关闭 OSX 10.11 SIP (System Integrity Protection) 功能
Apple 从 10.9 开始导入kext需要签名认证后,在10.10全面启用此功能,每项置入/System/Library/Extersions/中的kext必需要经过签名认证系统才会启用此功能,然而在10.11时另外追加了System Integrity Protection (SIP)功能来保护系统档案及kext驱动避免被修改,即使是root权限也无法更改已经被系统设定的项目。
要了解被锁定的项目可以查询:
cat /System/Library/Sandbox/rootless.conf
10.10只有少许的项目:
/System * /System/Library/Caches booter /System/Library/CoreServices * /System/Library/Extensions /System/Library/Extensions/* UpdateSettings /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist * /System/Library/User Template /bin /sbin /usr * /usr/local # symlinks /etc /tmp /var
10.11已经加入更多root无法修改的项目:
/Applications/App Store.app /Applications/Automator.app /Applications/Calculator.app /Applications/Calendar.app /Applications/Chess.app /Applications/Contacts.app /Applications/Dashboard.app /Applications/Dictionary.app /Applications/DVD Player.app /Applications/FaceTime.app /Applications/Font Book.app /Applications/Game Center.app /Applications/Image Capture.app /Applications/Launchpad.app /Applications/Mail.app /Applications/Maps.app /Applications/Messages.app /Applications/Mission Control.app /Applications/Notes.app /Applications/Photo Booth.app /Applications/Photos.app /Applications/Preview.app /Applications/QuickTime Player.app /Applications/Reminders.app /Applications/Safari.app /Applications/Stickies.app /Applications/System Preferences.app /Applications/TextEdit.app /Applications/Time Machine.app /Applications/Utilities/Activity Monitor.app /Applications/Utilities/AirPort Utility.app /Applications/Utilities/Audio MIDI Setup.app /Applications/Utilities/Bluetooth File Exchange.app /Applications/Utilities/Boot Camp Assistant.app /Applications/Utilities/ColorSync Utility.app /Applications/Utilities/Console.app /Applications/Utilities/Digital Color Meter.app /Applications/Utilities/Disk Utility.app /Applications/Utilities/Feedback Assistant.app /Applications/Utilities/Grab.app /Applications/Utilities/Grapher.app /Applications/Utilities/Keychain Access.app /Applications/Utilities/Migration Assistant.app /Applications/Utilities/Script Editor.app /Applications/Utilities/System Information.app /Applications/Utilities/Terminal.app /Applications/Utilities/VoiceOver Utility.app /Library/Preferences/SystemConfiguration/com.apple.Boot.plist /System * /System/Library/Caches booter /System/Library/CoreServices * /System/Library/CoreServices/Photo Library Migration Utility.app /System/Library/CoreServices/RawCamera.bundle * /System/Library/Extensions /System/Library/Extensions/* UpdateSettings /System/Library/LaunchDaemons/com.apple.UpdateSettings.plist * /System/Library/Speech * /System/Library/User Template /bin dyld /private/var/db/dyld /sbin /usr * /usr/libexec/cups * /usr/local * /usr/share/man # symlinks /etc /tmp /var
因为启动SIP功能,rootless.conf在未关闭时是无法进行修改的。
RecoveryHD
在进行之前必需要确认你能进入Recovery OS
,所以将你的系统重开机后按下Option(alt)
键后进入选择启动磁碟:
看到你的启动磁碟名称有Recovery HD
代表你具有Recovery OS
,如果你未包含此OS,在开机时按下Option(alt) + R
进入网路开机连线至Apple伺服器进行Recovery OS
的安装,详细说明传送门
csrutil
要进行SIP保护的变更需要透过csrutil
工具程式进行修改,必需要经过Recovery OS
开机后进入工具程式
之终端机
执行此命令才有权限进行修改。
此工具程式会将更变的值写入nvarm
之csr-active-config
中,键入csrutil
会出现使用说明:
usage: csrutil <command> Modify the System Integrity Protection configuration. All configuration changes apply to the entire machine. Available commands: clear Clear the existing configuration. Only available in Recovery OS. disable Disable the protection on the machine. Only available in Recovery OS. enable Enable the protection on the machine. Only available in Recovery OS. status Display the current configuration. netboot add <address> Insert a new IPv4 address in the list of allowed NetBoot sources. list Print the list of allowed NetBoot sources. remove <address> Remove an IPv4 address from the list of allowed NetBoot sources.
查看状态执行csutil status
:
System Integrity Protection status: enabled (Custom Configuration).
单单关闭SIP执行sudo csrutil enable --no-internal
:
Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
如果你出现:
csrutil: failed to modify system integrity configuration. This tool needs to be executed from the Recovery OS.
代表你使用的并非Recovery OS
开机,请确定从Recovery OS
开机再执行。
csrutil 进阶指令
如果你只是要细部的关闭某个SIP功能例如关闭kext需要签章功能执行sudo csrutil enable --without kext
:
csrutil: requesting an unsupported configuration. This is likely to break in the future and leave your machine in an unknown state. Successfully enabled System Integrity Protection. Please restart the machine for the changes to take effect.
讯息告知已经将参数写入nvram
中,必需要重新开机参数才会发生作用。
以上例子之外,还有其他设定都是经过enable与without功能来将功能启动与关闭,使用命令语法如下:
csrutil enable [--without kext|fs|debug|dtrace|nvram] [--no-internal]
举个例子:
sudo csrutil enable –without fs:Filesystem Protections disable
sudo csrutil enable –without kext:Kext Signing disable
sudo csrutil enable –without debug:Debugging Restrictions disable
sudo csrutil enable –without nvram:NVRAM Protections disable
sudo csrutil enable –without dtrace:DTrace Restrictions disable
当然也可以多组合:
- sudo csrutil enable –without kext –without fs:Filesystem Protections and Kext Signing are disabled
个人心得:
csrutil设定的结果会存入nvram中的键值csr-active-config
,设定值内容为1byte的值,利用1byt=8bit的关系,将每个bit解释成每个功能的设值值:
B0 | kext |
B1 | fs |
B2 | debug |
B3 | n/a |
B4 | internal |
B5 | dtrace |
B6 | nvram |
B7 | n/a |
其中n/a
值不管设定多少都不会作用,所以有把握的勇者可以直接利用nvram命令去变更csr-active-config
值就可以,像:
nvram csr-active-config=0x13
等同:
sudo csrutil enable --without kext --without fs
参考资料
SIP/Rootless Internal in El Capitan
================ End