Enabling parts of System Integrity Protection while disabling specific parts?

Question

TungstenT OP

Created Sep ’15

Replies 6

Boosts 0

Views 36k

Participants 5

Is there a way to disable certain parts of SIP while enabling parts of it? If so, then how do I do this?

I'd like to enable most of SIP (such as filesystem protections), but disable debugging restrictions so that I can attach a debugger to System Preferences to debug a preference pane, something that is normally not allowed. I'm aware of csrutil, but there's no manual for the tool, and the online help doesn't say whether it can do this or not.

Answered by Max108 in 52814022

Yes, you can indeed disable parts of SIP while leaving others enabled.

If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:

csrutil enable --no-internal
csrutil enable --without kext
csrutil enable --without fs
csrutil enable --without debug
csrutil enable --without dtrace
csrutil enable --without nvram

You can disable two or more components by structuring the command as follows:

csrutil enable --without kext --without debug

-Max

Boost

Answer 1

Max108 OP

Sep ’15

Accepted Answer

Yes, you can indeed disable parts of SIP while leaving others enabled.

If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:

csrutil enable --no-internal
csrutil enable --without kext
csrutil enable --without fs
csrutil enable --without debug
csrutil enable --without dtrace
csrutil enable --without nvram

You can disable two or more components by structuring the command as follows:

csrutil enable --without kext --without debug

-Max

1

Answer 2

TungstenT OP

Sep ’15

That appeared to work, though I had to remove the \ in order to string exceptions. Thanks.

How did you come across this? This doesn't seem to be documented anywhere.

0

Answer 3

Max108 OP

Sep ’15

Edited accordingly.

It isn't documented yet. Hackintosh enthusiasts took the binary apart weeks ago and were able to constuct a man page of sorts.

0

Answer 4

@udegbunamchuks OP

Sep ’15

Pls what does the without debug option do?

0

Answer 5

ILikeTau OP

Jul ’20

Lets you debug other binaries on the system.

0

Answer 6

jprokos OP

Aug ’23

This is an old thread but a good repository for updating this list for modern OS

I am missing some pieces and would like to fill in the blanks... especially for Boot-args.

I have tried --without bootargs --without bootarg --without boot --without ba --without boot-args --no-bootargs --no-bootarg --no-boot-arg

Apple Internal:  (--no-internal)
Kext Signing:  (--without kext)
Filesystem Protections: (--without fs)
Debugging Restrictions:  (--without debug)
DTrace Restrictions:  (--without dtrace)
NVRAM Protections: (--without nvram)
BaseSystem Verification: (--without basesystem) ?
Boot-arg Restrictions:
Kernel Integrity Protections:
Authenticated Root Requirement:

running strings /usr/bin/csrutil returns some intriguing stuff but I haven't been lucky

some strings from csrutil

isARVSealingRequired
isAppleInternalPolicyAllowed
isBootArgFilteringEnabled
isCTRREnforcementRequired
isDTraceRestricted
isDebuggingRestricted
isFileVaultEnabled
isFilesystemAccessRestricted
isKernelDebuggingRestricted
isKextSigningRequired
isNVRAMAccessRestricted
isRecoveryVerificationRequired
isThirdPartyKextLoadingEnabled

...
setARVSealingRequired:
setAppleInternalPolicyAllowed:
setArguments:
setBootArgFilteringEnabled:
setCTRREnforcementRequired:
setCredential:type:error:
setDTraceRestricted:
setDebuggingRestricted:
setExecutableURL:
setFilesystemAccessRestricted:
setFirmwareSecurityLevel:
setKernelDebuggingRestricted:
setKextSigningRequired:
setLocalAuthenticationContext:
setNVRAMAccessRestricted:
setObject:forKeyedSubscript:
setRecoveryVerificationRequired:
setStandardOutput:
setThirdPartyKextLoadingEnabled:

0