Yes, you can indeed disable parts of SIP while leaving others enabled.
If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:
- csrutil enable --no-internal
- csrutil enable --without kext
- csrutil enable --without fs
- csrutil enable --without debug
- csrutil enable --without dtrace
- csrutil enable --without nvram
You can disable two or more components by structuring the command as follows:
- csrutil enable --without kext --without debug
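An audit check added here as an example (not part of the original answer): it reads `csrutil status` text and lists which protections are switched off, so a partially disabled SIP configuration like the ones above is easy to spot on a machine. The sample output is constructed, its layout and the treatment of the "Apple Internal" line are assumptions, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of `csrutil status` text after
# `csrutil enable --without kext --without debug` (layout is an assumption).
SAMPLE_STATUS='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: disabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
'

# Hypothetical helper: print each disabled protection, one per line (stdin = status text).
sip_disabled_components() {
    awk -F': *' '
        /^[ \t]+[^:]+: *(enabled|disabled)/ {
            name = $1;  sub(/^[ \t]+/, "", name)
            state = $2; sub(/[ \t\r]+$/, "", state)
            # Assumption: "Apple Internal" is a mode flag, off on normal systems, not a protection.
            if (name == "Apple Internal") next
            if (state == "disabled") print name
        }'
}

# Hypothetical helper: print enabled, custom, disabled or unknown for the status line.
sip_overall_state() {
    awk '
        /^System Integrity Protection status:/ {
            if ($0 ~ /Custom Configuration/) s = "custom"
            else if ($0 ~ /status: enabled/)  s = "enabled"
            else if ($0 ~ /status: disabled/) s = "disabled"
        }
        END { print (s == "" ? "unknown" : s) }'
}

# Use live output on macOS; elsewhere fall back to the constructed sample.
if command -v csrutil >/dev/null 2>&1; then status=$(csrutil status 2>/dev/null)
else status=$SAMPLE_STATUS; fi

echo "SIP state: $(printf '%s\n' "$status" | sip_overall_state)"
printf '%s\n' "$status" | sip_disabled_components | sed 's/^/  disabled: /'
```
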
That appeared to work, though I had to remove the \ in order to string exceptions. Thanks.
How did you come across this? This doesn't seem to be documented anywhere.
It isn't documented yet. Hackintosh enthusiasts took the binary apart weeks ago and were able to construct a man page of sorts.
Pls what does the without debug option do?