Basic tracing does not appear to work on macOS Monterey Version 12.5.1

[mdittmer]

I tried what I thought would be the simplest possible example trace on Mac (with SIP turned off; see below), but I only saw a read of the binary I used, not any read/write events associated with the arguments.

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ fsatrace vrwmd - -- cp test_file test_file.copy
argv[0]=cp
argv[1]=test_file
argv[2]=test_file.copy
r|/bin/cp
 $ 

[jacereda]

Hi,

IIRC macOS doesn't allow intercepting system binaries. Try copying the cp binary to /tmp/ and run that one instead. At some point there was a horrible workaround in Shake:

https://github.com/ndmitchell/shake/pull/448/files

[mdittmer]

This does not appear to be related to the location of the binary:

 $ csrutil status
System Integrity Protection status: disabled.
 $ cd $(mktemp -d)
 $ touch test_file
 $ cp /bin/cp ./cp
 $ fsatrace vrwmd - -- ./cp test_file test_file.copy
argv[0]=./cp
argv[1]=test_file
argv[2]=test_file.copy
r|/path/to/tmp/dir/cp
 $ ls
cp		test_file	test_file.copy
 $ 

[jacereda]

In that case, they probably added some other function to libc that isn't intercepted, the output of nm for libSystem (or whatever has the open wrappers, IIRC they splitted libSystem at some point) might help figuring out the cause.