rootless.conf file on El Capitan

Hi Everyone,

I wanted to know if the following file can be considered the "source of truth" for 'rootless' folders in Mac OS X 10.11 (El Capitan). In case Apple adds some new folders as 'rootless' or removes an existing rootless folder, would this file get updated, or is it basically for documentation purposes?

/System/Library/Sandbox/rootless.conf

Regards,

~Charu

Replies

Hi Charu,

This question was answered in the WWDC Security Lab Session. The notes for that session that are relevant to your question are as follows:

Question: How is the management config for System Integrity Protection updated?

Answer:

Updates to /System/Library/Sandbox/rootless.conf will likely be coming through Software Update

Question:

Which directories and files is System Integrity Protection protecting? Is there a way to get a listing from the command line?

Answer:

/System/Library/Sandbox/rootless.conf is the SIP conf file, but changes to this conf file are not immediately picked up by SIP. /System/Library/Sandbox/rootless.conf itself is protected by SIP.

ls's -O flag (capital O) should show restricted files

ls -laO lists files and shows restrictions

Question:

Is it possible to add custom inclusions and exclusions to System Integrity Protection?

Answer:

/System/Library/Sandbox/rootless.conf is Apple's; it should not be altered by third parties.

Asterisk-marked ( * ) listings in /System/Library/Sandbox/rootless.conf will indicate exclusions to the protection.

To expand on the given answer to your first question, changes to the rootless.conf file will only be picked up during the boot process, so you will need to restart for them to take effect.

Max.
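As an added example (not from this thread, and not Apple's code), a small POSIX shell helper that applies the exclusion rule described in the reply to a constructed rootless.conf-style listing, and, on macOS only, compares the result with the restricted flag that ls -lO reports. The line format (an optional leading "*" marking an exclusion, then a path) and the sample entries are assumptions for illustration; the real file's layout may differ.

```shell
#!/bin/sh
# Added example, not part of the forum thread. Evaluates a CONSTRUCTED
# rootless.conf-style listing; assumed format: one path per line, a leading
# "*" marks an exclusion (per the reply above). Not Apple's actual file.
SAMPLE_CONF='/System
/bin
/usr
* /usr/local
* /System/Library/Caches
/Applications/Mail.app'

# sip_status PATH -> prints "protected", "excluded" or "unprotected".
# The longest matching entry wins, so "* /usr/local" overrides "/usr"
# for anything below /usr/local while /usr/bin stays protected.
sip_status() {
    path=$1
    best_len=0
    best_kind=unprotected
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        case $line in
            '#'*) continue ;;
            '*'*) kind=excluded; entry=${line#\*}; entry=${entry# } ;;
            *)    kind=protected; entry=$line ;;
        esac
        # Match the entry itself or a path below it (on a component boundary).
        case $path in
            "$entry"|"$entry"/*)
                len=${#entry}
                if [ "$len" -gt "$best_len" ]; then
                    best_len=$len
                    best_kind=$kind
                fi ;;
        esac
    done <<EOF
$SAMPLE_CONF
EOF
    printf '%s\n' "$best_kind"
}

# On macOS, the kernel's view is what counts: the "restricted" flag shown by
# ls -lO (flags column sits between group and size). Elsewhere: "unavailable".
sip_runtime_flag() {
    [ "$(uname)" = Darwin ] || { echo unavailable; return; }
    ls -ldO "$1" 2>/dev/null | awk '{ print ($5 ~ /restricted/) ? "restricted" : "not-restricted" }'
}

for p in /usr/bin/ls /usr/local/bin/tool /System/Library/Caches/x /Users/me; do
    printf '%-28s conf=%-12s runtime=%s\n' "$p" "$(sip_status "$p")" "$(sip_runtime_flag "$p")"
done
```

Because the conf file is only re-read at boot, a mismatch between the conf column and the runtime column on a live system is expected until the next restart.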