13

I've the following one-liner to show files opened by process:

sudo dtrace -n 'syscall::open*:entry { printf("%s %s",execname,copyinstr(arg0)); }'

However, I've plenty of repeated errors such as:

dtrace: error on enabled probe ID 4 (ID 946: syscall::open_nocancel:entry): invalid user access in action #2 at DIF offset 24

dtrace: error on enabled probe ID 7 (ID 160: syscall::open:entry): invalid user access in action #2 at DIF offset 24

I'm aware that I can suppress them by redirecting to 2> /dev/null.

What do these errors mean and why are they happening?

Is it dtrace's fault, or is some specific process causing that? And how can this problem be addressed?

I'm using OS X 10.11.2

kenorb

1 Answer

19

This is potentially related to El Capitan and its System Integrity Protection (csrutil status) which can affect the dtrace behaviour.

The potential fix includes rebooting Mac into recovery mode (-R at boot time), then in Terminal run:

csrutil enable --without dtrace

to keep SIP enabled, but disable DTrace restrictions (note: this is an undocumented parameter).

Or disable SIP completely by:

csrutil disable # Not recommended.

See:

kenorb
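Before changing anything in recovery mode, it helps to confirm which SIP state the machine is actually in. The following is an added example, not part of the original answer: it classifies `csrutil status` output so a script can tell whether DTrace restrictions apply. The function name `sip_dtrace_state` is hypothetical, and the sample outputs are constructed on the assumption that a custom configuration lists a `DTrace Restrictions:` line.

```shell
#!/bin/sh
# Classify the DTrace-relevant SIP state from `csrutil status` text on stdin.
# Prints one of: restricted | dtrace-allowed | sip-disabled | unknown
sip_dtrace_state() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /status: disabled/)     overall = "disabled"
            else if ($0 ~ /status: enabled/) overall = "enabled"
        }
        # Only present in a custom configuration; last field is the setting.
        /DTrace Restrictions:/ { dtrace = $NF }
        END {
            if (overall == "disabled")                            print "sip-disabled"
            else if (overall == "enabled" && dtrace == "disabled") print "dtrace-allowed"
            else if (overall == "enabled")                        print "restricted"
            else                                                  print "unknown"
        }'
}

# Constructed sample outputs (assumed format, not captured from a real machine).
SAMPLE_DEFAULT='System Integrity Protection status: enabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled'
SAMPLE_OFF='System Integrity Protection status: disabled.'

if command -v csrutil >/dev/null 2>&1; then
    # On a Mac: report the live state.
    echo "live: $(csrutil status | sip_dtrace_state)"
else
    # Elsewhere: run over the constructed samples.
    for s in "$SAMPLE_DEFAULT" "$SAMPLE_CUSTOM" "$SAMPLE_OFF"; do
        printf '%s\n' "$s" | sip_dtrace_state
    done
fi
```

A result of `sip-disabled` corresponds to the `csrutil disable` option the answer marks as not recommended, so it is worth alerting on in a fleet audit.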