
System Integrity Protection

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by SamJohnston (talk | contribs) at 04:00, 27 September 2015 (Responses: +vmware fusion problems). The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

System Integrity Protection
Developer(s): Apple Inc.
Operating system: OS X
Website: developer.apple.com/library/content/documentation/Security/Conceptual/System_Integrity_Protection_Guide/Introduction/Introduction.html

System Integrity Protection (sometimes referred to as "rootless"[1][2][3] or "SIP") is a security feature of OS X El Capitan, the upcoming release of the operating system by Apple. It protects certain system processes, files and folders from being modified or tampered with by other processes even when executed by the root user. Apple says that the root user can be a significant risk factor to the system's security, especially on systems with a single user account on which that user is also the administrator. System Integrity Protection is enabled by default, but can be disabled.[4][5]

Functions

System Integrity Protection will apply limitations to all processes on the system, including privileged and unsandboxed ones. In addition, certain system files, folders and processes will be flagged for protection. Among the protected locations are: /System, /bin, /sbin and /usr (but not /usr/local). The kernel then stops all processes without specific privileges from writing to flagged files and folders, and prevents code injection into and runtime attachment to flagged processes. Kernel extensions (typically called kexts), such as drivers, cannot be installed without approval from Apple, a feature that was introduced in OS X Yosemite and is known as kext signing.[6] Upon installation of OS X El Capitan, the installer will move any unknown components found within protected system locations to the home folder.[4]

System Integrity Protection can be disabled completely by booting into the recovery system and using the csrutil command-line utility in Terminal, which adds a boot argument to NVRAM. Because the setting lives in NVRAM rather than on a volume, it applies to all installations of El Capitan (and future releases of OS X) on the hardware.[4] By preventing write access to system locations, system file and folder permissions are maintained automatically during Apple software updates. As a result, permissions repair is no longer available in Disk Utility[7] or in the corresponding diskutil operation.
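As an added illustration of the two facts above (the protected path set and the csrutil status switch), the following POSIX shell audit helper is example code written for this article; it is not Apple's code and not part of the article. It assumes that `csrutil status` on OS X 10.11 prints a line of the form "System Integrity Protection status: enabled." or "... disabled." (the two sample strings below are constructed, so the script can also be exercised on a machine without csrutil), and the function names `parse_csrutil_status`, `sip_protected_path` and `sip_audit` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the article or from Apple: a small audit helper that
# (1) classifies the output of `csrutil status` and (2) decides whether a path
# lies inside one of the SIP-protected locations the article names
# (/System, /bin, /sbin, /usr, with /usr/local explicitly excluded).

# Constructed sample outputs (assumed format of `csrutil status` on 10.11).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_DISABLED='System Integrity Protection status: disabled.'

# parse_csrutil_status <text>  -> prints enabled | disabled | unknown
parse_csrutil_status() {
    case "$1" in
        *"System Integrity Protection status: enabled"*)  echo enabled ;;
        *"System Integrity Protection status: disabled"*) echo disabled ;;
        *) echo unknown ;;
    esac
}

# sip_protected_path <path>  -> exit status 0 if the path is under a protected
# location, 1 otherwise. A trailing slash is stripped so "/usr/" == "/usr".
sip_protected_path() {
    p="${1%/}"
    if [ -z "$p" ]; then p="/"; fi
    case "$p" in
        /usr/local|/usr/local/*) return 1 ;;   # carve-out stated in the article
        /System|/System/*|/bin|/bin/*|/sbin|/sbin/*|/usr|/usr/*) return 0 ;;
        *) return 1 ;;
    esac
}

# sip_audit: report SIP state and classify a few example paths. On a Mac the
# live csrutil output is used; elsewhere the constructed sample stands in.
sip_audit() {
    if command -v csrutil >/dev/null 2>&1; then
        status=$(parse_csrutil_status "$(csrutil status 2>/dev/null)")
    else
        status=$(parse_csrutil_status "$SAMPLE_ENABLED")
    fi
    echo "System Integrity Protection: $status"
    if [ "$status" != enabled ]; then
        echo "  WARNING: protected locations below are writable by root"
    fi
    for path in /System/Library /usr/bin/ls /usr/local/bin/example /Applications; do
        if sip_protected_path "$path"; then
            echo "  $path: protected"
        else
            echo "  $path: not protected (root may write)"
        fi
    done
}

sip_audit
```

The path classifier is the part worth keeping: a host inventory or configuration-management run can feed it every path a package intends to write and refuse installs that target protected locations, rather than failing later at runtime, while the status check flags machines on which SIP has been switched off in recovery.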

Responses

From a security perspective, Apple says that System Integrity Protection is a necessary step to ensure a high level of security. In one of the WWDC developer sessions, Apple engineer Pierre-Olivier Martel considered unrestricted root access to be one of the remaining weaknesses of the system, saying that "[any] piece of malware is one password or vulnerability away from taking full control of the device". He pointed out that most installations of OS X have single user accounts, which means that most users can grant root access to any program that asks for it. Once a user on such a system is prompted to enter their account password, if they use a password at all, the entire security of the system is compromised.[4]

The responses have been mixed. Some have expressed the concern that Apple is on the verge of taking full control away from users and developers, moving OS X's security policy slowly to one similar to Apple's mobile operating system iOS.[2][8] In addition, the concern has been raised that potential security breaches could be more difficult to mend by the users themselves until Apple provides a solution.[9]

Some developers who rely on deeper system access, runtime attachment or code injection for their applications have expressed their disappointment, saying that this will prevent their applications from working.[10] Such applications may be impossible to operate without asking the user to disable the security feature in its entirety.

The feature interferes with certain software which requires low level access to the hardware, such as VMware Fusion when used with Boot Camp volumes.[11]

See also

References

  1. Throughout the beta of OS X El Capitan, the feature was frequently called "rootless" in both the graphical user interface and command-line utilities.
  2. Cunningham, Andrew (June 17, 2015). "First look: OS X El Capitan brings a little Snow Leopard to Yosemite". Ars Technica. Retrieved June 18, 2015.
  3. Slivka, Eric (June 12, 2015). "OS X El Capitan Opens Door to TRIM Support on Third-Party SSDs for Improved Performance". MacRumors. Retrieved June 18, 2015.
  4. Martel, Pierre-Olivier (June 2015). "Security and Your Apps" (PDF). Apple Developer. Apple. pp. 8–54. Retrieved June 18, 2015.
  5. "What's New in OS X". Mac Developer Library. Apple. June 8, 2015. At section OS X v10.11. Retrieved June 18, 2015.
  6. "Trim in Yosemite". Cindori. Retrieved June 18, 2015.
  7. "OS X El Capitan Developer Beta 2 Release Notes". Mac Developer Library. Apple. June 22, 2015. At section Notes and Known Issues. Retrieved June 29, 2015.
  8. Fleishman, Glenn (July 15, 2015). "Private I: El Capitan's System Integrity Protection will shift utilities' functions". Macworld. Retrieved July 22, 2015.
  9. Comment by Reddit user sfsdfd (July 15, 2015). Reddit. Retrieved July 22, 2015.
  10. Sykes, Stephen (June 16, 2015). "On System Integrity Protection in El Capitan, OSX 10.11". BinaryAge. Retrieved June 18, 2015.
  11. "El Capitan Dev Beta and Boot Camp VM". Retrieved September 27, 2015.