When a process is started, the kernel checks to see whether the main executable is protected on disk or is signed with a special system entitlement. If either is true, then a flag is set to denote that it is protected against modification. Any attempt to attach to a protected process is denied by the kernel.
Attempting to get the Mach task for a process using the task_for_pid function or attempting to get the permissions of a set of tasks using the processor_set_tasks function fails, returning
Spawning child processes of processes restricted by System Integrity Protection, such as by launching a helper process in a bundle with NSTask or calling the exec(2) command, resets the Mach special ports of that child process. Any dynamic linker (dyld) environment variables, such as DYLD_LIBRARY_PATH, are purged when launching protected processes.
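The following script is an added example, not Apple's code, that checks two of the protections above from a defender's side: it parses `ls -lO` output to list executables that are "protected on disk" (assumption: SIP marks such files with the BSD `restricted` flag, which the page does not name) and probes whether a DYLD_* variable survives into a child process. The sample listing, its sizes and dates are constructed; the live probe only runs on macOS.

```python
"""Check two SIP runtime protections: on-disk protection and DYLD_* purging."""
import os
import subprocess
import sys

# Constructed sample of macOS `ls -lO` output. The BSD flags sit in the fifth
# column; a lone '-' means the file carries no flags. Sizes/dates are made up.
SAMPLE_LS_O = """\
-rwxr-xr-x  1 root  wheel  restricted,compressed  150880 Jan  1  2020 /bin/ls
-rwxr-xr-x  1 root  wheel  restricted             120672 Jan  1  2020 /usr/bin/env
-rwxr-xr-x  1 user  staff  -                       48304 Mar  3 10:22 /usr/local/bin/mytool
drwxr-xr-x  3 root  wheel  restricted                 96 Jan  1  2020 /System/Library/CoreServices/Finder.app
"""


def restricted_paths(ls_output):
    """Return the set of paths whose flags column contains `restricted`."""
    found = set()
    for line in ls_output.splitlines():
        # mode links owner group flags size month day "time-or-year path"
        parts = line.split(None, 8)
        if len(parts) < 9:
            continue
        flags, rest = parts[4], parts[8]
        path = rest.split(None, 1)[1]
        if "restricted" in flags.split(","):
            found.add(path)
    return found


def dyld_var_reaches_child(python_exe, var="DYLD_LIBRARY_PATH"):
    """Launch `python_exe` with `var` set and report whether the child sees it.

    For a SIP-protected interpreter the kernel purges DYLD_* variables, so
    this returns False; an unprotected interpreter (or any non-macOS host)
    returns True. The value assigned is a harmless, non-existent path.
    """
    env = dict(os.environ, **{var: "/tmp/dyld-probe-does-not-exist"})
    out = subprocess.run(
        [python_exe, "-c", f"import os; print(int({var!r} in os.environ))"],
        env=env, capture_output=True, text=True, check=True,
    ).stdout.strip()
    return out == "1"


if __name__ == "__main__":
    print("restricted in sample:", sorted(restricted_paths(SAMPLE_LS_O)))
    if sys.platform == "darwin":
        # Assumption: /usr/bin/python3 is SIP-protected on a stock install.
        for exe in ("/usr/bin/python3", sys.executable):
            print(exe, "sees DYLD_LIBRARY_PATH:", dyld_var_reaches_child(exe))
```

Feed `ls -lO` of a real directory into `restricted_paths` to inventory protected binaries; a True from `dyld_var_reaches_child` on a binary you expected to be protected is worth investigating.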
DTrace cannot be used to inspect system processes, whether from the Instruments application or the dtrace(1) command-line tool.
Attempting to attach to a system process, such as with LLDB, fails—even when running as root with sudo:
$> sudo lldb -n Finder
(lldb) process attach --name "Finder"
error: attach failed: attach failed: lost connection