = 0 0
munmap(0x113464000, 0x4000) = 0 0
munmap(0x113468000, 0x4000) = 0 0
munmap(0x11346C000, 0x50000) = 0 0
open(".\0", 0x100000, 0x0) = 3 0
fcntl(0x3, 0x32, 0x7FF7B3B8D2A0) = 0 0
close(0x3) = 0 0
fsgetpath(0x7FF7B3B8D2B0, 0x400, 0x7FF7B3B8D298) = 32 0
fsgetpath(0x7FF7B3B8D2B0, 0x400, 0x7FF7B3B8D298) = 14 0
csrctl(0x0, 0x7FF7B3B8D6BC, 0x4) = -1 1
__mac_syscall(0x7FF80046108A, 0x2, 0x7FF7B3B8D5E0) = 0 0
csrctl(0x0, 0x7FF7B3B8D6CC, 0x4) = -1 1
__mac_syscall(0x7FF80045E437, 0x5A, 0x7FF7B3B8D660) = 0 0
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
open("/\0", 0x20100000, 0x0) = 3 0
openat(0x3, "System/Cryptexes/OS\0", 0x100000, 0x0) = 4 0
dup(0x4, 0x0, 0x0) = 5 0
fstatat64(0x4, 0x7FF7B3B8C401, 0x7FF7B3B8C800) = 0 0
openat(0x4, "System/Library/dyld/\0", 0x100000, 0x0) = 6 0
fcntl(0x6, 0x32, 0x7FF7B3B8C490) = 0 0
dup(0x6, 0x0, 0x0) = 7 0
dup(0x5, 0x0, 0x0) = 8 0
close(0x3) = 0 0
close(0x5) = 0 0
close(0x4) = 0 0
close(0x6) = 0 0
shared_region_check_np(0x7FF7B3B8CD88, 0x0, 0x0) = 0 0
fsgetpath(0x7FF7B3B8D2E0, 0x400, 0x7FF7B3B8D218) = 83 0
fcntl(0x8, 0x32, 0x7FF7B3B8D2E0) = 0 0
close(0x8) = 0 0
close(0x7) = 0 0
getfsstat64(0x0, 0x0, 0x2) = 7 0
getfsstat64(0x10C388090, 0x3B48, 0x2) = 7 0
getattrlist("/\0", 0x7FF7B3B8D5F0, 0x7FF7B3B8D5B0) = 0 0
fsgetpath(0x7FF7B3B8D240, 0x400, 0x7FF7B3B8D228) = 83 0
stat64("/System/Volumes/Preboot/Cryptexes/OS/System/Library/dyld/dyld_shared_cache_x86_64h\0", 0x7FF7B3B8D6A8, 0x0) = 0 0
stat64("/Users/daiki-kudo/repos/test/ls\0", 0x7FF7B3B8C9E0, 0x0) = 0 0
open("/Users/daiki-kudo/repos/test/ls\0", 0x0, 0x0) = 3 0
mmap(0x0, 0x25150, 0x1, 0x40002, 0x3, 0x0) = 0x10C406000 0
fcntl(0x3, 0x32, 0x7FF7B3B8CAF0) = 0 0
close(0x3) = 0 0
munmap(0x10C406000, 0x25150) = 0 0
stat64("/Users/daiki-kudo/repos/test/ls\0", 0x7FF7B3B8CF40, 0x0) = 0 0
stat64("/usr/lib/libutil.dylib\0", 0x7FF7B3B8BF90, 0x0) = -1 2
stat64("/System/Volumes/Preboot/Cryptexes/OS/usr/lib/libutil.dylib\0", 0x7FF7B3B8BF40, 0x0) = -1 2
stat64("/usr/lib/system/libdispatch.dylib\0", 0x7FF7B3B89B80, 0x0) = -1 2
stat64("/System/Volumes/Preboot/Cryptexes/OS/usr/lib/system/libdispatch.dylib\0", 0x7FF7B3B89B30, 0x0) = -1 2
stat64("/usr/lib/system/libdispatch.dylib\0", 0x7FF7B3B89B80, 0x0) = -1 2
stat64("/usr/lib/libncurses.5.4.dylib\0", 0x7FF7B3B8BF90, 0x0) = -1 2
stat64("/System/Volumes/Preboot/Cryptexes/OS/usr/lib/libncurses.5.4.dylib\0", 0x7FF7B3B8BF40, 0x0) = -1 2
stat64("/usr/lib/libSystem.B.dylib\0", 0x7FF7B3B8BF90, 0x0) = -1 2
stat64("/System/Volumes/Preboot/Cryptexes/OS/usr/lib/libSystem.B.dylib\0", 0x7FF7B3B8BF40, 0x0) = -1 2
open("/dev/dtracehelper\0", 0x2, 0x0) = 3 0
ioctl(0x3, 0x80086804, 0x7FF7B3B8BB68) = 0 0
close(0x3) = 0 0
shared_region_check_np(0xFFFFFFFFFFFFFFFF, 0x0, 0x0) = 0 0
access("/AppleInternal/XBS/.isChrooted\0", 0x0, 0x0) = -1 2
bsdthread_register(0x7FF800703C6C, 0x7FF800703C58, 0x2000) = 1073742303 0
shm_open(0x7FF8005CFF5A, 0x0, 0x5CE447) = 3 0
fstat64(0x3, 0x7FF7B3B8BE20, 0x0) = 0 0
mmap(0x0, 0x2000, 0x1, 0x40001, 0x3, 0x0) = 0x10C408000 0
close(0x3) = 0 0
ioctl(0x2, 0x4004667A, 0x7FF7B3B8BED4) = 0 0
mprotect(0x10C40F000, 0x1000, 0x0) = 0 0
mprotect(0x10C419000, 0x1000, 0x0) = 0 0
mprotect(0x10C41A000, 0x1000, 0x0) = 0 0
mprotect(0x10C424000, 0x1000, 0x0) = 0 0
mprotect(0x10C40A000, 0x98, 0x1) = 0 0
mprotect(0x10C40A000, 0x98, 0x3) = 0 0
mprotect(0x10C40A000, 0x98, 0x1) = 0 0
mprotect(0x10C425000, 0x1000, 0x1) = 0 0
mprotect(0x10C426000, 0x98, 0x1) = 0 0
mprotect(0x10C426000, 0x98, 0x3) = 0 0
mprotect(0x10C426000, 0x98, 0x1) = 0 0
mprotect(0x10C40A000, 0x98, 0x3) = 0 0
mprotect(0x10C40A000, 0x98, 0x1) = 0 0
mprotect(0x10C425000, 0x1000, 0x3) = 0 0
mprotect(0x10C425000, 0x1000, 0x1) = 0 0
issetugid(0x0, 0x0, 0x0) = 0 0
getentropy(0x7FF7B3B8B960, 0x20, 0x0) = 0 0
getpid(0x0, 0x0, 0x0) = 35074 0
csops_audittoken(0x8902, 0x10, 0x7FF7B3B8BF90) = -1 22
proc_info(0x2, 0x8902, 0xD) = 64 0
csops_audittoken(0x8902, 0x10, 0x7FF7B3B8C010) = -1 22
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
csops(0x8902, 0x0, 0x7FF7B3B8C474) = 0 0
mprotect(0x10C386000, 0x40000, 0x1) = 0 0
open_nocancel("/usr/share/locale/UTF-8/LC_CTYPE\0", 0x0, 0x0) = 3 0
fcntl_nocancel(0x3, 0x3, 0x0) = 0 0
getrlimit(0x1008, 0x7FF7B3B8CAC0, 0x0) = 0 0
fstat64(0x3, 0x7FF7B3B8CB38, 0x0) = 0 0
fstat64(0x3, 0x7FF7B3B8C938, 0x0) = 0 0
lseek(0x3, 0x0, 0x1) = 0 0
lseek(0x3, 0x0, 0x0) = 0 0
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
close_nocancel(0x3) = 0 0
ioctl(0x1, 0x4004667A, 0x7FF7B3B8D094) = 0 0
ioctl(0x1, 0x40087468, 0x7FF7B3B8D710) = 0 0
getuid(0x0, 0x0, 0x0) = 0 0
fstatat64(0xFFFFFFFFFFFFFFFE, 0x600001DD0068, 0x7FF7B3B8CF98) = 0 0
open_nocancel(".\0", 0x1000000, 0x0) = 3 0
fchdir(0x3, 0x0, 0x0) = 0 0
open_nocancel(".\0", 0x1000000, 0x0) = 4 0
open_nocancel(".\0", 0x1100004, 0x0) = 5 0
getattrlistbulk(0x5, 0x7FF7B3B8CFE8, 0x7FA67080A000) = 7 0
getattrlistbulk(0x5, 0x7FF7B3B8CFE8, 0x7FA67080A000) = 0 0
close_nocancel(0x5) = 0 0
fchdir(0x4, 0x0, 0x0) = 0 0
close_nocancel(0x4) = 0 0
fstat64(0x1, 0x7FF7B3B8C828, 0x0) = 0 0
ioctl(0x1, 0x4004667A, 0x7FF7B3B8C874) = 0 0
dtrace: error on enabled probe ID 1712 (ID 961: syscall::write_nocancel:return): invalid kernel access in action #12 at DIF offset 68
fchdir(0x3, 0x0, 0x0) = 0 0
close_nocancel(0x3) = 0 0
Here and there, error messages of the form dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
appear in the output.
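As an added example (not code from the original post or from the page it quotes), a small Python parser for dtruss output in the format shown above: it separates syscall lines from the dtrace probe-error lines, counts calls per syscall, and lists the calls that returned a non-zero errno, which is the quickest way to see what the unsigned ls copy touched and which lookups failed. The embedded SAMPLE is a constructed excerpt of the trace above.

```python
import re
from collections import Counter

# One dtruss syscall line: name(args) = return errno
SYSCALL_RE = re.compile(
    r'^(?P<name>\w+)\((?P<args>.*)\)\s+=\s+'
    r'(?P<ret>-?(?:0x[0-9A-Fa-f]+|\d+))\s+(?P<errno>\d+)\s*$')
# One dtrace probe error line, as emitted when SIP blocks kernel access
ERROR_RE = re.compile(
    r'^dtrace: error on enabled probe ID (?P<probe>\d+) '
    r'\(ID (?P<id>\d+): (?P<action>\S+)\)')

# Constructed excerpt of the dtruss output shown above (raw string keeps the literal \0)
SAMPLE = r"""SYSCALL(args) = return
file1.rb file2.rb
open(".\0", 0x100000, 0x0) = 3 0
csrctl(0x0, 0x7FF7B3B8D6BC, 0x4) = -1 1
dtrace: error on enabled probe ID 1741 (ID 571: syscall::sysctl:return): invalid kernel access in action #10 at DIF offset 28
stat64("/usr/lib/libutil.dylib\0", 0x7FF7B3B8BF90, 0x0) = -1 2
mmap(0x0, 0x25150, 0x1, 0x40002, 0x3, 0x0) = 0x10C406000 0
close(0x3) = 0 0
dtrace: error on enabled probe ID 1714 (ID 959: syscall::read_nocancel:return): invalid kernel access in action #12 at DIF offset 68
csops_audittoken(0x8902, 0x10, 0x7FF7B3B8BF90) = -1 22
"""


def parse_dtruss(text):
    """Split raw dtruss output into syscall records, dtrace error records and leftovers."""
    calls, errors, other = [], [], []
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            calls.append({'name': m['name'], 'args': m['args'],
                          'ret': int(m['ret'], 0), 'errno': int(m['errno'])})
            continue
        m = ERROR_RE.match(line)
        if m:
            errors.append({'probe': int(m['probe']), 'action': m['action']})
            continue
        if line.strip():          # header line and the traced program's own stdout
            other.append(line)
    return calls, errors, other


def summarize(calls, errors):
    """Per-syscall counts, failed calls (non-zero errno) and probe errors by action."""
    return {
        'by_syscall': Counter(c['name'] for c in calls),
        'failed': [(c['name'], c['args'], c['errno']) for c in calls if c['errno'] != 0],
        'probe_errors': Counter(e['action'] for e in errors),
    }


if __name__ == '__main__':
    calls, errors, other = parse_dtruss(SAMPLE)
    print(summarize(calls, errors))
```

Feeding the full trace in (for example via `sudo dtruss ./ls 2>&1 | python3 parse_dtruss.py` after adding a stdin read) gives the same summary for the whole run.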
Ref
The following page explains the dtrace command in detail; I read it first to deepen my understanding.