Someone e-mailed me and asked me if it is possible to check the SIP (System Integrity Protection) status from a C program. Yes. That is certainly possible, and I'd like to share an example in a new GitHub repository. One that I added yesterday, and today's update made it even cleaner. Here is a sample of the output:
    System Integrity Protection status: enabled (Custom Configuration: 0x00000001).

    Configuration:
        Apple Internal: disabled
        Kext Signing Restrictions: disabled
        Filesystem Protections: enabled
        Debugging Restrictions: enabled
        DTrace Restrictions: enabled
        NVRAM Protections: enabled

    This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
In the same fashion csrutil status does it, but there are four major differences. Did you spot them already?
1.) It will only show “status: disabled” when everything is disabled. Done to stop confusion.
2.) It shows you the actual state, e.g. 0x00000001, to assist you, to help you detect the actual value of csr-active-config in NVRAM.
3.) I use: “Kext Signing Restrictions” instead of “Kext Signing” to help you understand what it does.
4.) All changes are displayed in bold to help you spot disabled protections and/or restrictions.
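For readers who want to see how such a status line falls out of the bitmask, here is an added example; it is not the csrstat source and not code from this post. The bit values are the ones in XNU's bsd/sys/csr.h; the mapping of the labels above to bits, the set of bits that counts as "everything disabled", and the function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Bit values from XNU's bsd/sys/csr.h; a set bit lifts the restriction. */
#define CSR_ALLOW_UNTRUSTED_KEXTS     (1u << 0)
#define CSR_ALLOW_UNRESTRICTED_FS     (1u << 1)
#define CSR_ALLOW_TASK_FOR_PID        (1u << 2)
#define CSR_ALLOW_APPLE_INTERNAL      (1u << 4)
#define CSR_ALLOW_UNRESTRICTED_DTRACE (1u << 5)
#define CSR_ALLOW_UNRESTRICTED_NVRAM  (1u << 6)
/* Assumption: these five bits count as "everything" for the disabled check. */
#define SIP_ALL (CSR_ALLOW_UNTRUSTED_KEXTS | CSR_ALLOW_UNRESTRICTED_FS | \
    CSR_ALLOW_TASK_FOR_PID | CSR_ALLOW_UNRESTRICTED_DTRACE | CSR_ALLOW_UNRESTRICTED_NVRAM)

#ifdef __APPLE__
extern int csr_get_active_config(uint32_t *config); /* private libsystem call */
#endif

/* 1 while the protection guarded by 'bit' is active (bit clear). */
int sip_protection_enabled(uint32_t config, uint32_t bit) { return (config & bit) == 0; }

/* 1 only when every restriction bit is set; partial configs stay "enabled". */
int sip_fully_disabled(uint32_t config) { return (config & SIP_ALL) == SIP_ALL; }

void sip_print(uint32_t config) {
    /* Label-to-bit mapping is an assumption, not taken from csrstat. */
    static const struct { const char *label; uint32_t bit; } rows[] = {
        { "Kext Signing Restrictions", CSR_ALLOW_UNTRUSTED_KEXTS },
        { "Filesystem Protections",    CSR_ALLOW_UNRESTRICTED_FS },
        { "Debugging Restrictions",    CSR_ALLOW_TASK_FOR_PID },
        { "DTrace Restrictions",       CSR_ALLOW_UNRESTRICTED_DTRACE },
        { "NVRAM Protections",         CSR_ALLOW_UNRESTRICTED_NVRAM },
    };
    printf("System Integrity Protection status: %s", sip_fully_disabled(config) ? "disabled" : "enabled");
    if (config) printf(" (Custom Configuration: 0x%08x)", (unsigned)config);
    printf(".\n\nConfiguration:\n");
    printf("\tApple Internal: %s\n", (config & CSR_ALLOW_APPLE_INTERNAL) ? "enabled" : "disabled");
    for (size_t i = 0; i < sizeof rows / sizeof rows[0]; i++)
        printf("\t%s: %s\n", rows[i].label, sip_protection_enabled(config, rows[i].bit) ? "enabled" : "disabled");
}

int main(void) {
    uint32_t config = 0x00000001; /* constructed sample, the value shown in the output above */
#ifdef __APPLE__
    if (csr_get_active_config(&config) != 0) return 1; /* read the live value on macOS */
#endif
    sip_print(config);
    return 0;
}
```

Off macOS the program decodes the constructed sample value only; on macOS it reads the live configuration through the private call.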
See also csrutil updated in DP7.
Update: csrstat v1.5 with High Sierra support is now available.
Have fun with it!