System Integrity Protection


← Previous revision Revision as of 12:24, 19 April 2026
Line 16: Line 16:


==Justification==
==Justification==
Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the [[WWDC]] developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted [[root access]] as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or [[Vulnerability (computing)|vulnerability]] away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password{{dash}}which Martel says is often weak or non-existent{{dash}}the security of the entire system is potentially compromised. Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to [[Mac OS X Leopard]] enforce {{Nowrap|level 1}} of [[securelevel]], a security feature that originates in [[Berkeley Software Distribution|BSD]] and its derivatives upon which macOS is partially based.{{Cite book|title = Practical UNIX and Internet Security|url = https://archive.org/details/practical_unix_and_internet_security-0596003234|last = Garfinkel|first = Simon|publisher = [[O'Reilly Media]]|date = 2003|isbn = 9780596003234|pages = [https://archive.org/details/practical_unix_and_internet_security-0596003234/page/118 118]–9|last2 = Spafford|first2 = Gene|last3 = Schwartz|first3 = Alan|author-link2 = Gene Spafford}}
Apple says that SIP is a necessary step to ensure a high level of security. In one of the [[WWDC]] developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted [[root access]] as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or [[Vulnerability (computing)|vulnerability]] away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password{{dash}}which Martel says is often weak or non-existent{{dash}}the security of the entire system is potentially compromised. Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to [[Mac OS X Leopard]] enforce {{Nowrap|level 1}} of [[securelevel]], a security feature that originates in [[Berkeley Software Distribution|BSD]] and its derivatives upon which macOS is partially based.{{Cite book|title = Practical UNIX and Internet Security|url = https://archive.org/details/practical_unix_and_internet_security-0596003234|last = Garfinkel|first = Simon|publisher = [[O'Reilly Media]]|date = 2003|isbn = 9780596003234|pages = [https://archive.org/details/practical_unix_and_internet_security-0596003234/page/118 118]–9|last2 = Spafford|first2 = Gene|last3 = Schwartz|first3 = Alan|author-link2 = Gene Spafford}}


== Functions ==
== Functions ==
[[File:MacOS prohibitory symbol.svg|alt=Prohibited sign (a circle with a single line crossing through it) that is shown during the boot process when the system is not allowed to proceed.|thumb|The "[[No symbol|prohibitory symbol]]"{{Cite web|url=https://support.apple.com/HT204156|title=About the screens you see when your Mac starts up|date=August 13, 2015|website=Apple Support|archive-url=https://web.archive.org/web/20160421225308/https://support.apple.com/en-us/HT204156|archive-date=April 21, 2016|url-status=live|access-date=September 30, 2016}} is shown when macOS is not allowed to complete the [[Booting|boot process]]. This can happen when "kext signing" is enabled and the user installed an unsigned [[Loadable kernel module|kernel extension]].]]
[[File:MacOS prohibitory symbol.svg|alt=Prohibited sign (a circle with a single line crossing through it) that is shown during the boot process when the system is not allowed to proceed.|thumb|The "[[No symbol|prohibitory symbol]]"{{Cite web|url=https://support.apple.com/HT204156|title=About the screens you see when your Mac starts up|date=August 13, 2015|website=Apple Support|archive-url=https://web.archive.org/web/20160421225308/https://support.apple.com/en-us/HT204156|archive-date=April 21, 2016|url-status=live|access-date=September 30, 2016}} is shown when macOS is not allowed to complete the [[Booting|boot process]]. This can happen when "kext signing" is enabled and the user installed an unsigned [[Loadable kernel module|kernel extension]].]]
System Integrity Protection comprises the following mechanisms:
SIP comprises the following mechanisms:
* Protection of contents and [[File system permissions|file-system permissions]] of system files and directories;
* Protection of contents and [[File system permissions|file-system permissions]] of system files and directories;
* Protection of processes against [[code injection]], runtime attachment (like [[debugging]]) and [[DTrace]];
* Protection of processes against [[code injection]], runtime attachment (like [[debugging]]) and [[DTrace]];
* Protection against unsigned [[Loadable kernel module|kernel extensions]] ("kexts").
* Protection against unsigned [[Loadable kernel module|kernel extensions]] ("kexts").
System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an [[Extended file attributes|extended file attribute]] to a file or directory, by adding the file or directory to {{code|/System/Library/Sandbox/rootless.conf}} or both. Among the protected directories are: [[System folder|{{code|/System}}]], {{code|/bin}}, {{code|/sbin}}, {{code|/usr}} (but not {{code|/usr/local}}).{{Cite web|url=https://support.apple.com/HT204899|title=About System Integrity Protection on your Mac|date=May 30, 2016|website=Apple Support|archive-url=https://web.archive.org/web/20160320071718/https://support.apple.com/en-us/HT204899|archive-date=March 20, 2016|url-status=live|access-date=September 30, 2016}} The symbolic links from {{code|/etc}}, {{code|/tmp}} and {{code|/var}} to {{code|/private/etc}}, {{code|/private/tmp}} and {{code|/private/var}} are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in {{code|/Applications}} are protected as well. The [[Kernel (operating system)|kernel]], [[XNU]], prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected [[Executable|executables]].{{cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|title=What's New In OS X - OS X El Capitan v10.11|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160304111549/https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|archive-date=March 4, 2016|url-status=live|access-date=September 30, 2016|quote=Code injection and runtime attachments to system binaries are no longer permitted.}}
SIP protects system files and directories that are flagged for protection. This happens either by adding an [[Extended file attributes|extended file attribute]] to a file or directory, by adding the file or directory to {{code|/System/Library/Sandbox/rootless.conf}} or both. Among the protected directories are: [[System folder|{{code|/System}}]], {{code|/bin}}, {{code|/sbin}}, {{code|/usr}} (but not {{code|/usr/local}}).{{Cite web|url=https://support.apple.com/HT204899|title=About System Integrity Protection on your Mac|date=May 30, 2016|website=Apple Support|archive-url=https://web.archive.org/web/20160320071718/https://support.apple.com/en-us/HT204899|archive-date=March 20, 2016|url-status=live|access-date=September 30, 2016}} The symbolic links from {{code|/etc}}, {{code|/tmp}} and {{code|/var}} to {{code|/private/etc}}, {{code|/private/tmp}} and {{code|/private/var}} are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in {{code|/Applications}} are protected as well. The [[Kernel (operating system)|kernel]], [[XNU]], prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected [[Executable|executables]].{{cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|title=What's New In OS X - OS X El Capitan v10.11|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160304111549/https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|archive-date=March 4, 2016|url-status=live|access-date=September 30, 2016|quote=Code injection and runtime attachments to system binaries are no longer permitted.}}


Since [[OS X Yosemite]], kernel extensions, such as [[Device driver|drivers]], have to be [[Code signing|code-signed]] with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|title=Kernel Extensions|date=September 16, 2015|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|archive-date=August 17, 2016|url-status=live|access-date=September 29, 2016}} The kernel refuses to [[Booting|boot]] if unsigned extensions are present, showing the user a [[No symbol|prohibition sign]] instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.{{Cite web|url = https://www.cindori.org/trim-enabler-and-yosemite/|title = Trim in Yosemite|access-date = June 18, 2015|website = Cindori}}
Since [[OS X Yosemite]], kernel extensions, such as [[Device driver|drivers]], have to be [[Code signing|code-signed]] with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|title=Kernel Extensions|date=September 16, 2015|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|archive-date=August 17, 2016|url-status=live|access-date=September 29, 2016}} The kernel refuses to [[Booting|boot]] if unsigned extensions are present, showing the user a [[No symbol|prohibition sign]] instead. This mechanism, called "kext signing", was integrated into SIP.{{Cite web|url = https://www.cindori.org/trim-enabler-and-yosemite/|title = Trim in Yosemite|access-date = June 18, 2015|website = Cindori}}


System Integrity Protection will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize {{mono|LD_LIBRARY_PATH}} and {{mono|DYLD_LIBRARY_PATH}} before calling a system program like {{mono|/bin/bash}} to avoid code injections into the Bash process.{{cite mailing list |url=https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html | title=Nettle 3.5.1 and OS X 10.12 patch |date=March 28, 2020 |access-date=13 July 2020 |mailing-list=nettle-bugs |last=Walton |first=Jeffrey |archive-url=https://web.archive.org/web/20200714071608/https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html |archive-date=July 14, 2020 |url-status=dead}}
SIP will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize {{mono|LD_LIBRARY_PATH}} and {{mono|DYLD_LIBRARY_PATH}} before calling a system program like {{mono|/bin/bash}} to avoid code injections into the Bash process.{{cite mailing list |url=https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html | title=Nettle 3.5.1 and OS X 10.12 patch |date=March 28, 2020 |access-date=13 July 2020 |mailing-list=nettle-bugs |last=Walton |first=Jeffrey |archive-url=https://web.archive.org/web/20200714071608/https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html |archive-date=July 14, 2020 |url-status=dead}}


== Configuration ==
== Configuration ==
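Review bot: the abbreviation swap leaves a redundancy in the last changed paragraph of the Functions section: "SIP will also sanitize certain environmental variables when calling system programs when SIP is in effect" now names SIP twice in one sentence, and "environmental variables" should be "environment variables". Suggested wording: "SIP also sanitizes certain environment variables when system programs are invoked." The same paragraph's example ("SIP will sanitize {{mono|LD_LIBRARY_PATH}} and {{mono|DYLD_LIBRARY_PATH}} before calling a system program like {{mono|/bin/bash}}") can keep "SIP" as its subject, since it is a separate sentence. Since the Justification paragraph now opens with "Apple says that SIP is a necessary step" and the Functions list opens with "SIP comprises the following mechanisms", the article lead must spell out "System Integrity Protection (SIP)" once so that the abbreviation is defined before these sections rely on it; that definition is outside this hunk and should be checked.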
Line 41: Line 41:
/usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.
/usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.


System Integrity Protection can only be disabled (either wholly or partly) from outside of the [[System partition and boot partition|system partition]]. To that end, Apple provides the {{code|csrutil}} [[Console application|command-line utility]] which can be executed from a [[Terminal (macOS)|Terminal]] window within the [[recovery system]] or a bootable macOS installation disk, which adds a boot argument to the device's [[Non-volatile random-access memory|NVRAM]]. This applies the setting to all of the installations of El Capitan or newer on the device. Upon installation of macOS, the installer moves any unknown components within flagged system directories to {{code|/Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/}}. By preventing [[write access]] to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, [[Repair permissions|permissions repair]] is not available in [[Disk Utility]]{{Cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|title=OS X El Capitan Developer Beta 2 Release Notes|date=June 22, 2015|website=Mac Developer Library|publisher=Apple|at=At section Notes and Known Issues.|archive-url=https://web.archive.org/web/20150626162444/https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|archive-date=June 26, 2015|url-status=live|access-date=June 29, 2015}} and the corresponding {{code|diskutil}} operation.
SIP can only be disabled (either wholly or partly) from outside of the [[System partition and boot partition|system partition]]. To that end, Apple provides the {{code|csrutil}} [[Console application|command-line utility]] which can be executed from a [[Terminal (macOS)|Terminal]] window within the [[recovery system]] or a bootable macOS installation disk, which adds a boot argument to the device's [[Non-volatile random-access memory|NVRAM]]. This applies the setting to all of the installations of El Capitan or newer on the device. Upon installation of macOS, the installer moves any unknown components within flagged system directories to {{code|/Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/}}. By preventing [[write access]] to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, [[Repair permissions|permissions repair]] is not available in [[Disk Utility]]{{Cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|title=OS X El Capitan Developer Beta 2 Release Notes|date=June 22, 2015|website=Mac Developer Library|publisher=Apple|at=At section Notes and Known Issues.|archive-url=https://web.archive.org/web/20150626162444/https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|archive-date=June 26, 2015|url-status=live|access-date=June 29, 2015}} and the corresponding {{code|diskutil}} operation.


== Reception ==
== Reception ==
Reception of System Integrity Protection has been mixed. ''[[Macworld]]'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's [[mobile operating system]] [[iOS]], whereupon the installation of many utilities and modifications requires [[iOS jailbreaking|jailbreaking]].{{Cite web|url = http://www.macworld.com/article/2948140/os-x/private-i-el-capitans-system-integrity-protection-will-shift-utilities-functions.html|title = Private I: El Capitan's System Integrity Protection will shift utilities' functions|date = July 15, 2015|access-date = July 22, 2015|website = [[Macworld]]|last = Fleishman|first = Glenn}} Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''[[Ars Technica]]'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including [[power user]]s, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.
Reception of SIP has been mixed. ''[[Macworld]]'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's [[mobile operating system]] [[iOS]], whereupon the installation of many utilities and modifications requires [[iOS jailbreaking|jailbreaking]].{{Cite web|url = http://www.macworld.com/article/2948140/os-x/private-i-el-capitans-system-integrity-protection-will-shift-utilities-functions.html|title = Private I: El Capitan's System Integrity Protection will shift utilities' functions|date = July 15, 2015|access-date = July 22, 2015|website = [[Macworld]]|last = Fleishman|first = Glenn}} Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''[[Ars Technica]]'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including [[power user]]s, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.


== See also ==
== See also ==
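Review bot: the unchanged context line at the top of this hunk ("/usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS ...") is inconsistent with the rest of the article, which wraps paths in {{code|...}} and reads "with the exception of the /usr/local subdirectory"; since this edit already touches the Configuration section, it would be a good moment to change it to "{{code|/usr}} is protected with the exception of the {{code|/usr/local}} subdirectory. {{code|/Applications}} is protected ...". In the changed paragraph, "SIP can only be disabled ... from outside of the system partition. To that end, Apple provides the {{code|csrutil}} command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, which adds a boot argument to the device's NVRAM" chains two "which" clauses so that it is unclear whether the utility or the disk adds the NVRAM boot argument; suggested: "... or a bootable macOS installation disk; the utility records the setting as a boot argument in the device's NVRAM."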