Adding an entitlement check to FileNVRAM.kext

Apple protects the SIP settings and won’t allow you – not even as root – to set or change the csr-active-config and csr-data NVRAM variables. Not without using a certain UUID or first booting into the RecoveryHD. Yup. It simply fails with some error. And using

$ sudo csrutil disable

will also fail with an error, but since FileNVRAM.kext isn’t checking the entitlements… that will let you, and anyone else for that matter, add or change the SIP settings! I personally do not want this. Not even on a hack, and that is why I added the missing entitlement check. Here is what I added:

bool FileNVRAM::setProperty(const OSSymbol *aKey, OSObject *anObject)
	// Verify permissions.
	if (IOUserClient::clientHasPrivilege(current_task(), kIOClientPrivilegeAdministrator) != kIOReturnSuccess)
		// Not priveleged!
		return false;
	// Check for SIP configuration variables.
	if ((strncmp("csr-data", aKey->getCStringNoCopy(), 8) == 0) || (strncmp("csr-active-config", aKey->getCStringNoCopy(), 17) == 0))
		// We have a match so first verify the entitlements.
		if (IOUserClient::copyClientEntitlement(current_task(), "") == NULL)
			LOG(INFO, "setProperty(%s, (%s) %p) failed (not entitled)\n", aKey->getCStringNoCopy(), anObject->getMetaClass()->getClassName(), anObject);
			// Not entitled!
			return false;

Yeah. Checking entitlements is really that easy. Now nvram barks like it should:

sandboxd[270] ([475]): nvram(475) System Policy: deny nvram-set csr-active-config

Same for csrutil:

sandboxd[270] ([473]): csrutil(473) System Policy: deny nvram-set csr-active-config

Have fun with it!

6 thoughts on “Adding an entitlement check to FileNVRAM.kext

  1. Would this mean that a third-party boot.efi might need to resort to some implicit call to FileNVRAM.kext to make csrutil enable/disable work even when booted to the Recovery HD?

    • It means that csrutil enable/disable and the like works with FileNVRAM.kext in place, even from a normall booted partition, but that is not what we want. I may need a lot more time to figure it all out, but we should be able to get the job done in a clean – non-hack – way.

  2. Pingback: csrutil (SIP) disable(d) from the command prompt | Pike's Universum

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s