macOS System Integrity Protection Configuration

I was looking to lock down the configuration on some Macs, and wanted to know if there is any way to change the files and folders that SIP protects. I know it can be disabled, and its current rules viewed, but is there any way to add your own protected directories?

Thanks


Solution 1:

It is possible to add your own protected directory to SIP:

  • Boot to Recovery Mode and disable SIP.
  • Reboot and create a directory structure.
  • Flag the whole folder or single files or folders:

    sudo chflags restricted /example
    sudo chflags restricted /example/example.app
    sudo chflags restricted /example/subdir/file

    or a folder hierarchy:

    sudo chflags -R restricted /example

    If you want to exclude a subdir after using the -R option you have to remove the restricted flag there:

    sudo chflags norestricted /example/subdir

  • Boot to Recovery Mode and enable SIP.

Now the folders /example and /example/example.app and the file /example/subdir/file are protected. You can still add or remove files in /example/subdir.


The restricted flag has no effect if SIP is disabled - the usual POSIX/ACL permissions apply. With SIP enabled the files/folders are protected.


It is also possible to add, remove or change SIP-protected files and directories via an installer package which is signed by Apple's own certificate authority. Since a normal user/customer usually doesn't have access to this certificate authority, this possibility is eliminated.


An earlier version of this answer asserted that it is required to modify the file /System/Library/Sandbox/rootless.conf and add something like:

                                /example
                                /example/example.app
*                               /example/subdir
                                /example/subdir/file

This is wrong! Simply flagging a file or folder as restricted is sufficient to protect it.
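A defender-side check for the outcome of the procedure above, as an added example that is not code from the answer: it verifies that each path carries the restricted flag (the flags column of `ls -ldO`) and that SIP is on, since the flag is inert while SIP is disabled. The `ls -ldO` and `csrutil status` outputs are constructed samples, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Audit helper (added example, not from the answer): checks that the paths from
# Solution 1 carry the "restricted" flag in the flags column of `ls -ldO` and
# that SIP is on, because the flag is inert while SIP is disabled.
# Both command outputs below are CONSTRUCTED samples; paths are assumed to
# contain no spaces.

SAMPLE_LS='drwxr-xr-x  3 root  wheel  restricted 96 Jan  1 12:00 /example
drwxr-xr-x  2 root  wheel  restricted 64 Jan  1 12:00 /example/example.app
drwxr-xr-x  3 root  wheel  - 96 Jan  1 12:00 /example/subdir
-rw-r--r--  1 root  wheel  restricted 0 Jan  1 12:00 /example/subdir/file'
SAMPLE_CSRUTIL='System Integrity Protection status: enabled.'

# Returns 0 when `csrutil status` output reports SIP enabled.
sip_enabled() {
    printf '%s\n' "$1" | grep -q 'status: enabled'
}

# Returns 0 when one `ls -lO` line carries "restricted". Column 5 holds the
# comma-separated flags; a lone "-" means no flags are set.
line_is_restricted() {
    flags=$(printf '%s\n' "$1" | awk '{print $5}')
    case ",$flags," in
        *,restricted,*) return 0 ;;
        *)              return 1 ;;
    esac
}

# audit_restricted LISTING PATH... prints every PATH that is absent from the
# listing or lacks the flag, one per line; empty output means all protected.
audit_restricted() {
    listing=$1; shift
    for want in "$@"; do
        line=$(printf '%s\n' "$listing" | awk -v p="$want" '$NF == p')
        if [ -z "$line" ] || ! line_is_restricted "$line"; then
            printf '%s\n' "$want"
        fi
    done
}

# On a real Mac, replace the samples with the live output, e.g.
#   SAMPLE_LS=$(ls -ldO /example /example/example.app /example/subdir/file)
#   SAMPLE_CSRUTIL=$(csrutil status)
if sip_enabled "$SAMPLE_CSRUTIL"; then
    audit_restricted "$SAMPLE_LS" /example /example/example.app /example/subdir/file
else
    echo 'SIP is disabled: restricted flags are not enforced'
fi
```

Run it after re-enabling SIP; any path it prints was either never flagged or lost the flag (for instance /example/subdir after `chflags norestricted`).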

Solution 2:

As far as I know, there is no way to modify which directories SIP protects; SIP is either on or off. Apple appears to make no mention of such an ability in their developer documents either.

Disregard this, @kanomath has a better answer. The latter part of my answer still stands to a limited degree.

If you want to lock down configuration files, modify the filesystem permissions either through the Finder GUI or the command-line utility chown.