MacOS System Integrity Protection Configuration

macosrootSecuritysip

I was looking to lock down the configuration on some macs, and wanted to know if there is any way to change the files and folders that SIP protects. I know it can be disabled, and its current rules viewed, but is there any way to add your own protected directories?

Thanks

Best Answer

It is possible to add your own protected directory to SIP:

Boot to Recovery Mode and disable SIP
Reboot and create a directory structure.

Flag the whole folder or single files or folders:

sudo chflags restricted /example
sudo chflags restricted /example/example.app
sudo chflags restricted /example/subdir/file

or a folder hierarchy:

sudo chflags -R restricted /example

If you want to exclude a subdir after using the -R option you have to remove the restricted flag there:

sudo chflags norestricted /example/subdir

Boot to Recovery Mode and enable SIP

Now the folders example, example.app and the file /example/subdir/file are protected. You still can add or remove files to/from /example/subdir.

The restricted flag has no effect if SIP is disabled - the usual POSIX/ACLs permissions apply. With SIP enabled the files/folders are protected.

It is also possible to add, remove or change SIP-protected files and directories via an installer package which is signed by Apple’s own certificate authority. Since a normal user /customer usually doesn't have access to this certificate authority, this possibility is eliminated.

An earlier version of this answer asserted that it is required to modify the file /System/Library/Sandbox/rootless.conf and add something like:

                                /example
                                /example/example.app
*                               /example/subdir
                                /example/subdir/file

This is wrong! Simply flagging a file or folder as restricted is sufficient to protect it.

Related Solutions

MacOS – How to disable System Integrity Protection (SIP) AKA “rootless” on macOs [OS X]

Apple's documentation covers disabling SIP, About System Integrity Protection on your Mac and Configuring System Integrity Protection.

An article on lifehacker.com lists these steps:

Reboot your Mac into Recovery Mode by restarting your computer and holding down Command+R until the Apple logo appears on your screen.

Click Utilities > Terminal.

In the Terminal window, type in csrutil disable and press Enter.

Restart your Mac.

You can verify whether a file or folder is restricted by issuing this ls command using the capital O (and not zero 0) to modify the long listing flag:

ls -lO /System /usr

Look for the restricted text to indicate where SIP is enforced.

By default (=SIP enabled), the following folders are restricted (see Apple Support page):

/System
/usr
/bin
/sbin
Apps that are pre-installed with OS X

... and the following folders are free:

/Applications
/Library
/usr/local

MacOS – Permanently Disabling System Integrity Protection

There should be no extra step required - in fact, reading through the excellent article linked from that question, I found this…

Because SIP’s configuration is stored in NVRAM, SIP’s protection settings will apply to the entire machine and will persist even if the OS is reinstalled.

This would perhaps imply your NVRAM is not correctly holding data -
perhaps try a reset, Cmd ⌘ Opt ⌥ P R at the chimes & keep holding until you hear the chimes a second time.

Source : System Integrity Protection – Adding another layer to Apple’s security model

If after resetting NVRAM one time, you can’t make SIP status stick the next steps are to repair and wipe your drive and then seek hardware service is a freshly erased and reinstalled OS won’t allow you to disable SIP.

Best Answer

Related Solutions

MacOS – How to disable System Integrity Protection (SIP) AKA “rootless” on macOs [OS X]

MacOS – Permanently Disabling System Integrity Protection

Related Question