johnnyjackhammer Posted August 31, 2023 Share Posted August 31, 2023 I'm asking here, in the hackintosh community, because it seems there is more information available regarding SIP then there is on Apple forums. I am trying to figure out how to disable SIP options individually. Most of them are already documented but a few others are not. I am most interested in turning off Boot-arg restrictions and can't find the `csrutil` argument to do so. On macOS we use this command while in "recovery mode" csrutil enable --without xxx Using the arguments listed below... Apple Internal: (--no-internal) Kext Signing: (--without kext) Filesystem Protections: (--without fs) Debugging Restrictions: (--without debug) DTrace Restrictions: (--without dtrace) NVRAM Protections: (--without nvram) BaseSystem Verification: (--without basesystem) Boot-arg Restrictions: ? Kernel Integrity Protections: ? Authenticated Root Requirement: ? The last three are a mystery. Quote Link to comment https://www.insanelymac.com/forum/topic/357531-information-on-disabling-individual-sip-arguments-on-macos/ Share on other sites More sharing options...
Slice Posted September 1, 2023 Share Posted September 1, 2023 I think not all capabilities can be set by csrutil arguments. In hackintosh we set bit mask in the nvram variable "csr-active-config". It is defined in Apple XNU opensource. /* CSR configuration flags */ #define CSR_ALLOW_UNTRUSTED_KEXTS (1 << 0) #define CSR_ALLOW_UNRESTRICTED_FS (1 << 1) #define CSR_ALLOW_TASK_FOR_PID (1 << 2) #define CSR_ALLOW_KERNEL_DEBUGGER (1 << 3) #define CSR_ALLOW_APPLE_INTERNAL (1 << 4) #define CSR_ALLOW_DESTRUCTIVE_DTRACE (1 << 5) /* name deprecated */ #define CSR_ALLOW_UNRESTRICTED_DTRACE (1 << 5) #define CSR_ALLOW_UNRESTRICTED_NVRAM (1 << 6) #define CSR_ALLOW_DEVICE_CONFIGURATION (1 << 7) #define CSR_ALLOW_ANY_RECOVERY_OS (1 << 8) #define CSR_ALLOW_UNAPPROVED_KEXTS (1 << 9) #define CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE (1 << 10) #define CSR_ALLOW_UNAUTHENTICATED_ROOT (1 << 11) #define CSR_VALID_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \ CSR_ALLOW_UNRESTRICTED_FS | \ CSR_ALLOW_TASK_FOR_PID | \ CSR_ALLOW_KERNEL_DEBUGGER | \ CSR_ALLOW_APPLE_INTERNAL | \ CSR_ALLOW_UNRESTRICTED_DTRACE | \ CSR_ALLOW_UNRESTRICTED_NVRAM | \ CSR_ALLOW_DEVICE_CONFIGURATION | \ CSR_ALLOW_ANY_RECOVERY_OS | \ CSR_ALLOW_UNAPPROVED_KEXTS | \ CSR_ALLOW_EXECUTABLE_POLICY_OVERRIDE | \ CSR_ALLOW_UNAUTHENTICATED_ROOT) #define CSR_ALWAYS_ENFORCED_FLAGS (CSR_ALLOW_DEVICE_CONFIGURATION | CSR_ALLOW_ANY_RECOVERY_OS) /* Flags set by `csrutil disable`. */ #define CSR_DISABLE_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \ CSR_ALLOW_UNRESTRICTED_FS | \ CSR_ALLOW_TASK_FOR_PID | \ CSR_ALLOW_KERNEL_DEBUGGER | \ CSR_ALLOW_APPLE_INTERNAL | \ CSR_ALLOW_UNRESTRICTED_DTRACE | \ CSR_ALLOW_UNRESTRICTED_NVRAM) So, for example, csrutil disable will correspond to 0x7F same as sudo nvram csr-active-config=%7f%00%00%00 But we can't use csrutil as it works only in Recovery mode while after restart the bootloader will set own SIP value. 1 Quote Link to comment https://www.insanelymac.com/forum/topic/357531-information-on-disabling-individual-sip-arguments-on-macos/#findComment-2810709 Share on other sites More sharing options...
startergo Posted Saturday at 11:49 AM Share Posted Saturday at 11:49 AM (edited) In general this table should give you visual overview. csrstat should give you the actual bits in the booted system. Disregard the names as they might be incorrect, but the bits should be correct. Compile with: cc csrstat.c -o csrstat Apple internal bit behaves differently on apple hardware compared to hackintosh. Querying: strings /usr/bin/csrutil Gives us some intuitive results: Tc,N,GisARVSealingRequired Tc,N,GisAppleInternalPolicyAllowed Tc,N,GisDTraceRestricted Tc,N,GisDebuggingRestricted Tc,N,GisFilesystemAccessRestricted Tc,N,GisKernelDebuggingRestricted Tc,N,GisKextSigningRequired Tc,N,GisNVRAMAccessRestricted Tc,N,GisRecoveryVerificationRequired Tc,N,GisResearchGuestAllowed Tc,N,GisThirdPartyKextLoadingEnabled Tc,R,GisFileVaultEnabled,V_fileVaultEnabled Tc,R,GisLocked Edited Saturday at 12:26 PM by startergo Typo correct 3 Quote Link to comment https://www.insanelymac.com/forum/topic/357531-information-on-disabling-individual-sip-arguments-on-macos/#findComment-2828498 Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.