| System Integrity Protection | |
|---|---|
| | Security layers present in macOS (infobox image caption) |
| Developer | Apple Inc. |
| Initial release | September 16, 2015 |
| Operating system | macOS |
| Included with | OS X El Capitan (OS X 10.11) and later |
| Type | Computer security software |
| Website | developer |
System Integrity Protection (SIP,[1] sometimes referred to as rootless[2][3]) is a security feature of Apple's macOS operating system, introduced in OS X El Capitan (OS X 10.11, 2015). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modification by processes that lack a specific "entitlement", even when those processes run as the root user or as a user with root privileges (sudo).
Apple says that the root user can be a significant risk to the system's security, especially on a system with a single user account on which that user is also the administrator. SIP is enabled by default but can be disabled.[4][5]
Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account, which necessarily carries administrative credentials, so most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password, which Martel says is often weak or non-existent, the security of the entire system is potentially compromised.[4] Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforced securelevel 1, a security feature that originates in BSD and its derivatives, on which macOS is partially based.[6]

System Integrity Protection comprises the following mechanisms:
System Integrity Protection protects system files and directories that are flagged for protection. An item is flagged either by adding an extended file attribute to it, by listing it in /System/Library/Sandbox/rootless.conf, or both. Among the protected directories are /System, /bin, /sbin and /usr (but not /usr/local).[8] The symbolic links from /etc, /tmp and /var to /private/etc, /private/tmp and /private/var are also protected, although the target directories themselves are not. Most preinstalled Apple applications in /Applications are protected as well.[1] The kernel, XNU, prevents processes without the specific entitlements from modifying the permissions and contents of flagged files and directories, and also prevents code injection, runtime attachment (debugging) and DTrace with respect to protected executables.[9]
Since OS X Yosemite, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.[10] The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.[4][11]
System Integrity Protection also sanitizes certain environment variables when a protected system program is launched. For example, SIP strips LD_LIBRARY_PATH and DYLD_LIBRARY_PATH before executing a system program such as /bin/bash, so that a dynamic-linker override cannot be used to inject code into the Bash process.[12]
The directories protected by SIP by default include:[13]
- /System
- /sbin
- /bin
- /usr
- /Applications

/usr is protected with the exception of the /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.[13]
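The two mechanisms above (flagged files and environment sanitization) can both be observed from a Terminal without disabling anything. The following script is an added example, not Apple's code and not part of the original article: `sip_file_markers` reports which protection markers a path carries (the BSD `restricted` file flag shown by `ls -lO`, the `com.apple.rootless` extended attribute, and an entry in rootless.conf), and `sip_env_probe` shows whether a `DYLD_LIBRARY_PATH` value survives the launch of a given shell binary. The exact layout of rootless.conf (path in the last field, lines beginning with `*` listing exceptions) is an assumption made here; the function only reads it. On a system without SIP, including Linux, the probe reports the variable as preserved.

```shell
#!/bin/bash
# Added example (not Apple's code): read-only probes for two SIP mechanisms.
# Nothing here modifies any file or setting.

# sip_file_markers PATH
# Prints the SIP markers found on PATH, "none" if there are none, or
# "not-macos" when run on another operating system.
sip_file_markers() {
  path=$1
  markers=""
  if [ "$(uname -s)" != Darwin ]; then
    echo not-macos
    return 0
  fi
  # With -O, BSD ls prints the file flags in the fifth column ("-" if none).
  if ls -ldO "$path" 2>/dev/null | awk '{print $5}' | grep -q restricted; then
    markers="$markers restricted-flag"
  fi
  # Protected items carry this extended attribute; `xattr -l` lists names.
  if xattr -l "$path" 2>/dev/null | grep -q '^com\.apple\.rootless'; then
    markers="$markers com.apple.rootless"
  fi
  # rootless.conf: assumed layout is one entry per line with the path in the
  # last whitespace-separated field; '#' lines are comments and lines that
  # start with '*' list exceptions (such as /usr/local), so both are skipped.
  if grep -v '^[#*]' /System/Library/Sandbox/rootless.conf 2>/dev/null \
       | awk '{print $NF}' | grep -qx -- "$path"; then
    markers="$markers rootless.conf"
  fi
  if [ -z "$markers" ]; then
    echo none
  else
    echo "${markers# }"
  fi
}

# sip_env_probe SHELL_BINARY
# Launches SHELL_BINARY with DYLD_LIBRARY_PATH set to a harmless marker value
# and asks it to print the variable back. With SIP enabled, a protected
# binary such as /bin/bash starts with the variable removed ("stripped");
# without SIP, or on Linux, the value comes back unchanged ("preserved").
# The binary must accept `-c`, i.e. it must be a shell.
sip_env_probe() {
  bin=${1:-/bin/bash}
  seen=$(DYLD_LIBRARY_PATH=/tmp/sip-probe "$bin" -c 'printf %s "${DYLD_LIBRARY_PATH:-}"' 2>/dev/null)
  if [ "$seen" = /tmp/sip-probe ]; then
    echo preserved
  else
    echo stripped
  fi
}

# Demo: a protected directory, a protected binary, the /usr/local exception
# and a preinstalled app, followed by the environment probe.
for p in /System /bin/bash /usr/local /Applications/Safari.app; do
  printf '%-28s %s\n' "$p" "$(sip_file_markers "$p")"
done
printf 'DYLD_LIBRARY_PATH via /bin/bash: %s\n' "$(sip_env_probe /bin/bash)"
```

A useful control on a Mac is to copy `/bin/bash` to a writable location and run `sip_env_probe` against the copy: the copy is not a protected executable, so the variable is preserved there while it is stripped for the original.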
System Integrity Protection can only be disabled (either wholly or partly) from outside of the system partition. To that end, Apple provides the csrutil command-line utility, which can be executed from a Terminal window within the recovery system or from a bootable macOS installation disk; it stores the setting as a boot argument in the device's NVRAM, so it applies to every installation of El Capitan or newer on the device.[4] Upon installation of macOS, the installer moves any unknown components found within flagged system directories to /Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/.[1][4] Because write access to system directories is prevented, system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is no longer available in Disk Utility[14] or in the corresponding diskutil operation.
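Because csrutil can also disable SIP only partly (for example, only the debugging restriction), an audit should not stop at the word "enabled". The script below is an added example, not Apple's code: `sip_verdict` normalizes the text printed by `csrutil status` into `enabled`, `disabled` or `partial:<protections reported off>`, and `sip_status` runs the real command where it exists. The two sample outputs are constructed here from the format csrutil prints; the "Custom Configuration" block is what appears after a partial `csrutil enable --without ...` from the recovery system, and the "Apple Internal" line is ignored because it reads "disabled" on every normal machine.

```shell
#!/bin/bash
# Added example (not Apple's code): turn `csrutil status` output into a
# one-word verdict suitable for fleet checks or a login script.

# Constructed sample outputs modelled on csrutil's format (real output indents
# the Configuration lines with a tab; spaces are used here).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_CUSTOM='System Integrity Protection status: unknown (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: disabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled
    BaseSystem Verification: enabled'

# sip_verdict TEXT
# Prints "enabled", "disabled", "partial:<comma-separated disabled items>"
# or "unknown" when the text is not recognisable csrutil output.
sip_verdict() {
  text=$1
  # The first line always reads "System Integrity Protection status: <word>".
  first=$(printf '%s\n' "$text" \
    | sed -n 's/^System Integrity Protection status: \([a-z]*\).*/\1/p')
  case $first in
    enabled)  echo enabled ;;
    disabled) echo disabled ;;
    unknown)
      # Custom configuration: collect the protections reported as disabled,
      # skipping "Apple Internal", which is always disabled outside Apple.
      off=$(printf '%s\n' "$text" | awk -F': ' '
        /: disabled$/ && $1 !~ /Apple Internal/ {
          gsub(/^[ \t]+/, "", $1); printf "%s%s", sep, $1; sep=","
        }')
      echo "partial:${off}" ;;
    *) echo unknown ;;
  esac
}

# sip_status
# Runs csrutil where it exists (macOS); elsewhere reports "unavailable".
sip_status() {
  if command -v csrutil >/dev/null 2>&1; then
    sip_verdict "$(csrutil status 2>/dev/null)"
  else
    echo unavailable
  fi
}

printf 'sample (enabled): %s\n' "$(sip_verdict "$SAMPLE_ENABLED")"
printf 'sample (custom):  %s\n' "$(sip_verdict "$SAMPLE_CUSTOM")"
printf 'this machine:     %s\n' "$(sip_status)"
```

Any `partial:` or `disabled` verdict on a machine that is not a developer's own deserves a follow-up, since the setting lives in NVRAM and survives reinstalling macOS.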
Reception of System Integrity Protection has been mixed. Macworld expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, on which installing many utilities and modifications requires jailbreaking.[2][15] Some applications and drivers will not work to their full extent, or cannot be used at all, unless the feature is disabled, either temporarily or permanently. Ars Technica suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that the vast majority of users, including power users, will have no reason to turn the feature off, saying that there are "almost no downsides" to it.[1]