Basic tracing does not appear to work on macOS Monterey Version 12.5.1

jacereda / fsatrace

Filesystem access tracer

ISC License

78 stars 12 forks source link

Basic tracing does not appear to work on macOS Monterey Version 12.5.1 #49

Open mdittmer opened 1 year ago

mdittmer commented 1 year ago

I tried what I thought would be the simplest possible example trace on Mac (with SIP turned off; see below), but I only saw a read of the binary I used, not any read/write events associated with the arguments.

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ fsatrace vrwmd - -- cp test_file test_file.copy
argv[0]=cp
argv[1]=test_file
argv[2]=test_file.copy
r|/bin/cp
 $

jacereda commented 1 year ago

Hi,

IIRC macOS doesn't allow intercepting system binaries. Try copying the cp binary to /tmp/ and run that one instead. At some point there was a horrible workaround in Shake:

https://github.com/ndmitchell/shake/pull/448/files

mdittmer commented 1 year ago

This does not appear to be related to the location of the binary:

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ cp /bin/cp ./cp
 $ fsatrace vrwmd - -- ./cp test_file test_file.copy
argv[0]=./cp
argv[1]=test_file
argv[2]=test_file.copy
r|/path/to/tmp/dir/cp
 $ ls
cp      test_file   test_file.copy
 $

jacereda commented 1 year ago

In that case, they probably added some other function to libc that isn't intercepted, the output of nm for libSystem (or whatever has the open wrappers, IIRC they splitted libSystem at some point) might help figuring out the cause.