MacOS – System Integrity Protection — Is it implemented in Darwin? Or is it OS X only

darwinmacos

The question should be clear from the title. If System Integrity Protection, aka Rootless, is part of Darwin, then I might be interested in inspecting how it is implemented. I would be grateful if someone could point me to the relevant files or packages. I think it definitely should be in xnu, by the way, because it has to be in the kernel, but I'm also interested in how other packages interact with it, e.g., file_cmds.

I guess this question can only be answered on Darwin 15.0.0's source code is released on https://opensource.apple.com/ (it's not yet available as of right now).

Best Answer

SIP is exposed to the file handler code as a new "restricted" class flag ACL as if it were stored in the file system metadata, so the code required to prevent all writes would be fairly transparent to implement so that all other packages would just get an enoperm error if my suspicions are correct.

You are correct that we don't have a source dump yet for 10.11 so I reserve the right to be totally wrong about my suspicions.

Background

My environment

Host

Windows 10
VMWare Workstation 12 (patched to run macOS)

Guest

macOS High Sierra 10.13.4

I originally tried adding macosguest.forceRecoveryModeInstall = "TRUE" to my .vmx config. This allowed me to boot into recovery and could disable SIP but then I couldn't get the VM to boot normally, even after removing that line.

The solution to this problem I found was to just delete the .nvram file. Unfortunately, that's where the flag to disable SIP is stored so when my VM came back up SIP was enabled again.

My Solution

From the Terminal, run the following commands (thanks to G5tube for this suggestion)
```
 sudo nvram "recovery-boot-mode=unused"
 sudo reboot recovery
```
The second command will reboot your Mac instantly, so better save any unfinished work first.
Once the Mac has rebooted into the Recovery / Installer system (you may have to choose your language first): From the menu bar, click Utilities > Terminal
Run csrutil disable from the terminal, followed by reboot
Once your VM has rebooted normally you can verify that SIP was disabled by opening a terminal and running csrutil status

To turn SIP back on, follow the same steps as above but run csrutil enable at the recovery terminal instead.

MacOS – Permanently Disabling System Integrity Protection

There should be no extra step required - in fact, reading through the excellent article linked from that question, I found this…

Because SIP’s configuration is stored in NVRAM, SIP’s protection settings will apply to the entire machine and will persist even if the OS is reinstalled.

This would perhaps imply your NVRAM is not correctly holding data -
perhaps try a reset, Cmd ⌘ Opt ⌥ P R at the chimes & keep holding until you hear the chimes a second time.

Source : System Integrity Protection – Adding another layer to Apple’s security model

If after resetting NVRAM one time, you can’t make SIP status stick the next steps are to repair and wipe your drive and then seek hardware service is a freshly erased and reinstalled OS won’t allow you to disable SIP.