System Integrity Protection: Difference between revisions

	Security layers present in macOS
Developer(s)	Apple Inc.
Initial release	September 16, 2015; 8 years ago
Operating system	macOS
Included with	OS X El Capitan (OS X 10.11) and later
Type	Computer security software
Website	developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html

Browse history interactively

← Previous edit

Content deleted Content added

VisualWikitext

Inline

Latest revision as of 01:22, 27 May 2024

System Integrity Protection (SIP,^[1] sometimes referred to as rootless^[2]^[3]) is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).

Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. SIP is enabled by default, but can be disabled.^[4]^[5]

Justification[edit]

Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised.^[4] Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforce level 1 of securelevel, a security feature that originates in BSD and its derivatives upon which macOS is partially based.^[6]

Functions[edit]

Prohibited sign (a circle with a single line crossing through it) that is shown during the boot process when the system is not allowed to proceed. — The "prohibitory symbol"^[7] is shown when macOS is not allowed to complete the boot process. This can happen when "kext signing" is enabled and the user installed an unsigned kernel extension.

System Integrity Protection comprises the following mechanisms:

Protection of contents and file-system permissions of system files and directories;
Protection of processes against code injection, runtime attachment (like debugging) and DTrace;
Protection against unsigned kernel extensions ("kexts").

System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an extended file attribute to a file or directory, by adding the file or directory to /System/Library/Sandbox/rootless.conf or both. Among the protected directories are: /System, /bin, /sbin, /usr (but not /usr/local).^[8] The symbolic links from /etc, /tmp and /var to /private/etc, /private/tmp and /private/var are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in /Applications are protected as well.^[1] The kernel, XNU, prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected executables.^[9]

Since OS X Yosemite, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.^[10] The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.^[4]^[11]

System Integrity Protection will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize LD_LIBRARY_PATH and DYLD_LIBRARY_PATH before calling a system program like /bin/bash to avoid code injections into the Bash process.^[12]

Configuration[edit]

The directories protected by SIP by default include:^[13]

/System
/sbin
/bin
/usr
/Applications

/usr is protected with the exception of /usr/local subdirectory. /Applications is protected for apps that are pre-installed with Mac OS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.^[13]

System Integrity Protection can only be disabled (either wholly or partly) from outside of the system partition. To that end, Apple provides the csrutil command-line utility which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk, which adds a boot argument to the device's NVRAM. This applies the setting to all of the installations of El Capitan or macOS Sierra on the device.^[4] Upon installation of macOS, the installer moves any unknown components within flagged system directories to /Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/.^[1]^[4] By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in Disk Utility^[14] and the corresponding diskutil operation.

Reception[edit]

Reception of System Integrity Protection has been mixed. Macworld expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, whereupon the installation of many utilities and modifications requires jailbreaking.^[2]^[15] Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. Ars Technica suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including power users, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.^[1]

References[edit]

^ ^a ^b ^c ^d Cunningham, Andrew; Hutchinson, Lee (September 29, 2015). "OS X 10.11 El Capitan: The Ars Technica Review—System Integrity Protection". Ars Technica. Retrieved September 29, 2015.
^ ^a ^b Cunningham, Andrew (June 17, 2015). "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica. Retrieved June 18, 2015.
^ Slivka, Eric (June 12, 2015). "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors. Retrieved June 18, 2015.
^ ^a ^b ^c ^d ^e Martel, Pierre-Olivier (June 2015). "Security and Your Apps" (PDF). Apple Developer. pp. 8–54. Archived (PDF) from the original on April 23, 2016. Retrieved September 30, 2016.
^ "Configuring System Integrity Protection". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 30, 2016.
^ Garfinkel, Simon; Spafford, Gene; Schwartz, Alan (2003). Practical UNIX and Internet Security. O'Reilly Media. pp. 118–9. ISBN 9780596003234.
^ "About the screens you see when your Mac starts up". Apple Support. August 13, 2015. Archived from the original on April 21, 2016. Retrieved September 30, 2016.
^ "About System Integrity Protection on your Mac". Apple Support. May 30, 2016. Archived from the original on March 20, 2016. Retrieved September 30, 2016.
^ "What's New In OS X - OS X El Capitan v10.11". Mac Developer Library. Apple. Archived from the original on March 4, 2016. Retrieved September 30, 2016. Code injection and runtime attachments to system binaries are no longer permitted.
^ "Kernel Extensions". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 29, 2016.
^ "Trim in Yosemite". Cindori. Retrieved June 18, 2015.
^ Walton, Jeffrey (March 28, 2020). "Nettle 3.5.1 and OS X 10.12 patch". nettle-bugs (Mailing list). Archived from the original on July 14, 2020. Retrieved 13 July 2020.
^ ^a ^b "How to Check if System Integrity Protection (SIP) is Enabled on Mac". OS X Daily. August 1, 2018. Retrieved March 6, 2021.
^ "OS X El Capitan Developer Beta 2 Release Notes". Mac Developer Library. Apple. June 22, 2015. At section Notes and Known Issues. Archived from the original on June 26, 2015. Retrieved June 29, 2015.
^ Fleishman, Glenn (July 15, 2015). "Private I: El Capitan's System Integrity Protection will shift utilities' functions". Macworld. Retrieved July 22, 2015.

External links[edit]

System Integrity Protection Guide in Apple's Mac Developer Library

[:2-1] Cunningham, Andrew; Hutchinson, Lee (September 29, 2015). "OS X 10.11 El Capitan: The Ars Technica Review—System Integrity Protection". Ars Technica. Retrieved September 29, 2015.

[:0-2] Cunningham, Andrew (June 17, 2015). "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica. Retrieved June 18, 2015.

[3] Slivka, Eric (June 12, 2015). "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors. Retrieved June 18, 2015.

[:1-4] Martel, Pierre-Olivier (June 2015). "Security and Your Apps" (PDF). Apple Developer. pp. 8–54. Archived (PDF) from the original on April 23, 2016. Retrieved September 30, 2016.

[5] "Configuring System Integrity Protection". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 30, 2016.

[6] Garfinkel, Simon; Spafford, Gene; Schwartz, Alan (2003). Practical UNIX and Internet Security. O'Reilly Media. pp. 118–9. ISBN 9780596003234.

[7] "About the screens you see when your Mac starts up". Apple Support. August 13, 2015. Archived from the original on April 21, 2016. Retrieved September 30, 2016.

[8] "About System Integrity Protection on your Mac". Apple Support. May 30, 2016. Archived from the original on March 20, 2016. Retrieved September 30, 2016.

[9] "What's New In OS X - OS X El Capitan v10.11". Mac Developer Library. Apple. Archived from the original on March 4, 2016. Retrieved September 30, 2016. Code injection and runtime attachments to system binaries are no longer permitted.

[10] "Kernel Extensions". Mac Developer Library. Apple. September 16, 2015. Archived from the original on August 17, 2016. Retrieved September 29, 2016.

[11] "Trim in Yosemite". Cindori. Retrieved June 18, 2015.

[12] Walton, Jeffrey (March 28, 2020). "Nettle 3.5.1 and OS X 10.12 patch". nettle-bugs (Mailing list). Archived from the original on July 14, 2020. Retrieved 13 July 2020.

[osx_daily-13] "How to Check if System Integrity Protection (SIP) is Enabled on Mac". OS X Daily. August 1, 2018. Retrieved March 6, 2021.

[14] "OS X El Capitan Developer Beta 2 Release Notes". Mac Developer Library. Apple. June 22, 2015. At section Notes and Known Issues. Archived from the original on June 26, 2015. Retrieved June 29, 2015.

[15] Fleishman, Glenn (July 15, 2015). "Private I: El Capitan's System Integrity Protection will shift utilities' functions". Macworld. Retrieved July 22, 2015.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

@@ Line 1: / Line 1: @@
+{{short description|Security feature by Apple}}
 {{Infobox software
-| name =
+| name  =
-| screenshot = OS X security layers.svg
+| screenshot  = OS X security layers.svg
-| caption = Security layers present in macOS.
+| caption  = Security layers present in macOS
-| developer = [[Apple Inc.]]
+| developer  = [[Apple Inc.]]
+| released = {{start date and age|2015|9|16}}
-| status = Active
-| operating system = [[macOS]]
+| operating system  = [[macOS]]
+| included with = [[OS X El Capitan]] (OS X 10.11) and later
+| genre = [[Computer security software]]
+| website = {{url|https://developer.apple.com/library/archive/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html}}
 }}
-'''System Integrity Protection''' ('''SIP''',<ref name=":2">{{Cite web|url = http://arstechnica.com/apple/2015/09/os-x-10-11-el-capitan-the-ars-technica-review/|title = OS X 10.11 El Capitan: The Ars Technica Review|date = September 29, 2015|accessdate = September 29, 2015|website = [[Ars Technica]]|last = Cunningham|first = Andrew|last2 = Hutchinson|first2 = Lee}}</ref> sometimes referred to as '''rootless'''<ref name=":0">{{Cite web|url = http://arstechnica.com/apple/2015/06/preview-os-x-el-capitans-first-beta-is-a-promising-heap-of-refinements/4/#h1|title = First look: OS X El Capitan brings a little Snow Leopard to Yosemite|date = June 17, 2015|accessdate = June 18, 2015|website = Ars Technica|last = Cunningham|first = Andrew}}</ref><ref>{{Cite web|url = http://www.macrumors.com/2015/06/12/os-x-el-capitan-trim-support/|title = OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance|date = June 12, 2015|accessdate = June 18, 2015|website = [[MacRumors]]|last = Slivka|first = Eric}}</ref>) is a security feature of the [[macOS]] [[operating system]] by [[Apple Inc.|Apple]]. It comprises a number of mechanisms that are enforced by the [[Darwin (operating system)|kernel]]. A centerpiece is the protection of system-owned [[system file|files]] and [[System folder|directories]] against modifications by processes without a specific "entitlement", even when executed by the [[root user]] or a user with root privileges ([[sudo]]).
+'''System Integrity Protection''' ('''SIP''',<ref name=":2">{{Cite web|url = https://arstechnica.com/gadgets/2015/09/os-x-10-11-el-capitan-the-ars-technica-review/8/#h1 |title = OS X 10.11 El Capitan: The Ars Technica Review—System Integrity Protection|date = September 29, 2015|access-date = September 29, 2015|website = [[Ars Technica]]|last = Cunningham|first = Andrew|last2 = Hutchinson|first2 = Lee}}</ref> sometimes referred to as '''rootless'''<ref name=":0">{{Cite web|url = https://arstechnica.com/apple/2015/06/preview-os-x-el-capitans-first-beta-is-a-promising-heap-of-refinements/4/#h1|title = First look: OS X El Capitan brings a little Snow Leopard to Yosemite|date = June 17, 2015|access-date = June 18, 2015|website = Ars Technica|last = Cunningham|first = Andrew}}</ref><ref>{{Cite web|url = http://www.macrumors.com/2015/06/12/os-x-el-capitan-trim-support/|title = OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance|date = June 12, 2015|access-date = June 18, 2015|website = [[MacRumors]]|last = Slivka|first = Eric}}</ref>) is a security feature of [[Apple Inc.|Apple]]'s [[macOS]] [[operating system]] introduced in [[OS X El Capitan]] (2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the [[Kernel (operating system)|kernel]]. A centerpiece is the protection of system-owned [[system file|files]] and [[System folder|directories]] against modifications by processes without a specific "entitlement", even when executed by the [[root user]] or a user with [[root privileges]] ([[sudo]]).
-Apple says that the root user can be a significant [[risk factor]] to the system's security, especially on systems with a single [[User (computing)|user account]] on which that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.<ref name=":1">{{Cite web|url=http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf|title=Security and Your Apps|last=Martel|first=Pierre-Olivier|date=June 2015|website=[[Apple Developer]]|pages=8–54|format=PDF|archive-url=https://web.archive.org/web/20160423080251/http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf|archive-date=April 23, 2016|dead-url=no|accessdate=September 30, 2016}}</ref><ref>{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html|title=Configuring System Integrity Protection|date=September 16, 2015|website=Mac Developer Library|publisher=[[Apple Inc.|Apple]]|archive-url=https://web.archive.org/web/20160817140027/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html|archive-date=August 17, 2016|dead-url=no|accessdate=September 30, 2016}}</ref> It was added in [[OS X El Capitan]].
+Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single [[User (computing)|user account]] on which that user is also the administrator. SIP is enabled by default, but can be disabled.<ref name=":1">{{Cite web|url=http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf|title=Security and Your Apps|last=Martel|first=Pierre-Olivier|date=June 2015|website=[[Apple Developer]]|pages=8–54|format=PDF|archive-url=https://web.archive.org/web/20160423080251/http://devstreaming.apple.com/videos/wwdc/2015/706nu20qkag/706/706_security_and_your_apps.pdf|archive-date=April 23, 2016|url-status=live|access-date=September 30, 2016}}</ref><ref>{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html|title=Configuring System Integrity Protection|date=September 16, 2015|website=Mac Developer Library|publisher=[[Apple Inc.|Apple]]|archive-url=https://web.archive.org/web/20160817140027/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/ConfiguringSystemIntegrityProtection/ConfiguringSystemIntegrityProtection.html|archive-date=August 17, 2016|url-status=live|access-date=September 30, 2016}}</ref>
 ==Justification==
-Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the [[Apple Worldwide Developers Conference|WWDC]] developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or [[Vulnerability (computing)|vulnerability]] away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised.<ref name=":1" /> Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to [[Mac OS X Leopard]] enforce {{Nowrap|level 1}} of [[securelevel]], a security feature that originates in [[Berkeley Software Distribution|BSD]] and its derivatives upon which macOS is partially based.<ref>{{Cite book|title = Practical UNIX and Internet Security|last = Garfinkel|first = Simon|publisher = [[O'Reilly Media]]|date = 2003|isbn = 9780596003234|pages = 118–9|last2 = Spafford|first2 = Gene|last3 = Schwartz|first3 = Alan|author-link2 = Gene Spafford}}</ref>
+Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the [[WWDC]] developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted [[root access]] as one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or [[Vulnerability (computing)|vulnerability]] away from taking full control of the device". He stated that most installations of macOS have only one user account that necessarily carries administrative credentials with it, which means that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password – which Martel says is often weak or non-existent – the security of the entire system is potentially compromised.<ref name=":1" /> Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to [[Mac OS X Leopard]] enforce {{Nowrap|level 1}} of [[securelevel]], a security feature that originates in [[Berkeley Software Distribution|BSD]] and its derivatives upon which macOS is partially based.<ref>{{Cite book|title = Practical UNIX and Internet Security|last = Garfinkel|first = Simon|publisher = [[O'Reilly Media]]|date = 2003|isbn = 9780596003234|pages = 118–9|last2 = Spafford|first2 = Gene|last3 = Schwartz|first3 = Alan|author-link2 = Gene Spafford}}</ref>
 == Functions ==
-[[File:MacOS prohibitory symbol.svg|alt=Prohibited sign that is shown during the boot process when the system is not allowed to proceed.|thumb|The "[[No symbol|prohibitory symbol]]"<ref>{{Cite web|url=https://support.apple.com/HT204156|title=About the screens you see when your Mac starts up|date=August 13, 2015|website=Apple Support|archive-url=https://web.archive.org/web/20160421225308/https://support.apple.com/en-us/HT204156|archive-date=April 21, 2016|dead-url=no|access-date=September 30, 2016}}</ref> is shown when macOS is not allowed to complete the [[Booting|boot process]]. This can happen when "kext signing" is enabled and the user installed an unsigned [[Loadable kernel module|kernel extension]].]]
+[[File:MacOS prohibitory symbol.svg|alt=Prohibited sign (a circle with a single line crossing through it) that is shown during the boot process when the system is not allowed to proceed.|thumb|The "[[No symbol|prohibitory symbol]]"<ref>{{Cite web|url=https://support.apple.com/HT204156|title=About the screens you see when your Mac starts up|date=August 13, 2015|website=Apple Support|archive-url=https://web.archive.org/web/20160421225308/https://support.apple.com/en-us/HT204156|archive-date=April 21, 2016|url-status=live|access-date=September 30, 2016}}</ref> is shown when macOS is not allowed to complete the [[Booting|boot process]]. This can happen when "kext signing" is enabled and the user installed an unsigned [[Loadable kernel module|kernel extension]].]]
 System Integrity Protection comprises the following mechanisms:
-* protection of contents and [[File system permissions|file-system permissions]] of system files and directories;
+* Protection of contents and [[File system permissions|file-system permissions]] of system files and directories;
-* protection of processes against [[code injection]], runtime attachment (like [[debugging]]) and [[DTrace]];
+* Protection of processes against [[code injection]], runtime attachment (like [[debugging]]) and [[DTrace]];
-* protection against unsigned [[Loadable kernel module|kernel extensions]] ("kexts").
+* Protection against unsigned [[Loadable kernel module|kernel extensions]] ("kexts").
-System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an [[Extended file attributes|extended file attribute]] to a file or directory, by adding the file or directory to <tt>/System/Library/Security/rootless.conf</tt> or both. Among the protected directories are: [[System folder|<tt>/System</tt>]], <tt>/bin</tt>, <tt>/sbin</tt>, <tt>/usr</tt> (but not <tt>/usr/local</tt>).<ref>{{Cite web|url=https://support.apple.com/HT204899|title=About System Integrity Protection on your Mac|date=May 30, 2016|website=Apple Support|archive-url=https://web.archive.org/web/20160320071718/https://support.apple.com/en-us/HT204899|archive-date=March 20, 2016|dead-url=no|accessdate=September 30, 2016}}</ref> The symbolic links from <tt>/etc</tt>, <tt>/tmp</tt> and <tt>/var</tt> to <tt>/private/etc</tt>, <tt>/private/tmp</tt> and <tt>/private/var</tt> are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in <tt>/Applications</tt> are protected as well.<ref name=":2" /> The [[Darwin (operating system)|kernel]] stops all processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected [[Executable|executables]].<ref>{{cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|title=What's New In OS X - OS X El Capitan v10.11|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160304111549/https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|archive-date=March 4, 2016|dead-url=no|access-date=September 30, 2016|quote=Code injection and runtime attachments to system binaries are no longer permitted.}}</ref>
+System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an [[Extended file attributes|extended file attribute]] to a file or directory, by adding the file or directory to {{code|/System/Library/Sandbox/rootless.conf}} or both. Among the protected directories are: [[System folder|{{code|/System}}]], {{code|/bin}}, {{code|/sbin}}, {{code|/usr}} (but not {{code|/usr/local}}).<ref>{{Cite web|url=https://support.apple.com/HT204899|title=About System Integrity Protection on your Mac|date=May 30, 2016|website=Apple Support|archive-url=https://web.archive.org/web/20160320071718/https://support.apple.com/en-us/HT204899|archive-date=March 20, 2016|url-status=live|access-date=September 30, 2016}}</ref> The symbolic links from {{code|/etc}}, {{code|/tmp}} and {{code|/var}} to {{code|/private/etc}}, {{code|/private/tmp}} and {{code|/private/var}} are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in {{code|/Applications}} are protected as well.<ref name=":2" /> The [[Kernel (operating system)|kernel]], [[XNU]], prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories and also prevents code injection, runtime attachment and DTrace with respect to protected [[Executable|executables]].<ref>{{cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|title=What's New In OS X - OS X El Capitan v10.11|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160304111549/https://developer.apple.com/library/prerelease/mac/releasenotes/MacOSX/WhatsNewInOSX/Articles/MacOSX10_11.html|archive-date=March 4, 2016|url-status=live|access-date=September 30, 2016|quote=Code injection and runtime attachments to system binaries are no longer permitted.}}</ref>
-Since [[OS X Yosemite]], kernel extensions, such as [[Device driver|drivers]], have to be [[Code signing|code-signed]] with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.<ref>{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|title=Kernel Extensions|date=September 16, 2015|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|archive-date=August 17, 2016|dead-url=no|access-date=September 29, 2016}}</ref> The kernel refuses to [[Booting|boot]] if unsigned extensions are present, showing the user a [[No symbol|prohibition sign]] instead. This mechanism, called "kext signing" was integrated into System Integrity Protection.<ref name=":1" /><ref>{{Cite web|url = https://www.cindori.org/trim-enabler-and-yosemite/|title = Trim in Yosemite|accessdate = June 18, 2015|website = Cindori}}</ref>
+Since [[OS X Yosemite]], kernel extensions, such as [[Device driver|drivers]], have to be [[Code signing|code-signed]] with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple.<ref>{{Cite web|url=https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|title=Kernel Extensions|date=September 16, 2015|website=Mac Developer Library|publisher=Apple|archive-url=https://web.archive.org/web/20160817085001/https://developer.apple.com/library/mac/documentation/Security/Conceptual/System_Integrity_Protection_Guide/KernelExtensions/KernelExtensions.html|archive-date=August 17, 2016|url-status=live|access-date=September 29, 2016}}</ref> The kernel refuses to [[Booting|boot]] if unsigned extensions are present, showing the user a [[No symbol|prohibition sign]] instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.<ref name=":1" /><ref>{{Cite web|url = https://www.cindori.org/trim-enabler-and-yosemite/|title = Trim in Yosemite|access-date = June 18, 2015|website = Cindori}}</ref>
+System Integrity Protection will also sanitize certain environmental variables when calling system programs when SIP is in effect. For example, SIP will sanitize {{mono|LD_LIBRARY_PATH}} and {{mono|DYLD_LIBRARY_PATH}} before calling a system program like {{mono|/bin/bash}} to avoid code injections into the Bash process.<ref>{{cite mailing list |url=https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html | title=Nettle 3.5.1 and OS X 10.12 patch |date=March 28, 2020 |access-date=13 July 2020 |mailing-list=nettle-bugs |last=Walton |first=Jeffrey |archive-url=https://web.archive.org/web/20200714071608/https://lists.lysator.liu.se/pipermail/nettle-bugs/2020/008860.html |archive-date=July 14, 2020 |url-status=dead}}</ref>
 == Configuration ==
+The directories protected by SIP by default include:<ref name="osx_daily">{{cite web |title=How to Check if System Integrity Protection (SIP) is Enabled on Mac |url=https://osxdaily.com/2018/08/01/check-system-integrity-protection-sip-status-mac/ |author=<!-- staff --> |publisher=[[OS X Daily]] |date=August 1, 2018 |access-date=March 6, 2021}}</ref>
-System Integrity Protection can only be disabled (either wholly or partly) from outside of the system partition. To that end, Apple provides the <tt>csrutil</tt> [[Console application|command-line utility]] which can be executed from a [[Terminal (OS X)|Terminal]] window within the [[recovery system]] or a bootable macOS installation disk, which adds a boot argument to the device's [[Non-volatile random-access memory|NVRAM]]. This applies the setting to all of the installations of El Capitan or macOS Sierra on the device.<ref name=":1" /> Upon installation of macOS, the installer moves any unknown components within flagged system directories to <tt>/Library/SystemMigration/History/Migration-''[some UUID]''/QuarantineRoot/</tt>.<ref name=":2" /><ref name=":1" /> By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, [[Repair permissions|permissions repair]] is not available in [[Disk Utility]]<ref>{{Cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|title=OS X El Capitan Developer Beta 2 Release Notes|date=June 22, 2015|website=Mac Developer Library|publisher=Apple|at=At section Notes and Known Issues.|archive-url=https://web.archive.org/web/20150626162444/https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|archive-date=June 26, 2016|dead-url=no|accessdate=June 29, 2015}}</ref> and the corresponding <tt>diskutil</tt> operation.
+* <code>/System</code>
+* <code>/sbin</code>
+* <code>/bin</code>
+* <code>/usr</code>
+* <code>/Applications</code>
+<code>/usr</code> is protected with the exception of <code>/usr/local</code> subdirectory. <code>/Applications</code> is protected for apps that are pre-installed with Mac OS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.<ref name="osx_daily" />
+System Integrity Protection can only be disabled (either wholly or partly) from outside of the [[System partition and boot partition|system partition]]. To that end, Apple provides the {{code|csrutil}} [[Console application|command-line utility]] which can be executed from a [[Terminal (macOS)|Terminal]] window within the [[recovery system]] or a bootable macOS installation disk, which adds a boot argument to the device's [[Non-volatile random-access memory|NVRAM]]. This applies the setting to all of the installations of El Capitan or [[macOS Sierra]] on the device.<ref name=":1" /> Upon installation of macOS, the installer moves any unknown components within flagged system directories to {{code|/Library/SystemMigration/History/Migration-[UUID]/QuarantineRoot/}}.<ref name=":2" /><ref name=":1" /> By preventing [[write access]] to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, [[Repair permissions|permissions repair]] is not available in [[Disk Utility]]<ref>{{Cite web|url=https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|title=OS X El Capitan Developer Beta 2 Release Notes|date=June 22, 2015|website=Mac Developer Library|publisher=Apple|at=At section Notes and Known Issues.|archive-url=https://web.archive.org/web/20150626162444/https://developer.apple.com/library/prerelease/mac/releasenotes/General/rn-osx-10.11/index.html|archive-date=June 26, 2015|url-status=live|access-date=June 29, 2015}}</ref> and the corresponding {{code|diskutil}} operation.
 == Reception ==
-Reception of System Integrity Protection has been mixed. ''[[Macworld]]'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's [[mobile operating system]] [[iOS]], whereupon the installation of many utilities and modifications requires [[iOS jailbreaking|jailbreaking]].<ref name=":0" /><ref>{{Cite web|url = http://www.macworld.com/article/2948140/os-x/private-i-el-capitans-system-integrity-protection-will-shift-utilities-functions.html|title = Private I: El Capitan's System Integrity Protection will shift utilities' functions|date = July 15, 2015|accessdate = July 22, 2015|website = [[Macworld]]|last = Fleishman|first = Glenn}}</ref> Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''[[Ars Technica]]'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including [[power user]]s, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.<ref name=":2" />
+Reception of System Integrity Protection has been mixed. ''[[Macworld]]'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's [[mobile operating system]] [[iOS]], whereupon the installation of many utilities and modifications requires [[iOS jailbreaking|jailbreaking]].<ref name=":0" /><ref>{{Cite web|url = http://www.macworld.com/article/2948140/os-x/private-i-el-capitans-system-integrity-protection-will-shift-utilities-functions.html|title = Private I: El Capitan's System Integrity Protection will shift utilities' functions|date = July 15, 2015|access-date = July 22, 2015|website = [[Macworld]]|last = Fleishman|first = Glenn}}</ref> Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''[[Ars Technica]]'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including [[power user]]s, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.<ref name=":2" />
 == See also ==
-{{div col | cols=2}}
+{{div col }}
 * [[AppArmor]]
 * [[Computer security]]
@@ Line 49: / Line 65: @@
 * {{Official website|https://developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html|System Integrity Protection Guide in Apple's Mac Developer Library}}
-{{OS X}}
+{{macOS}}
-[[Category:OS X security software]]
+[[Category:MacOS security technology]]
-[[Category:2015 software]]