jaymonkey
Moderator
Do you know if some elements of SIP can be turned on/off for a specific executable?
@exquirentibus,
The SIP level for MacOS must be set prior to booting the OS, and once set the current level of SIP is global.
Once MacOS is booted the level of SIP cannot be changed without rebooting.
On a genuine Mac you need to boot into Recovery and run the "CSRUTIL" command in Terminal which will set the protected system variable "csr-active-config" in NVRAM.
We don't need to do that on a Hackintosh as you can dynamically experiment with SIP using Clover's "Options" Menu :-
Each SIP element is a Bit Mask value, in the above config we add the Bit Mask values together :-
Code:
1 + 2 + 4 + 32 + 64 = 103 which we then convert to Hex = 0x67
You can permanently configure the level of SIP on a Hackintosh by setting the parameter "CsrActiveConfig" in the "RtVariables" section of Clover's config.plist :-
Code:
<key>RtVariables</key>
<dict>
    <key>BooterConfig</key>
    <string>0x28</string>
    <key>CsrActiveConfig</key>
    <string>0x67</string>
</dict>
The current SIP levels have been derived by examining the MacOS source code :-
xnu/bsd/sys/csr.h at master · opensource-apple/xnu
The important section of code is :-
Code:
#define CSR_VALID_FLAGS (CSR_ALLOW_UNTRUSTED_KEXTS | \
                         CSR_ALLOW_UNRESTRICTED_FS | \
                         CSR_ALLOW_TASK_FOR_PID | \
                         CSR_ALLOW_KERNEL_DEBUGGER | \
                         CSR_ALLOW_APPLE_INTERNAL | \
                         CSR_ALLOW_UNRESTRICTED_DTRACE | \
                         CSR_ALLOW_UNRESTRICTED_NVRAM | \
                         CSR_ALLOW_DEVICE_CONFIGURATION | \
                         CSR_ALLOW_ANY_RECOVERY_OS | \
                         CSR_ALLOW_UNAPPROVED_KEXTS)
Most guides recommend setting "CsrActiveConfig" to 0x67 and "BooterConfig" to 0x28 which works for most users.
If you search the forums you'll find many posts discussing the pros and cons of disabling SIP and to what level. A lot of users believe (incorrectly) that setting "CsrActiveConfig" to 0x67 completely disables SIP, but as you can see from the above Clover screenshot and source code, that is not the case.
I expect that if/when notarization becomes mandatory a new SIP bit mask value will be added to disable it.
"csr-active-config" is stored as a 64 bit word in NVRAM so there are plenty of Bit Mask levels left to use.
Cheers
Jay
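Added example, not part of the original post: a small Python audit helper that reads "CsrActiveConfig" from a Clover config.plist and lists which CSR allowances a value grants and which protections stay enforced. The bit positions are taken from xnu's bsd/sys/csr.h (the post lists only the flag names), and the sample plist and function names are constructed for illustration.

```python
import plistlib

# Bit i of csr-active-config maps to entry i; values follow xnu's bsd/sys/csr.h.
CSR_FLAGS = [
    "CSR_ALLOW_UNTRUSTED_KEXTS",       # 0x001
    "CSR_ALLOW_UNRESTRICTED_FS",       # 0x002
    "CSR_ALLOW_TASK_FOR_PID",          # 0x004
    "CSR_ALLOW_KERNEL_DEBUGGER",       # 0x008
    "CSR_ALLOW_APPLE_INTERNAL",        # 0x010
    "CSR_ALLOW_UNRESTRICTED_DTRACE",   # 0x020
    "CSR_ALLOW_UNRESTRICTED_NVRAM",    # 0x040
    "CSR_ALLOW_DEVICE_CONFIGURATION",  # 0x080
    "CSR_ALLOW_ANY_RECOVERY_OS",       # 0x100
    "CSR_ALLOW_UNAPPROVED_KEXTS",      # 0x200
]
CSR_VALID_MASK = (1 << len(CSR_FLAGS)) - 1

# Constructed sample: the post's RtVariables fragment wrapped in a minimal plist.
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>RtVariables</key>
  <dict>
    <key>BooterConfig</key><string>0x28</string>
    <key>CsrActiveConfig</key><string>0x67</string>
  </dict>
</dict></plist>"""

def csr_from_clover_plist(data):
    """Return CsrActiveConfig from a Clover config.plist as an integer."""
    raw = plistlib.loads(data)["RtVariables"]["CsrActiveConfig"]
    return int(raw, 16) if isinstance(raw, str) else int(raw)

def decode_csr(value):
    """Split a value into (allowances granted, protections still on, unknown bits)."""
    granted = [n for i, n in enumerate(CSR_FLAGS) if value & (1 << i)]
    enforced = [n for i, n in enumerate(CSR_FLAGS) if not value & (1 << i)]
    return granted, enforced, value & ~CSR_VALID_MASK

if __name__ == "__main__":
    value = csr_from_clover_plist(SAMPLE_PLIST)
    granted, enforced, unknown = decode_csr(value)
    print(f"CsrActiveConfig = {value:#x}")
    for name in granted:
        print("  relaxed :", name)
    for name in enforced:
        print("  enforced:", name)
    if unknown:
        print(f"  bits outside CSR_VALID_FLAGS: {unknown:#x}")
```

For 0x67 the "enforced" list is not empty, which is the point made in the post about that value.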