Apple - Now that El Capitan is "rootless", is there any way to get dtrace working?

System Integrity Protection in 10.11 can be disabled, though it's not something you should do lightly.

You can disable SIP entirely by doing the following:

  1. Reboot your mac
  2. Hold ⌘R during reboot
  3. From the Utilities menu, run Terminal
  4. Enter the following command
csrutil disable

Alternatively you can re-enable SIP while still allowing dtrace to work by also running the following:

csrutil enable --without dtrace

Note, that when doing so you'll get the following warning:

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

Once you reboot, dtrace will work as it did in Yosemite.

Copy the binary to a directory that is not "restricted", for example, /tmp

csrutil disable does not work for dtruss to some degree. But as @J.J said chroot works, this inspired me.

Still I don't know why this works. It may have something to do with the "protected directories", I guess.

Here is the test:

CC@~ $ csrutil status
System Integrity Protection status: disabled.
CC@~ $ sudo dtruss /bin/echo
dtrace: failed to execute /bin/echo: dtrace cannot control executables signed with restricted entitlements
CC@~ $ cp /bin/echo /tmp
CC@~ $ sudo dtruss /tmp/echo

SYSCALL(args)        = return
thread_selfid(0x0, 0x0, 0x0)         = 46811 0
csops(0x0, 0x0, 0x7FFF51B6CA20)      = 0 0
issetugid(0x0, 0x0, 0x7FFF51B6CA20)      = 0 0
shared_region_check_np(0x7FFF51B6A918, 0x0, 0x7FFF51B6CA20)      = 0 0
stat64("/usr/lib/dtrace/libdtrace_dyld.dylib\0", 0x7FFF51B6BEA8, 0x7FFF51B6CA20      = 0 0