{"id":12282,"date":"2015-09-14T12:03:30","date_gmt":"2015-09-14T16:03:30","guid":{"rendered":"http:\/\/mjtsai.com\/blog\/?p=12282"},"modified":"2016-03-31T10:11:59","modified_gmt":"2016-03-31T14:11:59","slug":"system-integrity-protection-documentation-and-bugs","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2015\/09\/14\/system-integrity-protection-documentation-and-bugs\/","title":{"rendered":"System Integrity Protection Documentation and Bugs"},"content":{"rendered":"<p><a href=\"https:\/\/developer.apple.com\/library\/prerelease\/mac\/documentation\/Security\/Conceptual\/System_Integrity_Protection_Guide\/Introduction\/Introduction.html\">System Integrity Protection Guide<\/a> (<a href=\"https:\/\/developer.apple.com\/library\/prerelease\/mac\/documentation\/Security\/Conceptual\/System_Integrity_Protection_Guide\/System_Integrity_Protection_Guide.pdf\">PDF<\/a>):<\/p>\r\n<blockquote cite=\"https:\/\/developer.apple.com\/library\/prerelease\/mac\/documentation\/Security\/Conceptual\/System_Integrity_Protection_Guide\/Introduction\/Introduction.html\"><p>This document covers the key concepts of System Integrity Protection and explains the implications it has on the design and capabilities of apps.<\/p><\/blockquote>\r\n<p>Via <a href=\"https:\/\/derflounder.wordpress.com\/2015\/09\/14\/system-integrity-protection-and-the-end-of-xprotect-management-for-browser-plug-ins\/\">Rich Trouton<\/a> (<a href=\"https:\/\/twitter.com\/rtrouton\/status\/642027995998371842\">tweet<\/a>), who has filed <a href=\"http:\/\/www.openradar.me\/22645381\">two<\/a> <a href=\"http:\/\/www.openradar.me\/22646088\">bugs<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/derflounder.wordpress.com\/2015\/09\/14\/system-integrity-protection-and-the-end-of-xprotect-management-for-browser-plug-ins\/\"><p>SIP&rsquo;s protection of <tt>\/System<\/tt> affects XProtect&rsquo;s <tt>XProtect.plist<\/tt> and <tt>XProtect.meta.plist<\/tt> configuration files as they are stored in the 
following location inside <tt>\/System<\/tt>:<\/p>\r\n<pre>\/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect.plist\r\n\/System\/Library\/CoreServices\/CoreTypes.bundle\/Contents\/Resources\/XProtect.meta.plist<\/pre>\r\n<p>As the XProtect configuration files will be locked against editing on OS X El Capitan, this means that they can no longer be managed to allow older versions of the <a href=\"https:\/\/derflounder.wordpress.com\/2013\/03\/08\/managing-adobe-flash-browser-plug-in-settings-for-apples-xprotect-malware-protection\/\">Flash<\/a> and <a href=\"https:\/\/derflounder.wordpress.com\/2013\/02\/24\/managing-java-browser-plug-in-settings-for-apples-xprotect-malware-protection\/\">Java<\/a> browser plug-ins to run.<\/p><\/blockquote>\r\n<p><a href=\"https:\/\/pikeralpha.wordpress.com\/2015\/08\/19\/csrutil-updated\/\">Pike<\/a> has posted the man page for the new csrutil configuration tool. The &ldquo;status&rdquo; command lets you programmatically detect whether System Integrity Protection is enabled.<\/p>\r\n<p><a href=\"https:\/\/developer.apple.com\/library\/prerelease\/mac\/documentation\/Security\/Conceptual\/System_Integrity_Protection_Guide\/ConfiguringSystemIntegrityProtection\/ConfiguringSystemIntegrityProtection.html\">Apple<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/developer.apple.com\/library\/prerelease\/mac\/documentation\/Security\/Conceptual\/System_Integrity_Protection_Guide\/ConfiguringSystemIntegrityProtection\/ConfiguringSystemIntegrityProtection.html\"><p>Note: To safeguard against disabling System Integrity Protection by modifying security configuration from another OS, the startup disk can no longer be set programmatically, such as by invoking the bless(8) command.<\/p><\/blockquote>\r\n<p>Previously: <a href=\"http:\/\/mjtsai.com\/blog\/2015\/07\/12\/system-integrity-protection-a-k-a-rootless\/\">System Integrity Protection (a.k.a. 
Rootless)<\/a>.<\/p>\r\n<p>Update (2015-09-22): <a href=\"https:\/\/derflounder.wordpress.com\/2015\/09\/21\/system-integrity-protection-and-resetting-nvram\/\">Rich Trouton<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/derflounder.wordpress.com\/2015\/09\/21\/system-integrity-protection-and-resetting-nvram\/\"><p>This allows SIP&rsquo;s configuration to persist across OS installs, but this design choice also means that <a href=\"https:\/\/support.apple.com\/HT204063\">resetting NVRAM<\/a>&nbsp;will cause SIP to reset as well. In my testing, this reset will result in the following SIP configuration:<\/p><ul>\r\n<li>SIP will be enabled with all protections in place<\/li>\r\n<li><a href=\"https:\/\/derflounder.wordpress.com\/2015\/09\/05\/netbooting-and-system-integrity-protection\/\">No entries will be set in the SIP NetBoot whitelist<\/a><\/li>\r\n<\/ul>\r\n<\/blockquote>\r\n<p>Update (2015-10-07): <a href=\"https:\/\/twitter.com\/ccgus\/status\/651893336844832768\">Gus Mueller<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/twitter.com\/ccgus\/status\/651893336844832768\"><p>&ldquo;Message from debugger: cannot attach to process due to System Integrity Protection&rdquo;.  So much for debugging  Automator actions in 10.11.<\/p><\/blockquote>\r\n<p>Update (2015-10-08): <a href=\"https:\/\/derflounder.wordpress.com\/2015\/10\/01\/system-integrity-protection-adding-another-layer-to-apples-security-model\/\">Rich Trouton<\/a>:<\/p>\r\n<blockquote cite=\"https:\/\/derflounder.wordpress.com\/2015\/10\/01\/system-integrity-protection-adding-another-layer-to-apples-security-model\/\">\r\n<p>To see which files have been protected by SIP, use the <a href=\"https:\/\/developer.apple.com\/library\/mac\/documentation\/Darwin\/Reference\/ManPages\/man1\/ls.1.html\">ls command<\/a>&nbsp;with the capital O flag in Terminal[&#8230;]<\/p>\r\n<p>[&#8230;]<\/p>\r\n<p>SIP&rsquo;s protections are not limited to protecting the system from filesystem changes. 
There are also system calls which are now restricted in their functionality.<\/p>\r\n<ul>\r\n<li>task_for_pid() \/ processor_set_tasks() fail with EPERM<\/li>\r\n<li>Mach special ports are reset on exec(2)<\/li>\r\n<li>dyld environment variables are ignored<\/li>\r\n<li>DTrace probes unavailable<\/li>\r\n<\/ul>\r\n<p>[&#8230;]<\/p>\r\n<p>It is also possible to enable SIP protections and selectively disable aspects of it, by adding one or more flags to the <strong>csrutil enable<\/strong> command. All require being booted from Recovery in order to set them[&#8230;]<\/p>\r\n<\/blockquote>","protected":false},"excerpt":{"rendered":"<p>System Integrity Protection Guide (PDF): This document covers the key concepts of System Integrity Protection and explains the implications it has on the design and capabilities of apps. Via Rich Trouton (tweet), who has filed two bugs: SIP&rsquo;s protection of \/System affects XProtect&rsquo;s XProtect.plist and XProtect.meta.plist configuration files as they are stored in the following 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","categories":[2],"tags":[1130,1040,131,164,84,30,1199,1235,318],"class_list":["post-12282","post","type-post","status-publish","format-standard","hentry","category-technology","tag-adobe-flash","tag-automator","tag-bug","tag-documentation","tag-java","tag-mac","tag-mac-os-x-10-11","tag-system-integrity-protection","tag-terminal"]}