Reply to Is there an API to query for SIP Protected Paths?
You can determine if a path is protected by SIP by checking the "com.apple.rootless" extended attribute. However, this can be misleading, as the attribute doesn't exist for subfolders:

    xattr /System/
    com.apple.rootless
    xattr /System/Library/
    <nothing>

Additionally, some protected files and folders cannot be read at all, and there's no way to check for this. For example, /private/var/db/KernelExtensionManagement.
Mar ’24
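As an added illustration of the subfolder caveat described in the reply above (this is not code from the original post), the following Python helper walks from a path up to `/` and treats the path as protected if any ancestor carries `com.apple.rootless`, and reports "unknown" when something on the way could not be inspected. Invoking the macOS `xattr` tool via `subprocess` and the small sample table used for offline runs are assumptions of this example.

```python
import os
import subprocess
from typing import Callable, Dict, List, Optional

ROOTLESS_XATTR = "com.apple.rootless"
# Returns the xattr names on a path, or None when the path cannot be inspected at all.
XattrLister = Callable[[str], Optional[List[str]]]

def list_xattrs_with_cli(path: str) -> Optional[List[str]]:
    """Assumed macOS implementation: run `xattr <path>`; missing binary or error -> None."""
    try:
        proc = subprocess.run(["xattr", path], capture_output=True, text=True, check=False)
    except FileNotFoundError:
        return None
    return None if proc.returncode != 0 else proc.stdout.split()

def sip_status(path: str, list_xattrs: XattrLister = list_xattrs_with_cli) -> str:
    """Return 'protected', 'unprotected' or 'unknown': the path and every ancestor
    up to '/' are checked, and any ancestor carrying com.apple.rootless protects
    the subtree; with none found, an uninspectable ancestor makes it 'unknown'."""
    current = os.path.abspath(path)  # also strips a trailing slash
    unreadable = False
    while True:
        names = list_xattrs(current)
        if names is None:
            unreadable = True
        elif ROOTLESS_XATTR in names:
            return "protected"
        parent = os.path.dirname(current)
        if parent == current:  # reached '/'
            break
        current = parent
    return "unknown" if unreadable else "unprotected"

# Constructed sample table for offline use, mirroring the reply above:
# /System carries the attribute, /System/Library does not, and the
# KernelExtensionManagement directory cannot be inspected at all.
SAMPLE_XATTRS: Dict[str, Optional[List[str]]] = {
    "/System": [ROOTLESS_XATTR],
    "/private/var/db/KernelExtensionManagement": None,
}

def sample_lister(path: str) -> Optional[List[str]]:
    return SAMPLE_XATTRS.get(path, [])  # every other path: readable, no attribute

if __name__ == "__main__":
    for p in ("/System/Library/", "/private/var/db/KernelExtensionManagement", "/Users/Shared"):
        print(p, "->", sip_status(p, sample_lister))
```

On a real Mac, call `sip_status(path)` without the second argument to use the `xattr` tool; a path whose ancestor is unreadable still cannot be classified, which is exactly the gap the reply points out.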
Reply to The launchd launches LaunchDaemons and the system extensions after the LaunchAgents when FileVault is enabled
Thank you for sharing this information. We believe this is a misunderstanding of how PIDs get assigned to new processes: this happens at fork(2) time, not execve(2)/posix_spawn(2) time. The early boot mechanism holds up new images from completing the exec, but the original process (e.g. commonly launchd/loginwindow at startup) has already forked a new process. A lower PID number does not mean that a new image has begun executing.

I created the bug https://feedbackassistant.apple.com/feedback/12001338. When I was preparing the test data for the description, I got the same behavior. The system extension could get the agent process identifier, but the agent logged only after subscription. But I thought that it was incorrect. I still think so. I'm searching for a way to launch Endpoint Security earlier than the LaunchAgents loaded by launchd. I want to block the agent before launchd sets up any resources for it, e.g. sockets or paths to listen on, Mach service names, etc.
Feb ’23