System Integrity Protection (SIP, sometimes referred to as rootless) is a security feature of Apple's macOS operating system introduced in OS X El Capitan (2015) (OS X 10.11). It comprises a number of mechanisms that are enforced by the kernel. A centerpiece is the protection of system-owned files and directories against modifications by processes without a specific "entitlement", even when executed by the root user or a user with root privileges (sudo).
Apple says that the root user can be a significant risk to the system's security, especially on a system with a single user account on which that user is also the administrator. SIP is enabled by default but can be disabled.
Justification
Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel described unrestricted root access as one of the remaining weaknesses of the system, saying that "[a]ny piece of malware is one password or vulnerability away from taking full control of the device". He stated that most installations of macOS have only one user account, which necessarily carries administrative credentials with it, meaning that most users can grant root access to any program that asks for it. Whenever a user on such a system is prompted and enters their account password (which Martel says is often weak or non-existent), the security of the entire system is potentially compromised.
Restricting the power of root is not unprecedented on macOS. For instance, versions of macOS prior to Mac OS X Leopard enforced securelevel, a security feature that originates in BSD and its derivatives, upon which macOS is partially based.
Functions

System Integrity Protection comprises the following mechanisms:
* Protection of contents and file-system permissions of system files and directories;
* Protection of processes against code injection, runtime attachment (like debugging) and DTrace;
* Protection against unsigned kernel extensions ("kexts").
System Integrity Protection protects system files and directories that are flagged for protection. This happens either by adding an extended file attribute to a file or directory, by adding the file or directory to or both. Among the protected directories are: , , , (but not ). The symbolic links from , and to , and are also protected, although the target directories are not themselves protected. Most preinstalled Apple applications in are protected as well.
The kernel, XNU, prevents processes without specific entitlements from modifying the permissions and contents of flagged files and directories, and also prevents code injection, runtime attachment and DTrace with respect to protected executables.
Since OS X Yosemite, kernel extensions, such as drivers, have to be code-signed with a particular Apple entitlement. Developers have to request a developer ID with such an entitlement from Apple. The kernel refuses to boot if unsigned extensions are present, showing the user a prohibition sign instead. This mechanism, called "kext signing", was integrated into System Integrity Protection.
System Integrity Protection also sanitizes certain environment variables when calling system programs while it is in effect. For example, SIP will sanitize and before calling a system program like to avoid code injection into the Bash process.
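The following POSIX shell script is an added example, not code from the article or from Apple, showing a userland analogue of the environment-variable sanitization described above. It assumes that the variables to strip are the DYLD_* family read by the macOS dynamic loader (the article does not name them; the choice is this example's assumption), and it works on a constructed environment dump so that it runs offline on any POSIX shell. The functions `strip_loader_vars` and `run_sanitized` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the article or Apple): strip dynamic-loader
# injection variables from an environment, the way the text describes SIP
# doing before it executes a protected system program. Assumption: the
# variables of interest are those whose names begin with DYLD_.

# Filter NAME=VALUE lines on stdin, dropping every loader variable and
# passing everything else through unchanged. Reading from stdin keeps the
# function testable without touching the real process environment.
strip_loader_vars() {
    while IFS= read -r line; do
        case "${line%%=*}" in
            DYLD_*) ;;                       # dropped: loader injection variable
            *) printf '%s\n' "$line" ;;      # kept as-is
        esac
    done
}

# Run a command with every DYLD_* variable removed from its environment.
# The body is a subshell (parentheses, not braces), so the unset calls do
# not affect the caller; everything that is not a loader variable survives.
run_sanitized() (
    for name in $(env | sed -n 's/^\(DYLD_[A-Za-z0-9_]*\)=.*/\1/p'); do
        unset "$name"
    done
    exec "$@"
)

# Demonstration on a constructed environment dump (the values are made up):
printf '%s\n' 'PATH=/usr/bin:/bin' \
               'DYLD_INSERT_LIBRARIES=/tmp/constructed.dylib' \
               'HOME=/Users/example' | strip_loader_vars
```

Running the script prints only the PATH and HOME lines. In an audit context, the same filter run over a session's environment dump with the two branches swapped flags which loader variables were set, which is a useful check on hosts where SIP has been disabled and the kernel no longer performs this sanitization.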
Configuration
The directories protected by SIP by default include:
* /System
* /sbin
* /bin
* /usr
* /Applications
/usr is protected with the exception of the /usr/local subdirectory. /Applications is protected for apps that are pre-installed with macOS, such as Calendar, Photos, Safari, Terminal, Console, App Store, and Notes.
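The following POSIX shell script is an added example, not code from the article or from Apple, that turns the default directory list above into a check an installer or deployment script can run before writing files. It assumes the list is complete as stated (/System, /sbin, /bin, /usr except the /usr/local subdirectory, and /Applications only for the preinstalled apps named in the text), that paths have already been normalized (absolute, no ".." components, no trailing slash), and that the preinstalled apps are installed as bundles named after the app (for example Safari.app). The functions `sip_protected` and `audit_paths` are hypothetical names introduced here.

```shell
#!/bin/sh
# Added example (not from the article or Apple): classify a normalized
# absolute path as lying under a SIP-protected location according to the
# default list described above. Assumptions: the list is complete, paths
# are normalized, and preinstalled apps live at /Applications/<Name>.app.

# Returns 0 (true) if the path is protected, 1 (false) otherwise.
sip_protected() {
    p=$1
    case "$p" in
        # The documented exception must be tested before the /usr rule,
        # because case takes the first matching pattern.
        /usr/local|/usr/local/*) return 1 ;;
        /System|/System/*|/sbin|/sbin/*|/bin|/bin/*|/usr|/usr/*) return 0 ;;
        /Applications/*)
            app=${p#/Applications/}        # strip the directory prefix
            app=${app%%/*}                 # keep the first component, e.g. Safari.app
            case "$app" in
                Calendar.app|Photos.app|Safari.app|Terminal.app|Console.app|"App Store.app"|Notes.app)
                    return 0 ;;            # preinstalled Apple app: protected
            esac
            return 1 ;;                    # third-party app: writable
    esac
    return 1                               # anywhere else, e.g. /private or $HOME
}

# Print a verdict for each path read from stdin (one per line), e.g. for
# vetting an installer's file manifest before it runs.
audit_paths() {
    while IFS= read -r p; do
        if sip_protected "$p"; then
            printf 'PROTECTED  %s\n' "$p"
        else
            printf 'writable   %s\n' "$p"
        fi
    done
}

# Demonstration on a constructed manifest:
printf '%s\n' /usr/bin/ls /usr/local/bin/tool /Applications/Safari.app \
              /Applications/ThirdParty.app | audit_paths
```

Note that the /usr/local exception is matched on whole path components, so a path such as /usr/localbin is still reported as protected; an installer that only checked for the string prefix "/usr/local" would get that case wrong.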
System Integrity Protection can only be disabled (either wholly or partly) from outside of the system partition. To that end, Apple provides the command-line utility, which can be executed from a Terminal window within the recovery system or a bootable macOS installation disk; it adds a boot argument to the device's NVRAM. This applies the setting to all of the installations of El Capitan or macOS Sierra on the device.
Upon installation of macOS, the installer moves any unknown components within flagged system directories to .
By preventing write access to system directories, the system file and directory permissions are maintained automatically during Apple software updates. As a result, permissions repair is not available in Disk Utility and the corresponding operation.
Reception
Reception of System Integrity Protection has been mixed. ''Macworld'' expressed the concern that Apple could take full control away from users and developers in future releases and move the security policy of macOS slowly toward that of Apple's mobile operating system iOS, whereupon the installation of many utilities and modifications requires jailbreaking.
Some applications and drivers will not work to their full extent or cannot be operated at all unless the feature is disabled, either temporarily or permanently. ''Ars Technica'' suggested that this could affect smaller developers disproportionately, as larger ones may be able to work with Apple directly. However, they also remarked that by far most users, including power users, will not have a reason to turn the feature off, saying that there are "almost no downsides" to it.
See also
* AppArmor
* Computer security
* Security-Enhanced Linux (SELinux)
* Social engineering (security)
* Trusted Computing
* Trusted Solaris
* User Account Control
* User Interface Privilege Isolation
* Windows File Protection