How to trace system calls of a program in Mac OS X?

Question

I wanted to trace the system calls made by the find command to debug some performance issues however I could not figure out how to do this on Mac OS X Yosemite. How can I trace system calls for an arbitrary program similarly to what strace does on FreeBSD? I am especially interested in tracing file-system related calls.

A quick search for *strace osx* gave me [this four year old blog post](https://opensourcehacker.com/2011/12/02/osx-strace-equivalent-dtruss-seeing-inside-applications-what-they-do-and-why-they-hang/). It should be easy to find other alternatives using the same search. — Some programmer dude, Jun 25 '15 at 08:54
@JoachimPileborg Nice point. I went another way, starting with *apropos trace* and searching from that. I overlooked *dtruss* and *dtrace* because all outcomes I have found were about a trace utility for the *D* language. — Michaël Le Barbier, Jun 25 '15 at 09:16
Just a note, FreeBSD ships with [truss(1)](https://www.freebsd.org/cgi/man.cgi?query=truss&manpath=FreeBSD+12.2-RELEASE+and+Ports), not strace. — Mateusz Piotrowski, Dec 11 '20 at 14:18

score 87 · Answer 1 · edited Dec 15 '21 at 19:57

87

Under current versions of macOS, executables under paths covered by SIP (like /usr/bin) cannot be traced.

You can bypass this by making a copy of the executable in your home directory and tracing the copy:

cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …

You needed to remove the code signature from the new find executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).

edited Dec 15 '21 at 19:57

Brian Peterson

2,835
5
27
33

answered Oct 17 '17 at 20:53

In my case after copying of the executable the bug that I wanted to debug stopped happening ..( – Nakilon Oct 20 '17 at 08:14
2

Probably my bug is really SIP-related so that's a success too. – Nakilon Oct 21 '17 at 03:13
23

Not working on macOS 10.15.4. Had to execute `codesign --remove-signature ./find` first. – Anmol Singh Jaggi Jun 10 '20 at 11:28

score 80 · Accepted Answer · edited Jun 25 '15 at 10:31

80

You can use dtruss like in

sudo dtruss find ~/repo -depth 2 -type d -name '.git'

The manual page of that utility will help you to tailor the use of the tool to your needs.

edited Jun 25 '15 at 10:31

Michaël Le Barbier

5,645
4
27
56

answered Jun 25 '15 at 08:54

jspcal

49,231
7
69
74

25

dtruss did work then (June '15) but was broken by the System Integrity Protection regime of El Capitan. – Olsonist Feb 25 '17 at 22:09
3

@Olsonist Same issue with dtrace: `the current security restriction (rootless enabled) prevent dtrace from attaching to an executable not signed with the [com.apple.security.get-task-allow] entitlement` – Nakilon Oct 17 '17 at 02:52
5

It is possible to disable SIP https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html – mttrb Oct 17 '17 at 02:55
2

Also see https://stackoverflow.com/questions/33476432/is-there-a-workaround-for-dtrace-cannot-control-executables-signed-with-restri – mttrb Oct 17 '17 at 02:56
Adding a real example is helpful for testing, thanks. – Brian Peterson Dec 15 '21 at 20:01

How to trace system calls of a program in Mac OS X?

2 Answers2

Linked