Someone e-mailed me and asked me if it is possible to check the SIP (System Integrity Protection) status from a C program. Yes. That is certainly possible, and I like to shared an example in a new Github repository. One that I added yesterday, and todays update made it even cleaner. Here is a sample of the output:
System Integrity Protection status: enabled (Custom Configuration: 0x00000001). Configuration: Apple Internal: disabled Kext Signing Restrictions: disabled Filesystem Protections: enabled Debugging Restrictions: enabled DTrace Restrictions: enabled NVRAM Protections: enabled This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
In the same fashion csrutil status does it, but there are four major differences. Did you spot them already?
1.) It will only show “status: disabled” when everything is disabled. Done to stop confusion.
2.) It shows you the actual state e.g. 0x00000001 to assist you, to help you detect the actual value of csr-active-config in NVRAM.
3.) I use: “Kext Signing Restrictions” instead of “Kext Signing” to help you understand what it does.
4.) All changes are displayed in bold to help you spot disabled protections and/or restrictions.
See also csrutil updated in DP7.
Have fun with it!
It is very interesting, what it outputs on the yosemite. Although I have set “kext-dev-mode=1”, I have following output:
System Integrity Protection status: enabled (0x00000010) (Apple Internal).
Configuration:
Apple Internal: enabled
Kext Signing Restrictions: disabled
Filesystem Protections: disabled
Debugging Restrictions: disabled
DTrace Restrictions: disabled
NVRAM Protections: disabled
Apple started to implement SIP in Yosemite, and Apple Internal is the default value, but it wasn’t finished like it is right now in El Capitan.
kext-dev-mode=1 doesn’t do anything to SIP settings. It works the other way around.
Pingback: SIP about to change once more? | Pike's Universum
Pingback: csrutil updated in DP7 | Pike's Universum