System Integrity Protection (often shortened to SIP, internally known as CSR and originally rootless) is a set of related macOS security features that protect certain sensitive system functionality, so that only appropriately entitled processes can use them. It was introduced in OS X El Capitan.
The protections apply even for the root user, thereby protecting the operating system from social engineering attacks that are carried out by tricking a user with admin privileges into typing their password.
csrutil
The level of System Integrity Protection is configurable by the user in recoveryOS through the csrutil tool in Terminal. As of macOS Ventura, its help output is the following:
```
usage: csrutil <command>
Modify the System Integrity Protection configuration.
Available commands:
    clear
        Clear the existing configuration.
    disable
        Disable the protection of the OS installation. Only available in Recovery OS.
    enable
        Enable the protection of the OS installation. Only available in Recovery OS.
    status
        In Recovery OS, displays the configuration for each OS installation.
        In macOS, displays the configuration of the running OS.
    authenticated-root
        status
            Show the current authenticated root setting.
        disable
            Allow booting from non-sealed system snapshots. Only available in Recovery OS.
        enable
            Only allow booting from sealed system snapshots. Only available in Recovery OS.
```
csrutil has undocumented flags that allow SIP to be partially enabled. The --without flags can be combined.
| Command | Effect |
|---|---|
| csrutil enable --without debug | Processes without the get-task-allow entitlement can be attached to by debuggers |
| csrutil enable --without dtrace | macOS system processes can be traced by DTrace |
| csrutil enable --without fs | SIP-protected file paths can be read and written by non-entitled processes |
| csrutil enable --without kext | Unsigned kernel extensions are loaded |
| csrutil enable --without nvram | SIP-protected NVRAM variables can be read and written |
Using any of these flags puts the rest of SIP at risk, since each of them allows SIP to be fully bypassed in some way.
Configuration
On Intel Macs, SIP configuration is stored in an NVRAM variable named csr-active-config and used by all installations of macOS, while on Apple Silicon Macs, it is stored in the device tree under lp-sip0 for the specific installation that recoveryOS is tied to.[1] It is a bitmask of the following fields:[2]
```c
#define CSR_ALLOW_UNTRUSTED_KEXTS            (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS            (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID               (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER            (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL             (1 << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE        (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM         (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION       (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS            (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS           (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT       (1 << 11)
```
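As an added example (not code from this page, Apple, or csrutil), the following C program decodes a csr-active-config value the way an auditor checking an Intel Mac's SIP state would: it parses the value column of `nvram csr-active-config` output (printable bytes appear literally, other bytes as %XX escapes, least significant byte first; that output format is an assumption here) and names every CSR_ALLOW_* bit that is set, reporting bits the table does not know so that a newer macOS is not silently misread.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Bit assignments from the csr.h excerpt on this page. */
#define CSR_ALLOW_UNTRUSTED_KEXTS            (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS            (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID               (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER            (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL             (1 << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE        (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM         (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION       (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS            (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS           (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT       (1 << 11)
#define F(x) { CSR_ALLOW_##x, "CSR_ALLOW_" #x }
static const struct { uint32_t bit; const char *name; } csr_names[] = {
    F(UNTRUSTED_KEXTS), F(UNRESTRICTED_FS), F(TASK_FOR_PID), F(KERNEL_DEBUGGER),
    F(APPLE_INTERNAL), F(UNRESTRICTED_DTRACE), F(UNRESTRICTED_NVRAM), F(DEVICE_CONFIGURATION),
    F(ANY_RECOVERY_OS), F(UNAPPROVED_KEXTS), F(EXECUTABLE_POLICY_OVERRIDE), F(UNAUTHENTICATED_ROOT),
};
static const char hexdig[] = "0123456789abcdef";
static int hexval(int c) { const char *p = c ? strchr(hexdig, tolower((unsigned char)c)) : NULL; return p ? (int)(p - hexdig) : -1; }
/* Parse the value column as nvram(8) prints it (assumed format: printable bytes literal, others %XX, LSB first); -1 if malformed. */
int64_t csr_parse_nvram(const char *s) {
    uint32_t v = 0; unsigned b; int n = 0;
    for (; *s && *s != '\n'; n++) {
        if (n == 4) return -1;                      /* csr-active-config is exactly 4 bytes */
        if (*s == '%') {
            int h = hexval(s[1]), l = h < 0 ? -1 : hexval(s[2]);
            if (l < 0) return -1;                   /* escape must be two hex digits */
            b = (unsigned)(h * 16 + l); s += 3;
        } else b = (unsigned char)*s++;
        v |= b << (8 * n);
    }
    return n ? (int64_t)v : -1;
}
static char csr_buf[1024];
/* Newline-separated names of every set flag, plus any bits this table does not know (e.g. a newer macOS). */
const char *csr_describe(uint32_t config) {
    size_t used = 0; uint32_t known = 0; csr_buf[0] = '\0';
    for (size_t i = 0; i < sizeof csr_names / sizeof csr_names[0]; i++) {
        known |= csr_names[i].bit;
        if (config & csr_names[i].bit) used += (size_t)snprintf(csr_buf + used, sizeof csr_buf - used, "%s\n", csr_names[i].name);
    }
    if (config & ~known) snprintf(csr_buf + used, sizeof csr_buf - used, "unknown bits 0x%x\n", config & ~known);
    return csr_buf;
}
```

A fully enabled SIP decodes to an empty list (config 0); feeding the constructed value "w%00%00%00" (0x77) shows why the partial flags above matter, since six CSR_ALLOW_* bits are set at once.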