How to trace system calls of a program in Mac OS X?
Under current versions of macOS, executables under paths covered by SIP (like /usr/bin
) cannot be traced.
You can bypass this by making a copy of the executable in your home directory and tracing the copy:
cp /usr/bin/find find
codesign --remove-signature ./find
sudo dtruss ./find …
You needed to remove the code signature from the new find
executable, otherwise SIP still notices that a system file is being accessed (credit: @Anmol Singh Jaggi).
You can use dtruss like in
sudo dtruss find ~/repo -depth 2 -type d -name '.git'
The manual page of that utility will help you to tailor the use of the tool to your needs.