Monday, September 14, 2015

System Integrity Protection Documentation and Bugs

System Integrity Protection Guide (PDF):

This document covers the key concepts of System Integrity Protection and explains the implications it has on the design and capabilities of apps.

Via Rich Trouton (tweet), who has filed two bugs:

SIP’s protection of /System affects XProtect’s XProtect.plist and XProtect.meta.plist configuration files as they are stored in the following location inside /System:


As the XProtect configuration files will be locked against editing on OS X El Capitan, this means that they can no longer be managed to allow older versions of the Flash and Java browser plug-ins to run.

Pike has posted the man page for the new csrutil configuration tool. The “status” command lets you programmatically detect whether System Integrity Protection is enabled.


Note: To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the bless(8) command.

Previously: System Integrity Protection (a.k.a. Rootless).

Update (2015-09-22): Rich Trouton:

This allows SIP’s configuration to persist across OS installs, but this design choice also means that resetting NVRAM will cause SIP to reset as well. In my testing, this reset will result in the following SIP configuration:

Update (2015-10-07): Gus Mueller:

“Message from debugger: cannot attach to process due to System Integrity Protection”. So much for debugging Automator actions in 10.11.

Update (2015-10-08): Rich Trouton:

To see which files have been protected by SIP, use the ls command with the capital O flag in Terminal[…]


SIP’s protections are not limited to protecting the system from filesystem changes. There are also system calls which are now restricted in their functionality.

  • task_for_pid() / processor_set_tasks() fail with EPERM
  • Mach special ports are reset on exec(2)
  • dyld environment variables are ignored
  • DTrace probes unavailable


It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the csrutil enable command. All require being booted from Recovery in order to set them[…]

1 Comment RSS · Twitter

I'm pretty sure that editing the XProtect.plist is a terrible way to allow Flash or Java. Do it this way:

Leave a Comment