Apple - Now that El Capitan is "rootless", is there any way to get dtrace working?
System Integrity Protection in 10.11 can be disabled, though it's not something you should do lightly.
You can disable SIP entirely by doing the following:
- Reboot your Mac
- Hold ⌘R during reboot
- From the Utilities menu, run Terminal
- Enter the following command
Alternatively you can re-enable SIP while still allowing dtrace to work by also running the following:

    csrutil enable --without dtrace

Note that when doing so you'll get the following warning:
This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
Once you reboot, dtrace will work as it did in Yosemite.
Copy the binary to a directory that is not "restricted", for example,
csrutil disable does not work for dtruss to some degree. But as @J.J said chroot works, this inspired me.
Still I don't know why this works. It may have something to do with the "protected directories", I guess.
Here is the test:

    CC@~ $ csrutil status
    System Integrity Protection status: disabled.
    CC@~ $ sudo dtruss /bin/echo
    dtrace: failed to execute /bin/echo: dtrace cannot control executables signed with restricted entitlements
    CC@~ $ cp /bin/echo /tmp
    CC@~ $ sudo dtruss /tmp/echo
    SYSCALL(args) = return
    thread_selfid(0x0, 0x0, 0x0) = 46811 0
    csops(0x0, 0x0, 0x7FFF51B6CA20) = 0 0
    issetugid(0x0, 0x0, 0x7FFF51B6CA20) = 0 0
    shared_region_check_np(0x7FFF51B6A918, 0x0, 0x7FFF51B6CA20) = 0 0
    stat64("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0x7FFF51B6BEA8, 0x7FFF51B6CA20 = 0 0
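
To check which SIP state a machine was left in after the steps discussed above, this added example (not part of any answer on this page) classifies the text printed by `csrutil status`. The function names and sample outputs are constructed for illustration, and the `(Custom Configuration)` suffix and per-feature `DTrace Restrictions:` line are assumed output formats.

```shell
#!/bin/sh
# Added example: classify `csrutil status` output for a configuration audit.
# Sample outputs are constructed; the custom-configuration layout is an assumption.
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

# sip_classify TEXT -> prints enabled | disabled | custom-dtrace-unrestricted | custom | unknown
sip_classify() {
    printf '%s\n' "$1" | awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /status: disabled/) state = "disabled"
            else if ($0 ~ /status: enabled/) state = "enabled"
            if ($0 ~ /Custom Configuration/) custom = 1
        }
        /^[ \t]*DTrace Restrictions:[ \t]*disabled/ { dtrace_off = 1 }
        /unsupported configuration/ { custom = 1 }
        END {
            if (state == "disabled")    print "disabled"
            else if (dtrace_off)        print "custom-dtrace-unrestricted"
            else if (custom)            print "custom"
            else if (state == "enabled") print "enabled"
            else                         print "unknown"
        }'
}

# sip_audit TEXT -> returns 0 only when SIP is fully enabled; prints a finding otherwise.
sip_audit() {
    verdict=$(sip_classify "$1")
    case "$verdict" in
        enabled)  echo "OK: SIP fully enabled"; return 0 ;;
        disabled) echo "FINDING: SIP disabled (csrutil disable)"; return 2 ;;
        custom-dtrace-unrestricted)
                  echo "FINDING: SIP enabled, DTrace restrictions lifted (unsupported)"; return 1 ;;
        custom)   echo "FINDING: SIP in an unsupported custom configuration"; return 1 ;;
        *)        echo "UNKNOWN: could not parse csrutil output"; return 3 ;;
    esac
}

# On a Mac, audit the live state; elsewhere this is skipped.
if command -v csrutil >/dev/null 2>&1; then
    sip_audit "$(csrutil status)" || true
fi
```
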