Is there a way to disable certain parts of SIP while enabling parts of it? If so, then how do I do this?
I'd like to enable most of SIP (such as filesystem protections), but disable debugging restrictions so that I can attach a debugger to System Preferences to debug a preference pane, something that is normally not allowed. I'm aware of csrutil, but there's no manual for the tool, and the online help doesn't say whether it can do this or not.
Yes, you can indeed disable parts of SIP while leaving others enabled.
If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:
You can disable two or more components by structuring the command as follows:
csrutil enable --without kext --without debug
-Max
Yes, you can indeed disable parts of SIP while leaving others enabled.
If you run csrutil status, even while booted normally, you will see the component parts of it. Each of these can be selectively disabled by running one of the following commands while booted into Recovery mode:
You can disable two or more components by structuring the command as follows:
csrutil enable --without kext --without debug
-Max
That appeared to work, though I had to remove the \ in order to string exceptions. Thanks.
How did you come across this? This doesn't seem to be documented anywhere.
Edited accordingly.
It isn't documented yet. Hackintosh enthusiasts took the binary apart weeks ago and were able to constuct a man page of sorts.
Pls what does the without debug option do?
This is an old thread but a good repository for updating this list for modern OS
I am missing some pieces and would like to fill in the blanks... especially for Boot-args.
I have tried --without bootargs --without bootarg --without boot --without ba --without boot-args --no-bootargs --no-bootarg --no-boot-arg
Apple Internal: (--no-internal)
Kext Signing: (--without kext)
Filesystem Protections: (--without fs)
Debugging Restrictions: (--without debug)
DTrace Restrictions: (--without dtrace)
NVRAM Protections: (--without nvram)
BaseSystem Verification: (--without basesystem) ?
Boot-arg Restrictions:
Kernel Integrity Protections:
Authenticated Root Requirement:
running strings /usr/bin/csrutil returns some intriguing stuff but I haven't been lucky
some strings from csrutil
isARVSealingRequired
isAppleInternalPolicyAllowed
isBootArgFilteringEnabled
isCTRREnforcementRequired
isDTraceRestricted
isDebuggingRestricted
isFileVaultEnabled
isFilesystemAccessRestricted
isKernelDebuggingRestricted
isKextSigningRequired
isNVRAMAccessRestricted
isRecoveryVerificationRequired
isThirdPartyKextLoadingEnabled
...
setARVSealingRequired:
setAppleInternalPolicyAllowed:
setArguments:
setBootArgFilteringEnabled:
setCTRREnforcementRequired:
setCredential:type:error:
setDTraceRestricted:
setDebuggingRestricted:
setExecutableURL:
setFilesystemAccessRestricted:
setFirmwareSecurityLevel:
setKernelDebuggingRestricted:
setKextSigningRequired:
setLocalAuthenticationContext:
setNVRAMAccessRestricted:
setObject:forKeyedSubscript:
setRecoveryVerificationRequired:
setStandardOutput:
setThirdPartyKextLoadingEnabled: