jacereda / fsatrace

Filesystem access tracer
ISC License

Basic tracing does not appear to work on macOS Monterey Version 12.5.1 #49

Open mdittmer opened 2 years ago

mdittmer commented 2 years ago

I tried what I thought would be the simplest possible example trace on Mac (with SIP turned off; see below), but I only saw a read of the binary I used, not any read/write events associated with the arguments.

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ fsatrace vrwmd - -- cp test_file test_file.copy
argv[0]=cp
argv[1]=test_file
argv[2]=test_file.copy
r|/bin/cp
 $ 
jacereda commented 2 years ago

Hi,

IIRC macOS doesn't allow intercepting system binaries. Try copying the cp binary to /tmp/ and run that one instead. At some point there was a horrible workaround in Shake:

https://github.com/ndmitchell/shake/pull/448/files

mdittmer commented 2 years ago

This does not appear to be related to the location of the binary:

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ cp /bin/cp ./cp
 $ fsatrace vrwmd - -- ./cp test_file test_file.copy
argv[0]=./cp
argv[1]=test_file
argv[2]=test_file.copy
r|/path/to/tmp/dir/cp
 $ ls
cp      test_file   test_file.copy
 $ 
jacereda commented 2 years ago

In that case, they probably added some other function to libc that isn't intercepted; the output of nm for libSystem (or whatever has the open wrappers, IIRC they split libSystem at some point) might help figure out the cause.
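As an added diagnostic sketch (not part of this thread and not fsatrace's own code), the following Python script follows the nm suggestion above: it parses `nm -u` output for the traced binary and lists filesystem-looking imports that fall outside the tracer's hooked-function set. The hooked set and the nm sample are constructed assumptions for illustration, not fsatrace's real hook list or real cp output.

```python
import re
import subprocess
from typing import Iterable

# Hypothetical subset of symbols the tracer is assumed to hook; check the real
# list in fsatrace's source before drawing conclusions from this script.
HOOKED = {"open", "openat", "close", "rename", "renameat", "unlink", "unlinkat",
          "fopen", "freopen", "link", "symlink", "mkdir", "rmdir",
          "stat", "fstat", "lstat"}

# Name fragments that suggest a symbol touches the filesystem.
FS_HINT = re.compile(r"(open|rename|unlink|link|file|dir|stat|clone|copy)", re.I)

# Constructed sample of `nm -u <binary>` output (not captured from a real cp).
SAMPLE_NM = """\
                 U ___error
                 U ___stack_chk_fail
                 U _close
                 U _copyfile
                 U _fclonefileat
                 U _fstat
                 U _open
                 U _printf
                 U _unlink
"""


def undefined_symbols(nm_output: str) -> list[str]:
    """Parse `nm -u` output into bare symbol names (leading '_' stripped, as on macOS)."""
    names = []
    for line in nm_output.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[-2] == "U":
            names.append(parts[-1].lstrip("_"))
    return names


def unhooked_fs_symbols(nm_output: str, hooked: Iterable[str] = HOOKED) -> list[str]:
    """Filesystem-looking imports that are not in the hooked set, sorted by name."""
    hooked = set(hooked)
    return sorted(s for s in undefined_symbols(nm_output)
                  if FS_HINT.search(s) and s not in hooked)


def nm_undefined(binary: str) -> str:
    """Run `nm -u` on a real binary; both macOS and GNU nm accept -u."""
    return subprocess.run(["nm", "-u", binary], check=True,
                          capture_output=True, text=True).stdout


if __name__ == "__main__":
    print(unhooked_fs_symbols(SAMPLE_NM))
```

On a real machine, replace `SAMPLE_NM` with `nm_undefined("/path/to/copied/cp")`; any symbol reported is a candidate for why the expected read/write events never appear.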