Developer(s) | Apple Inc. |
---|---|
Operating system | macOS |
Website | developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html |
/System/Library/Sandbox/rootless.conf
or both. Among the protected directories are: /System
, /bin
, /sbin
, /usr
(but not /usr/local
).[8] The symbolic links from /etc
, /tmp
and /var
to /private/etc
, /private/tmp
and /private/var
are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in /Applications
are protected as well.[1] The kernel stops all processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected executables.[9]csrutil
command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, which adds a boot argument to the device's NVRAM. This applies the setting to all of the installations of El Capitan or macOS Sierra on the device.[4] Upon installation of macOS, the installer moves any unknown components within flagged system directories to /Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/
.[1][4] By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in Disk Utility[12] and the corresponding diskutil
operation.Code injection and runtime attachments to system binaries are no longer permitted.