by xoa 2140 days ago
On the SIP workaround, it says disabling SIP for the filesystem is enough, but even though that's less broad than disabling SIP entirely, it's still a pretty wide brush. Have you (or anyone else) tested whether it's enough to disable SIP just for specific applications or folder locations? IIRC, all definitions and exceptions for SIP fs restrictions are still in two locations:

  /System/Library/Sandbox/rootless.conf

  /System/Library/Sandbox/Compatibility.bundle/Contents/Resources/paths
Disabling SIP entirely allows editing these as root, and then re-enabling allows more fine-grained control. Of course, like everything else in an Apple-owned location, changes have a high chance of being blown away by any full system update, but those are rare enough (and always require a reboot anyway) that it doesn't seem like a major pain to just redo the changes a few times a year (with a script).

There are still, of course, some security implications for any additional exceptions you add, but a lot less than a full fs disable. Further, it's cool to have control over it anyway, because you can even extend SIP to additional locations of your own, which could be handy for some scenarios.

1 comment
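As an added example (not code from xoa's comment or from Apple): a small POSIX shell helper for the "redo the changes with a script" step above, written so it can be run against a copy of the file. It assumes the layout visible in rootless.conf on disk (whitespace-separated fields, a leading `*` marking a path as exempt from SIP, an empty first field marking a path as protected, `#` marking a comment); the function names and the `ROOTLESS_CONF` variable are hypothetical.

```shell
#!/bin/sh
# Hypothetical helper (not from the thread): idempotently re-apply custom
# SIP filesystem entries to a rootless.conf-style file after a system update.
# Assumed format, from the file's visible layout: whitespace-separated
# fields; "*" in the first field = path is EXEMPT from SIP; an empty
# first field = path is PROTECTED; "#" = comment line.

# Path to the live file. Tests and dry runs pass a temp copy instead.
ROOTLESS_CONF="${ROOTLESS_CONF:-/System/Library/Sandbox/rootless.conf}"

# Append LINE to FILE unless that exact line is already present,
# so the script can be re-run after every update without duplicating entries.
append_unique() {
  conf="$1"; line="$2"
  grep -Fxq -- "$line" "$conf" || printf '%s\n' "$line" >> "$conf"
}

# Exempt PATH from SIP (the "*" form the file uses for e.g. /usr/local).
add_sip_exception() {
  append_unique "$1" "$(printf '*\t\t\t\t%s' "$2")"
}

# Put PATH under SIP protection (empty first field), i.e. extend SIP to a
# location of your own.
add_sip_protection() {
  append_unique "$1" "$(printf '\t\t\t\t\t%s' "$2")"
}

# Print the paths currently exempt (lines whose first field is "*").
list_sip_exceptions() {
  awk '$1 == "*" { print $2 }' "$1"
}

# Count how many times PATH appears as an exception (0 when absent).
count_exception() {
  list_sip_exceptions "$1" | grep -Fxc -- "$2" || true
}

# Apply one exception to the live file, refusing while SIP still
# protects /System. csrutil reports status from a normal boot; the edit
# itself needs "csrutil disable" from Recovery first, then "csrutil enable".
reapply_live() {
  if csrutil status 2>/dev/null | grep -q ': enabled'; then
    echo "SIP is enabled; boot to Recovery and run 'csrutil disable' first" >&2
    return 1
  fi
  add_sip_exception "$ROOTLESS_CONF" "$1"
}
```

Keep the list of paths you add short and review it after each re-run with `list_sip_exceptions`: every exempt path is a place where a root process can write into what the rest of the system treats as trusted. On macOS 11 and later the system volume is cryptographically sealed, so editing this file in place is no longer an option without breaking the seal; the script is only useful on the releases the thread is discussing.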

I can't comment on disabling SIP as I haven't taken that route. I've generally taken the codesign route instead, which does require re-signing the app after every update. In the case of Zoom, that's gone away in recent versions since the app now has the virtual cams I'm using in its whitelist. For anything else, it's a very manual process.