Enabling parts of System Integrity Protection while disabling specific parts?

Is there a way to disable certain parts of SIP while enabling parts of it? If so, then how do I do this?


I'd like to enable most of SIP (such as filesystem protections), but disable debugging restrictions so that I can attach a debugger to System Preferences to debug a preference pane, something that is normally not allowed. I'm aware of csrutil, but there's no manual for the tool, and the online help doesn't say whether it can do this or not.

Answered by Max108 in 52814022

Yes, you can indeed disable parts of SIP while leaving others enabled.


If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:


  • csrutil enable --no-internal
  • csrutil enable --without kext
  • csrutil enable --without fs
  • csrutil enable --without debug
  • csrutil enable --without dtrace
  • csrutil enable --without nvram


You can disable two or more components by structuring the command as follows:

csrutil enable --without kext --without debug


-Max

Accepted Answer

Yes, you can indeed disable parts of SIP while leaving others enabled.


If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:


  • csrutil enable --no-internal
  • csrutil enable --without kext
  • csrutil enable --without fs
  • csrutil enable --without debug
  • csrutil enable --without dtrace
  • csrutil enable --without nvram


You can disable two or more components by structuring the command as follows:

csrutil enable --without kext --without debug


-Max

That appeared to work, though I had to remove the \ in order to string exceptions. Thanks.


How did you come across this? This doesn't seem to be documented anywhere.

Edited accordingly.


It isn't documented yet. Hackintosh enthusiasts took the binary apart weeks ago and were able to constuct a man page of sorts.

Pls what does the without debug option do?

Lets you debug other binaries on the system.

This is an old thread but a good repository for updating this list for modern OS

I am missing some pieces and would like to fill in the blanks... especially for Boot-args.

I have tried --without bootargs --without bootarg --without boot --without ba --without boot-args --no-bootargs --no-bootarg --no-boot-arg

Apple Internal:  (--no-internal)
Kext Signing:  (--without kext)
Filesystem Protections: (--without fs)
Debugging Restrictions:  (--without debug)
DTrace Restrictions:  (--without dtrace)
NVRAM Protections: (--without nvram)
BaseSystem Verification: (--without basesystem) ?
Boot-arg Restrictions:
Kernel Integrity Protections:
Authenticated Root Requirement: 

running strings /usr/bin/csrutil returns some intriguing stuff but I haven't been lucky

some strings from csrutil

isARVSealingRequired
isAppleInternalPolicyAllowed
isBootArgFilteringEnabled
isCTRREnforcementRequired
isDTraceRestricted
isDebuggingRestricted
isFileVaultEnabled
isFilesystemAccessRestricted
isKernelDebuggingRestricted
isKextSigningRequired
isNVRAMAccessRestricted
isRecoveryVerificationRequired
isThirdPartyKextLoadingEnabled

...
setARVSealingRequired:
setAppleInternalPolicyAllowed:
setArguments:
setBootArgFilteringEnabled:
setCTRREnforcementRequired:
setCredential:type:error:
setDTraceRestricted:
setDebuggingRestricted:
setExecutableURL:
setFilesystemAccessRestricted:
setFirmwareSecurityLevel:
setKernelDebuggingRestricted:
setKextSigningRequired:
setLocalAuthenticationContext:
setNVRAMAccessRestricted:
setObject:forKeyedSubscript:
setRecoveryVerificationRequired:
setStandardOutput:
setThirdPartyKextLoadingEnabled:
Enabling parts of System Integrity Protection while disabling specific parts?
 
 
Q