Disabling SIP (System Integrity Protection) on OS X 10.11

Apple began requiring kexts to be code-signed in 10.9 and enforced it fully in 10.10: every kext placed in /System/Library/Extensions/ must pass signature verification before the system will load it. In 10.11 Apple added System Integrity Protection (SIP) on top of that to protect system files and kext drivers from modification; even with root privileges you cannot change the items the system has designated as protected.

To see which items are locked down, read:

cat /System/Library/Sandbox/rootless.conf


10.10 has only a few entries:

                /System
*               /System/Library/Caches
booter          /System/Library/CoreServices
*               /System/Library/Extensions
                /System/Library/Extensions/*
UpdateSettings  /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
*               /System/Library/User Template
                /bin
                /sbin
                /usr
*               /usr/local
# symlinks
                /etc
                /tmp
                /var

10.11 adds many more entries that root cannot modify:

                /Applications/App Store.app
                /Applications/Automator.app
                /Applications/Calculator.app
                /Applications/Calendar.app
                /Applications/Chess.app
                /Applications/Contacts.app
                /Applications/Dashboard.app
                /Applications/Dictionary.app
                /Applications/DVD Player.app
                /Applications/FaceTime.app
                /Applications/Font Book.app
                /Applications/Game Center.app
                /Applications/Image Capture.app
                /Applications/Launchpad.app
                /Applications/Mail.app
                /Applications/Maps.app
                /Applications/Messages.app
                /Applications/Mission Control.app
                /Applications/Notes.app
                /Applications/Photo Booth.app
                /Applications/Photos.app
                /Applications/Preview.app
                /Applications/QuickTime Player.app
                /Applications/Reminders.app
                /Applications/Safari.app
                /Applications/Stickies.app
                /Applications/System Preferences.app
                /Applications/TextEdit.app
                /Applications/Time Machine.app
                /Applications/Utilities/Activity Monitor.app
                /Applications/Utilities/AirPort Utility.app
                /Applications/Utilities/Audio MIDI Setup.app
                /Applications/Utilities/Bluetooth File Exchange.app
                /Applications/Utilities/Boot Camp Assistant.app
                /Applications/Utilities/ColorSync Utility.app
                /Applications/Utilities/Console.app
                /Applications/Utilities/Digital Color Meter.app
                /Applications/Utilities/Disk Utility.app
                /Applications/Utilities/Feedback Assistant.app
                /Applications/Utilities/Grab.app
                /Applications/Utilities/Grapher.app
                /Applications/Utilities/Keychain Access.app
                /Applications/Utilities/Migration Assistant.app
                /Applications/Utilities/Script Editor.app
                /Applications/Utilities/System Information.app
                /Applications/Utilities/Terminal.app
                /Applications/Utilities/VoiceOver Utility.app
                /Library/Preferences/SystemConfiguration/com.apple.Boot.plist
                /System
*               /System/Library/Caches
booter              /System/Library/CoreServices
*               /System/Library/CoreServices/Photo Library Migration Utility.app
                /System/Library/CoreServices/RawCamera.bundle
*               /System/Library/Extensions
                /System/Library/Extensions/*
UpdateSettings          /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist
*               /System/Library/Speech
*               /System/Library/User Template
                /bin
dyld                /private/var/db/dyld
                /sbin
                /usr
*               /usr/libexec/cups
*               /usr/local
*               /usr/share/man
# symlinks
                /etc
                /tmp
                /var


Because SIP is active, rootless.conf itself cannot be modified until SIP has been turned off.
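As an added illustration (my own POSIX shell/awk script, not part of the original post and not Apple's tooling), here is a small reader for the rootless.conf layout shown above: an optional tag column ("*", "booter", "UpdateSettings", "dyld") followed by a path, with "#" comment lines. Given a path, it reports the most specific entry that covers it, which is a useful check before deciding whether a change even needs SIP turned off. The sample configuration is a constructed subset of the 10.11 entries listed above. What the tags mean is my reading rather than something the post states: an untagged entry is a protected path, and an entry tagged "*" (for example /usr/local) is an exception that is left writable; "dir/*" covers everything strictly below dir, while "dir" covers the directory itself and everything below it.

```shell
#!/bin/sh
# Added example, not from the original post: reader for the rootless.conf
# layout shown above. Tag semantics are my reading (assumption):
#   untagged  -> protected path
#   "*"       -> exception, left writable (e.g. /usr/local)
#   other tag -> protected, with a named special case (booter, dyld, ...)
# "dir/*" covers everything strictly below dir; "dir" covers dir and below.

# Constructed sample: a subset of the 10.11 entries listed in the post.
SAMPLE_ROOTLESS_CONF='                /System
*               /System/Library/Caches
booter          /System/Library/CoreServices
*               /System/Library/Extensions
                /System/Library/Extensions/*
*               /System/Library/User Template
                /usr
*               /usr/local
# symlinks
                /etc'

# rootless_lookup <conf-text> <path>
# Prints "<tag><TAB><entry>" for the longest entry covering <path>,
# using "-" as the tag for untagged lines, or "-<TAB>(no entry)" if none matches.
rootless_lookup() {
    printf '%s\n' "$1" | awk -v target="$2" '
        /^[ \t]*#/ || NF == 0 { next }
        {
            path = $0
            sub(/^[ \t]+/, "", path)
            if ($1 ~ /^\//) {
                tag = "-"                      # no tag column on this line
            } else {
                tag = $1
                sub(/^[^ \t]+[ \t]+/, "", path)   # drop tag, keep spaces in path
            }
            if (path ~ /\/\*$/) {
                base = substr(path, 1, length(path) - 2)
                hit = (index(target, base "/") == 1)              # strictly below
            } else {
                hit = (target == path || index(target, path "/") == 1)
            }
            # Longer entries are more specific; "dir/*" outranks "dir".
            if (hit && length(path) > best_len) {
                best_len = length(path)
                best = tag "\t" path
            }
        }
        END { if (best_len > 0) print best; else print "-\t(no entry)" }'
}

# Demonstration over a few constructed paths.
for p in /usr/local/bin/tool /System/Library/Extensions/Foo.kext \
         /System/Library/Extensions "/System/Library/User Template/English.lproj" /Users/me; do
    printf '%-48s %s\n' "$p" "$(rootless_lookup "$SAMPLE_ROOTLESS_CONF" "$p")"
done
```

Run it as-is to see the sample lookups; to check the real file, replace the sample with `"$(cat /System/Library/Sandbox/rootless.conf)"`. Note how /System/Library/Extensions itself resolves to the "*"-tagged entry while a kext inside it resolves to the untagged "/System/Library/Extensions/*" entry: the two lines in the listing are not redundant.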

RecoveryHD

Before going any further you must confirm that you can boot into the Recovery OS: restart the machine and hold the Option (alt) key to get to the startup disk selection:

If the list of startup disks includes Recovery HD, you have a Recovery OS. If it is missing, hold Option (alt) + R at boot to network-boot and connect to Apple's servers to install the Recovery OS (see the linked detailed instructions).

csrutil

Changes to the SIP protection are made with the csrutil utility, and you only have permission to make them after booting into the Recovery OS and running the command from its Utilities > Terminal.

The utility writes the changed value into the nvram variable csr-active-config. Typing csrutil on its own prints the usage:

usage: csrutil <command>
Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine.
Available commands:

    clear
        Clear the existing configuration. Only available in Recovery OS.
    disable
        Disable the protection on the machine. Only available in Recovery OS.
    enable
        Enable the protection on the machine. Only available in Recovery OS.
    status
        Display the current configuration.

    netboot
        add <address>
            Insert a new IPv4 address in the list of allowed NetBoot sources.
        list
            Print the list of allowed NetBoot sources.
        remove <address>
            Remove an IPv4 address from the list of allowed NetBoot sources.

To see the current state, run csrutil status:

System Integrity Protection status: enabled (Custom Configuration).

To simply turn SIP off, run sudo csrutil enable --no-internal:

Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.


If you get:

csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.


it means you did not boot from the Recovery OS; make sure you boot from the Recovery OS and then run it again.

Advanced csrutil commands

If you only want to turn off one specific SIP feature, for example the kext signing requirement, run sudo csrutil enable --without kext:

csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state.
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.

The message tells you the setting has been written to nvram and that a restart is needed before it takes effect.

Apart from the example above, the other settings are likewise switched on and off through enable and --without; the command syntax is:

csrutil enable [--without kext|fs|debug|dtrace|nvram] [--no-internal]

For example:

  • sudo csrutil enable --without fs: Filesystem Protections disabled

  • sudo csrutil enable --without kext: Kext Signing disabled

  • sudo csrutil enable --without debug: Debugging Restrictions disabled

  • sudo csrutil enable --without nvram: NVRAM Protections disabled

  • sudo csrutil enable --without dtrace: DTrace Restrictions disabled

They can of course be combined:

  • sudo csrutil enable --without kext --without fs: Filesystem Protections and Kext Signing are disabled

Personal notes:

The csrutil configuration is stored in nvram under the key csr-active-config. The value is a single byte, and since 1 byte = 8 bits, each bit is interpreted as the setting for one feature:

bit  function
B0   kext
B1   fs
B2   debug
B3   n/a
B4   internal
B5   dtrace
B6   nvram
B7   n/a

The n/a bits have no effect no matter what they are set to, so anyone confident enough can change csr-active-config directly with the nvram command, for example:

nvram csr-active-config=0x13

is equivalent to:

sudo csrutil enable --without kext --without fs
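The --without flags listed earlier and the bit table above map onto each other directly. As an added example (my own POSIX shell, not from the post and not Apple's csrutil), the script below decodes a csr-active-config byte into the feature names from the table and builds the byte that a given set of --without flags would store. The one thing it assumes beyond the table is that the internal bit (B4) stays set unless --no-internal is given, which is what the post's 0x13 example implies; the n/a bits are reported as such when set.

```shell
#!/bin/sh
# Added example, not from the original post: decode and encode the one-byte
# csr-active-config value using the bit table given above
# (B0 kext, B1 fs, B2 debug, B3 n/a, B4 internal, B5 dtrace, B6 nvram, B7 n/a).
# Assumption (inferred from the post's 0x13 example, not stated by csrutil's
# usage text): "csrutil enable --without ..." leaves the internal bit set
# unless --no-internal is given.

# Feature name for a bit position, as in the post's table.
csr_bit_name() {
    case "$1" in
        0) echo kext ;;
        1) echo fs ;;
        2) echo debug ;;
        3) echo n/a ;;
        4) echo internal ;;
        5) echo dtrace ;;
        6) echo nvram ;;
        7) echo n/a ;;
        *) echo "bad bit: $1" >&2; return 1 ;;
    esac
}

# csr_decode <value>   e.g. "csr_decode 0x13" -> "kext fs internal"
# Lists the features whose bit is set, lowest bit first; "(none)" means
# no protection has been relaxed.
csr_decode() {
    value=$(( $1 & 0xff ))
    out=""
    i=0
    while [ "$i" -lt 8 ]; do
        if [ $(( (value >> i) & 1 )) -eq 1 ]; then
            name=$(csr_bit_name "$i")
            if [ "$name" = "n/a" ]; then
                name="n/a(bit$i)"          # set, but per the post has no effect
            fi
            out="${out:+$out }$name"
        fi
        i=$(( i + 1 ))
    done
    printf '%s\n' "${out:-(none)}"
}

# csr_encode [--no-internal] [kext|fs|debug|dtrace|nvram ...]
# Builds the value that "csrutil enable --without <name> ..." would store.
csr_encode() {
    value=0
    internal=1
    for flag in "$@"; do
        case "$flag" in
            --no-internal) internal=0 ;;
            kext)   value=$(( value | 1 )) ;;
            fs)     value=$(( value | 2 )) ;;
            debug)  value=$(( value | 4 )) ;;
            dtrace) value=$(( value | 32 )) ;;
            nvram)  value=$(( value | 64 )) ;;
            *) echo "unknown --without flag: $flag" >&2; return 1 ;;
        esac
    done
    if [ "$internal" -eq 1 ]; then
        value=$(( value | 16 ))
    fi
    printf '0x%02x\n' "$value"
}

# Demonstration: the post's equivalence, then a readback of a few values.
echo "csrutil enable --without kext --without fs  ->  $(csr_encode kext fs)"
for v in 0x00 0x10 0x13 0x67; do
    echo "csr-active-config=$v  ->  $(csr_decode "$v")"
done
```

This is handy for sanity-checking a value read back with the nvram command against what csrutil status reports, and it shows why 0x13 is kext and fs plus the internal bit rather than kext and fs alone.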

