SIP about to change once more?

I blogged about System Integrity Protection here; Apple’s kext signing bypassed… and here; csrutil updated in DP7 and when I released csrstat.c to show CSR/SIP status and I have found a new C string literal in the sandbox daemon – sandboxd – that may be an indication that Apple will extend the SIP configuration with the following setting:

#define CSR_ALLOW_DEVICE_CONFIGURATION	(1 << 7)	// 128

Update: It is already used/checked in function csr_check() in bsd/kern/kern_csr.c (XNU kernel source code) to set csr_allow_all to 1 if it is set.

More importantly. AppleEFINVRAM has two calls to csr_check() with this value. One in AppleEFINVRAM::setProperty(OSSymbol const*, OSObject*) and one in AppleEFINVRAM::removeProperty(OSSymbol const*, bool). There might be more executables that use this value, but at least now we know what it is that blocks nvram settings from being stored. I mean entitlements alone are not enough. We know this because csrutil is in fact entitled to set csr-* properties, but not from all partitions.

I also asked folks in the Clover general and Chameleon threads over at if they used this value, but nobody replied yet. I presume that they don’t know what this value is used for, and why they should test it. Well. Never mind then.

One thought on “SIP about to change once more?

  1. Pingback: SIP (System Integrity Protection) changes for High Sierra… – Pike's Universum

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s