Ticket #5777: Procapi flooding Mac OS system log due to SIP

We have a report from htcondor-users that the condor_procd on Mac OS X El Capitan swamps the system log with errors about denying attempted operations. We believe this is due to procapi calling task_for_pid() on every process in the system to get memory and cpu usage. This call is not allowed for processes protected by SIP (System Integrity Protection). The user also reports reboots and process freezes that may be related.

HTCondor can be more intelligent about this. It doesn't need to collect cpu/memory usage on processes that it doesn't manage. If we can identify processes protected by SIP and avoid calling task_for_pid() on them, I believe that would fix this problem.

[Append remarks]

Remarks:

2016-Jul-07 15:12:07 by jfrey:
This was reported by kkauder@gmail.com on June 23, 2016. The email subject line was 'El Capitan and Sandbox'. Post a followup on htcondor-users when we have a fix ready.

2016-Jul-15 11:29:37 by jfrey:
This is a bit more complicated than I thought. All executables in /bin and /usr/bin are protected by SIP, thus all instances of them are protected, no matter what user they're running as. So a user job started by HTCondor that's a shell script can't be queried.

2016-Jul-22 16:26:22 by jfrey:
The function proc_pid_rusage() does what we need. It allows you to query user and system cpu time and memory usage for a given process, including those protected by SIP. But it was added in Mac OS X 10.9. So we'll need to drop support for older versions or do a fallback.

2016-Sep-28 13:53:00 by tim:
CODE REVIEW: I approve this change. (I had one question as to how the units were determined. Jaime did it empirically (by measurement)).
[Append remarks]

Properties:

Type: defect           Last Change: 2016-Sep-28 13:53
Status: resolved          Created: 2016-Jul-07 15:10
Fixed Version: v080409           Broken Version: v080400 
Priority:          Subsystem: DaemonProcD 
Assigned To: jfrey           Derived From:  
Creator: jfrey  Rust:  
Customer Group: users  Visibility: public 
Notify: tannenba@cs.wisc.edu,tim@cs.wisc.edu  Due Date:  

Related Check-ins:

2016-Aug-01 16:16   Check-in [48918]: Docs for Mac cpu/memory monitoring improvements. #5777 (By Jaime Frey )
2016-Aug-01 16:10   Check-in [48917]: Use proc_pid_rusage() on mac for procapi, where available. #5777 task_for_pid() is unreliable for obtaining memory and cpu usage of processes, more so in Mac OS 10.11 and above. SIP means it fails for processes based on system binaries, while spewing errors to the system logs. Mac OS 10.9 introduced [...] (By Jaime Frey )