Search code examples
macoslldb

macos use of lldb fails with attach denial message


Sonoma 14.5, M3. lldb-1500.0.404.7, Apple Swift version 5.10 (swiftlang-5.10.0.13 clang-1500.3.9.4). (I am an ancient linux user.)

I want to run (someone else's) app program in the debugger. For some unexplained reason, on one of my computers, this program simply closes after 2 seconds. This used to be easy on linux: # sudo gdb program and then type run. perhaps insert a breakpoint at _exit. this is really all I want to do.

I do not understand how this is supposed to work on macos. Let me try to do this with Brett Tepstra's excellent "Marked 2" viewer.

$ sudo lldb /Applications/Marked\ 2.app/Contents/MacOS/Marked\ 2 
(lldb) target create "/Applications/Marked 2.app/Contents/MacOS/Marked 2"
Current executable set to '/Applications/Marked 2.app/Contents/MacOS/Marked 2' (arm64).

$ sudo lldb /Application/Application-Name.app/Contents/MacOS/Application-Name

a lot of symbols seem to be loaded, and then I get the next prompt.

(lldb) target create "/Applications/Marked 2.app/Contents/MacOS/Marked 2"
Current executable set to '/Applications/Marked 2.app/Contents/MacOS/Marked 2' (arm64).
(lldb) run
error: process exited with status -1 (attach failed (Not allowed to attach to process.  Look in the console messages (Console.app), near the debugserver entries, when the attach failed.  The subsystem that denied the attach permission will likely have logged an informative message about why it was denied.))

I love clear error message. This isn't one of them.

OK, I open Console.app. There are a whole lot of different things that show up in the console, but debugserver is not one of them. And searching for debugserver (or lldb or Marked) in its right top search field doesn't bring up anything either.

  • how do I run an app in the debugger and see it either fail or complete?

  • is it possible to tell lldb to behave like the ancient gdb. I just want to gdb to run an executable I supply.


Solution

  • The ability to debug an app is an opt-in entitlement that has to be asserted in the binary for the debugger to be allowed to attach. There's a long discussion of that here:

    What does get-task-allow do in Xcode?

    For apps you are working on directly, you can either rely on Xcode to add the right entitlement to your Debug builds, or add it directly yourself using the codesign tool. But if the app comes from a third party, you will either need to get a build with the right entitlements from them, or disable this part of the System Integrity Protections that guards this.

    This developer forum thread shows how to disable this part of SIP if you want your machine to allow debugging more permissively:

    https://forums.developer.apple.com/forums/thread/17452