1 Reply
Latest reply on Sep 8, 2015 3:33 AM by Max108
Charu Level 1 (0 points)

Hi Everyone,

I wanted to know if the following file can be considered the "source of truth" for 'rootless' folders in Mac OS X 10.11 (El Capitan). In case Apple adds some new folders as 'rootless' or removes an existing rootless folder, would this file get updated, or is it basically for documentation purposes?

/System/Library/Sandbox/rootless.conf

Regards,

~Charu

• Re: rootless.conf file on el capitan
  Max108 Level 8 (5,800 points)

  Hi Charu,

  This question was answered in the WWDC Security Lab Session. The notes for that session that are relevant to your question are as follows:

  Question: How is the management config for System Integrity Protection updated?

  Answer:

  Updates to /System/Library/Sandbox/rootless.conf will likely be coming through Software Update.

  Question:

  Which directories and files is System Integrity Protection protecting? Is there a way to get a listing from the command line?

  Answer:

  /System/Library/Sandbox/rootless.conf is the SIP conf file, but changes to this conf file are not immediately picked up by SIP. /System/Library/Sandbox/rootless.conf itself is protected by SIP.

  ls's -O flag (capital O) should show restricted files.

  ls -laO lists files and shows restrictions.

  Question:

  Is it possible to add custom inclusions and exclusions to System Integrity Protection?

  Answer:

  /System/Library/Sandbox/rootless.conf is Apple's; it should not be altered by third parties.

  Asterisk-marked ( * ) listings in /System/Library/Sandbox/rootless.conf will indicate exclusions to the protection.

  To expand on the given answer to your first question, changes to the rootless.conf file will only be picked up during the boot process, so you will need to restart for them to take effect.

  Max.
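The answer above describes rootless.conf as a tab-separated list of paths in which a leading `*` marks an exclusion from SIP. As an added example (not part of Max108's reply and not Apple's code), the script below reads a config in that layout and reports which paths are protected, which are excluded, and, for an arbitrary path, whether it falls under the protection. The sample config is constructed for the example rather than copied from a real system, and the "longest matching entry wins" rule in `rootless_status` is an assumption about how a `*` entry under a protected directory should be read; the file itself is only a config, so the authoritative runtime check remains `ls -laO` on macOS (the `restricted` flag), which this script does not replace and which is not available on other platforms.

```shell
#!/bin/sh
# Constructed sample in the layout of rootless.conf (not copied from a real
# system): fields are tab-separated, an optional first column names the owning
# bundle, a leading '*' marks an exclusion, and the last column is the path.
TAB=$(printf '\t')
SAMPLE_ROOTLESS_CONF="# constructed sample, not the real file
*${TAB}${TAB}/Applications/.DS_Store
${TAB}${TAB}/Applications/Safari.app
com.apple.TextEdit${TAB}${TAB}/Applications/TextEdit.app
${TAB}${TAB}/System
*${TAB}${TAB}/System/Library/Caches
${TAB}${TAB}/usr
*${TAB}${TAB}/usr/local"

# Normalise a config into "<protected|excluded><TAB><path>" lines, dropping
# comments and blank lines. The path is always the last tab-separated field.
rootless_entries() {
    printf '%s\n' "$1" | awk '
        BEGIN { FS = "\t" }
        /^#/ || /^[ \t]*$/ { next }
        { print (($1 ~ /^\*/) ? "excluded" : "protected") "\t" $NF }'
}

# Paths the config places under protection (no leading '*').
rootless_protected() {
    rootless_entries "$1" | awk 'BEGIN { FS = "\t" } $1 == "protected" { print $2 }'
}

# Paths the config carves out of the protection (leading '*').
rootless_excluded() {
    rootless_entries "$1" | awk 'BEGIN { FS = "\t" } $1 == "excluded" { print $2 }'
}

# Classify a single path: the longest entry that equals the path or is one of
# its ancestors decides (assumption made for this example), so an excluded
# subdirectory overrides its protected parent. Prints protected, excluded or
# unprotected.
rootless_status() {
    rootless_entries "$1" | awk -v target="$2" '
        BEGIN { FS = "\t"; best = 0; verdict = "unprotected" }
        {
            kind = $1; entry = $2
            if (target == entry || index(target, entry "/") == 1) {
                if (length(entry) > best) { best = length(entry); verdict = kind }
            }
        }
        END { print verdict }'
}

# Stand-alone demonstration against the constructed sample.
echo "Protected roots:"
rootless_protected "$SAMPLE_ROOTLESS_CONF"
echo "Exclusions:"
rootless_excluded "$SAMPLE_ROOTLESS_CONF"
for p in /System/Library/Frameworks /System/Library/Caches/foo /usr/local/bin /Users/alice; do
    printf '%-32s %s\n' "$p" "$(rootless_status "$SAMPLE_ROOTLESS_CONF" "$p")"
done
```

On a real El Capitan system the same functions can be fed `"$(cat /System/Library/Sandbox/rootless.conf)"`, but as the reply notes, what the file says and what SIP currently enforces only agree after a reboot, so treat the script's verdict as "what the config declares" and `ls -laO` as "what the kernel currently marks restricted".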