Explaining OS X El Capitan Security Changes - Workarounds and Current Information

Walril · Oct 7, 2015

RehabMan said:
Probably not. More to do with driver/kext choice.

Worked fine in Yosemite. A reboot causes it to work fine. Just dies after sleep and wake up. I tried putting it back to sleep and waking back up. NIC didnt get a address. Manually entered it and applied. No internet access. Put it back to DHCP, got a IP. Now I have internet access, but its still showing red in network configuration. Strange. Any clues?

Ill add forcekexttoload to ionetworkingfamily.kext to see if it helps

haze295 · Oct 7, 2015

RehabMan said:
Ethernet kexts, such as AppleIntelE1000e.kext, have a dependency... IONetworkingFamily.kext.

So... it only works when IONetworkingFamily.kext is in the cache. Rebuilding cache puts IONetworkingFamily.kext into the cache, not AppleIntelE1000e.kext. Kexts that are injected are never placed in cache (unless they also exist in /S/L/E, of course).

You can also use ForceKextsToLoad to force IONetworkingFamily.kext to load. I use this so it works at installation/recovery, for example.

Touching on this....

I have my system with SIP enabled, but using ALCCommand for my audio.

This places the RealtekALC.kext in EFI 10.11 Kexts.

I noticed that after a few reboots, my audio stops working and have to rebuild cache (whole process of SIP Disable....Rebuild..Enable). This gets the audio back perfectly however like I said after a couple reboots it's greyed out.

Should I place the RealtekALC.Kext into my SLE and then once I rebuild the cache, this issue should subside?

TIA

Walril · Oct 8, 2015

haze295 said:
Touching on this....

I have my system with SIP enabled, but using ALCCommand for my audio.

This places the RealtekALC.kext in EFI 10.11 Kexts.

I noticed that after a few reboots, my audio stops working and have to rebuild cache (whole process of SIP Disable....Rebuild..Enable). This gets the audio back perfectly however like I said after a couple reboots it's greyed out.

Should I place the RealtekALC.Kext into my SLE and then once I rebuild the cache, this issue should subside?

TIA

Honestly, I would spend <$10 on a USB solution. Never have to worry about audio kexts again. The engineer in me would want to fix it though. I fight that battle myself and just decided my time was worth more than $10

JimmyDerp · Oct 9, 2015

RehabMan said:
You can re-enable SIP, but you have to be careful. Any action that might cause kernel cache to be rebuilt, if done without SIP enabled, will cause kernel cache to be without unsigned kexts that might be sitting in /S/L/E or /L/E. Things that a hack needs to boot... (FakeSMC, etc.).

It is not clear to me all the conditions that may lead to a kernel cache rebuild...

I've been reading up on the new SIP business, trying to educate myself today...

A thought occurred to me, just a question to ponder the possibility of "curing" the kext cache rebuild problem when SIP is enabled - could it be possible to use SIP to protect the kext caches, so they wouldn't be rebuilt unless explicitly allowed?

I thought maybe you could find all the cache locations and list them under that "rootless.conf" file that protects the system apps.
Also I understand this would break any installation procedure that needed a cache rebuild, but if it worked it could be like "hack protection" to keep your custom drivers working.

FWIW, I haven't even tried Yosemite or El Capitan yet - just learning what I can before I break my good system.

Balut · Oct 10, 2015

So I have a question about S/L/E and SIP. I have two Hacks on El Capitan; one was a direct upgrade from Yosemite, and the the other a clean install. I noticed that the System folder was hidden on both. After reading the info on SIP, I figured this was by design. I disabled SIP on my upgraded Hack (0x67), and upon reboot found that the System folder was now visible. Out of curiosity, I reenabled SIP partially (0x3), rebooted and the System folder remained visible. However, using this same procedure on my clean install Hack does not reveal the System folder. I need the System folder visible on that Hack, as I am going to replace the AppleHDA.kext with a modified one for my sound card (ALC662). Any ideas as to why I can't get the System folder to appear on the one Hack? Thanks.

MarcinNull · Oct 11, 2015

Use

Code:

sudo chflags nohidden /System

or

Finder menu > Go > Go To Folder > /System/Library/Extensions

or

KextBeast

rockinkaj · Oct 16, 2015

So do I just change the 3 to a 0 to re enable Sip
in Clover config?
After update
and then change it back when I need to update again? and so forth ?
<key>RtVariables</key>
<dict>
<key>CsrActiveConfig</key>
<string>0x3</string>
<key>BooterConfig</key>
<string>0x28</string>
</dict>

MysticalOS · Oct 16, 2015

Personally. I Just never change it. I leave it at 0x28/0x3 . no kexts installed in S/L/E either though. All in clover EFI partition and injected.

This still more secure than OS X has been in many years even at this setting, and it's not like we had problems in past unless you did something errant. Don't install untrusted unsigned kexts and no issue. As for system file protection. We haven't had it in OS X for years, not like not having it now is going to make the world end all of a sudden. the system doesn't modify itself, be aware of what you install and click on.

Apple Internal: disabled
Kext Signing: disabled
Filesystem Protections: disabled
Debugging Restrictions: enabled
DTrace Restrictions: enabled
NVRAM Protections: enabled

that's just me though. Some swear on having it ALL enabled or the world will end. However, they create the hassle of having to disable it all the time for updates or kext cache rebuilds.

rockinkaj · Oct 16, 2015

Aww thankx so much for reply.. :thumbup:

kaoskinkae · Oct 17, 2015

Captain Libery the hidden folder appears in OS X as I return visible

Search

Explaining OS X El Capitan Security Changes - Workarounds and Current Information

Walril

haze295

Walril

JimmyDerp

Balut

MarcinNull

rockinkaj

MysticalOS

rockinkaj

kaoskinkae

Forum

Guides

Downloads