System Integrity Protection

From The Apple Wiki

System Integrity Protection (often shortened to SIP, internally known as CSR, and originally called rootless) is a set of related macOS security features that protect certain sensitive system functionality so that only appropriately entitled processes can use it. It was introduced in OS X El Capitan.

The protections apply even to the root user, which protects the operating system against social engineering attacks in which a user with admin privileges is tricked into typing their password.

csrutil

The level of System Integrity Protection is configurable by the user in recoveryOS through the csrutil tool in Terminal. As of macOS Ventura, its help output is the following:

usage: csrutil <command>
Modify the System Integrity Protection configuration.
Available commands:

    clear
        Clear the existing configuration.
    disable
        Disable the protection of the OS installation. Only available in Recovery OS.
    enable
        Enable the protection of the OS installation. Only available in Recovery OS.
    status
        In Recovery OS, displays the configuration for each OS installation.
        In macOS, displays the configuration of the running OS.

    authenticated-root
        status
            Show the current authenticated root setting.
        disable
            Allow booting from non-sealed system snapshots. Only available in Recovery OS.
        enable
            Only allow booting from sealed system snapshots. Only available in Recovery OS.

csrutil has undocumented --without flags that allow SIP to be partially enabled; several --without flags can be combined in one command.

Command                          Effect
csrutil enable --without debug   Processes without the get-task-allow entitlement can be attached to by debuggers
csrutil enable --without dtrace  macOS system processes can be traced by DTrace
csrutil enable --without fs      SIP-protected file paths can be read and written by non-entitled processes
csrutil enable --without kext    Unsigned kernel extensions can be loaded
csrutil enable --without nvram   SIP-protected NVRAM variables can be read and written

Using any of these flags carries the risk that the rest of SIP is effectively disabled as well, since each of them allows SIP to be fully bypassed in some way.

Configuration

On Intel Macs, SIP configuration is stored in an NVRAM variable named csr-active-config and used by all installations of macOS, while on Apple Silicon Macs, it is stored in the device tree under lp-sip0 for the specific installation that recoveryOS is tied to.[1] It is a bitmask of the following fields:[2]

#define CSR_ALLOW_UNTRUSTED_KEXTS               (1 << 0)
#define CSR_ALLOW_UNRESTRICTED_FS               (1 << 1)
#define CSR_ALLOW_TASK_FOR_PID                  (1 << 2)
#define CSR_ALLOW_KERNEL_DEBUGGER               (1 << 3)
#define CSR_ALLOW_APPLE_INTERNAL                (1 << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE           (1 << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM            (1 << 6)
#define CSR_ALLOW_DEVICE_CONFIGURATION          (1 << 7)
#define CSR_ALLOW_ANY_RECOVERY_OS               (1 << 8)
#define CSR_ALLOW_UNAPPROVED_KEXTS              (1 << 9)
#define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE    (1 << 10)
#define CSR_ALLOW_UNAUTHENTICATED_ROOT          (1 << 11)
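As an added example (not code from the wiki page or from Apple), a small C decoder that takes a csr-active-config value, either as a plain integer or in the percent-encoded little-endian byte form that `nvram` prints (assumed format; the sample value is constructed), and lists which CSR_ALLOW_* protections that value relaxes:

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Bit assignments from the CSR_ALLOW_* defines above: name i corresponds to (1 << i). */
static const char *const csr_flag_names[] = {
    "CSR_ALLOW_UNTRUSTED_KEXTS", "CSR_ALLOW_UNRESTRICTED_FS",
    "CSR_ALLOW_TASK_FOR_PID", "CSR_ALLOW_KERNEL_DEBUGGER",
    "CSR_ALLOW_APPLE_INTERNAL", "CSR_ALLOW_UNRESTRICTED_DTRACE",
    "CSR_ALLOW_UNRESTRICTED_NVRAM", "CSR_ALLOW_DEVICE_CONFIGURATION",
    "CSR_ALLOW_ANY_RECOVERY_OS", "CSR_ALLOW_UNAPPROVED_KEXTS",
    "CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE", "CSR_ALLOW_UNAUTHENTICATED_ROOT",
};
#define CSR_FLAG_COUNT (sizeof csr_flag_names / sizeof csr_flag_names[0])

/* Parse a percent-encoded little-endian value such as "%77%00%00%00"
 * (assumed to be the format `nvram csr-active-config` prints).
 * Returns 1 and stores the value on success, 0 on malformed input. */
static int csr_parse_nvram_value(const char *s, uint32_t *out) {
    uint32_t v = 0;
    int shift = 0;
    while (*s) {
        if (*s != '%' || shift > 24) return 0;          /* bad token or > 4 bytes */
        if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2])) return 0;
        char hex[3] = { s[1], s[2], 0 };
        v |= (uint32_t)strtoul(hex, NULL, 16) << shift;  /* first byte is least significant */
        shift += 8;
        s += 3;
    }
    *out = v;
    return shift > 0;
}

/* Print every protection the configuration relaxes and return how many known
 * flags are set. 0 means SIP is fully enabled; bits outside the known set are
 * reported separately so a reviewer notices values from a newer csr.h. */
static int csr_describe(uint32_t config) {
    uint32_t known = (1u << CSR_FLAG_COUNT) - 1;
    int relaxed = 0;
    if (config == 0) { puts("SIP fully enabled"); return 0; }
    for (unsigned i = 0; i < CSR_FLAG_COUNT; i++)
        if (config & (1u << i)) { printf("relaxed: %s\n", csr_flag_names[i]); relaxed++; }
    if (config & ~known) printf("unknown bits set: 0x%x\n", config & ~known);
    return relaxed;
}

int main(void) {
    uint32_t cfg;
    /* Constructed sample value, not read from a real machine. */
    if (csr_parse_nvram_value("%77%00%00%00", &cfg)) csr_describe(cfg);
    return 0;
}
```

On a real Mac the running kernel's configuration is queried through csr_get_active_config() and csr_check() from <sys/csr.h>; this offline decoder only interprets a value you already have.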

References