by

csrstat.c to show CSR/SIP status

Someone e-mailed me and asked me if it is possible to check the SIP (System Integrity Protection) status from a C program. Yes. That is certainly possible, and I like to shared an example in a new Github repository. One that I added yesterday, and todays update made it even cleaner. Here is a sample of the output:

System Integrity Protection status: enabled (Custom Configuration: 0x00000001).

Configuration:
	Apple Internal: disabled
	Kext Signing Restrictions: disabled
	Filesystem Protections: enabled
	Debugging Restrictions: enabled
	DTrace Restrictions: enabled
	NVRAM Protections: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.

In the same fashion csrutil status does it, but there are four major differences. Did you spot them already?

1.) It will only show “status: disabled” when everything is disabled. Done to stop confusion.

2.) It shows you the actual state e.g. 0x00000001 to assist you, to help you detect the actual value of csr-active-config in NVRAM.

3.) I use: “Kext Signing Restrictions” instead of “Kext Signing” to help you understand what it does.

4.) All changes are displayed in bold to help you spot disabled protections and/or restrictions.

See also csrutil updated in DP7.

Update csrstat v1.5 with Higher Sierra support is now available.

Have fun with it!

5 thoughts on “csrstat.c to show CSR/SIP status

  1. It is very interesting, what it outputs on the yosemite. Although I have set “kext-dev-mode=1”, I have following output:

    System Integrity Protection status: enabled (0x00000010) (Apple Internal).

    Configuration:
    Apple Internal: enabled
    Kext Signing Restrictions: disabled
    Filesystem Protections: disabled
    Debugging Restrictions: disabled
    DTrace Restrictions: disabled
    NVRAM Protections: disabled

    Reply

    • Apple started to implement SIP in Yosemite, and Apple Internal is the default value, but it wasn’t finished like it is right now in El Capitan.
      kext-dev-mode=1 doesn’t do anything to SIP settings. It works the other way around.

      Reply

  2. Pingback: SIP about to change once more? | Pike's Universum

  3. Pingback: csrutil updated in DP7 | Pike's Universum

  4. Pingback: csrstat v1.5 released… – Pike's Universum

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s