[macOS] task_for_pid failing with `0x5`

microsoft / clrmd

Microsoft.Diagnostics.Runtime is a set of APIs for introspecting processes and dumps.

MIT License

1.06k stars 256 forks source link

[macOS] task_for_pid failing with `0x5` #1034

Open adamsitnik opened 2 years ago

adamsitnik commented 2 years ago

I've ported BenchmarkDotNet from ClrMd v1 to v2 hoping that it's going to give us macOS support (https://github.com/dotnet/BenchmarkDotNet/issues/1499).

When I try to attach to the process using DataTarget.AttachToProcess I am getting following error:

task_for_pid failed with status code 0x5

I googled a bit and it seems that I need to sign the app to be able to use this API and also run as root?

Is that true (the first article is from 2010)? Is there no easier way to get it working?

cc @leculver @nxtn @mfilippov

mfilippov commented 2 years ago

@adamsitnik You also need to have entitlement: com.apple.security.get-task-allow

mfilippov commented 2 years ago

Usually dotnet had this entitlements:

codesign -d --entitlements - /usr/local/share/dotnet/dotnet 
Executable=/usr/local/share/dotnet/dotnet
[Dict]
    [Key] com.apple.security.cs.allow-dyld-environment-variables
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.allow-jit
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.debugger
    [Value]
        [Bool] true
    [Key] com.apple.security.cs.disable-library-validation
    [Value]
        [Bool] true
    [Key] com.apple.security.get-task-allow
    [Value]
        [Bool] true

leculver commented 2 years ago

@mikem8361 Knows more about this than I do. Mike, do you know what permissions/entitlements/etc are needed to attach to a process with task_for_pid?

We are at the mercy of whatever Apple requires here. I should probably update the documentation with what we find here. I'm not an OS X expert though.

mikem8361 commented 2 years ago

As far as I know, as long as the host (/usr/local/share/dotnet/dotnet) that is running clrmd has the com.apple.security.cs.debugger entitlement and the target app's host (assuming dotnet) has the com.apple.security.get-task-allow then it should work without being supervisor. Try running the clrmd "side" (the code calling task_for_pid) under sudo.

NinoFloris commented 1 year ago

It would be really helpful if we can get macOS supported. @adamsitnik with some pointers I could work on it. It looks like at the moment it's even gated behind ShouldUseClrMdDisassembler not passing for macOS?

adamsitnik commented 1 year ago

It looks like at the moment it's even gated behind ShouldUseClrMdDisassembler not passing for macOS?

That is correct, I wanted to display a nice error to the users.

nsky99 commented 3 days ago

I have also encountered the same problem. May I ask if your issue has been resolved? I tried to disable Apple's SIP protection and sudo could be called normally, but it cannot be called normally in SIP enabled mode. task_for_pid returned 5