System Integrity Protection info #92

Open
starksm64 opened this issue Aug 13, 2018 · 14 comments

@starksm64

In the link you give for disabling SIP, there is an answer from Rich Trouton indicating that one can have SIP enabled but disable various restrictions. He also has the following more detailed posting on the subsets of protections:
https://derflounder.wordpress.com/2015/10/01/system-integrity-protection-adding-another-layer-to-apples-security-model/

Is there a subset of restrictions that one can remove for mySIMBL to function without fully disabling SIP?

@w0lfschild
Owner

w0lfschild commented Aug 13, 2018

  • If you're on 10.13 or below you can run mySIMBL with SIP on after installing the helper.
  • If you're on 10.14 or above you must run mySIMBL with SIP off.

Edit: Mojave info

@w0lfschild w0lfschild self-assigned this Aug 13, 2018
@SaSaSushi

SaSaSushi commented Sep 25, 2018

Are future updates going to enable running mySIMBL in 10.14 with SIP on?

I'm hoping yes because I really prefer not to run with SIP disabled and may roll back to High Sierra.

@npyl
Contributor

npyl commented Sep 25, 2018

@w0lfschild What is it that mySIMBL does that requires SIP to be disabled? Maybe I could make a patch if I knew?

Also, @SaSaSushi you will only have to disable SIP once, just for the installation. After this is complete, you can re-enable it...

@npyl
Contributor

npyl commented Sep 25, 2018

I noticed the installSIMBL script installs the SIMBL.osax into /System/Library/ScriptingAdditions while it seems logical that it could be installed in /Library/ScriptingAdditions and this way keep SIP untouched.

Check out a snippet:

```sh
# Directory the installer script itself lives in
mySIMBL=$(dirname "$0")
# The scripting addition is copied under /System, a path SIP protects
cp -vr "$mySIMBL"/SIMBL.osax /System/Library/ScriptingAdditions/
# The agent app and its LaunchAgent plist go under /Library, which SIP leaves writable
cp -vr "$mySIMBL"/SIMBLAgent.app "/Library/Application Support/SIMBL/"
cp -v "$mySIMBL"/SIMBLAgent.app/Contents/Resources/net.culater.SIMBL.Agent.plist "/Library/LaunchAgents"
```

I am not sure if there is a good reason for this or it is just legacy code from SIMBL project but I believe this would remove the SIP restriction.

I could make a pull request if you like.

@SaSaSushi

Thank you very much. I would appreciate the pull request.

Please pardon my ignorance, but is there any way I could manually move the file in the meantime?

When I disable SIP, the Afloat plugin works perfectly but it stops working the moment it is reenabled.

@npyl
Contributor

npyl commented Sep 25, 2018

I experimented a bit with mySIMBL and mySIMBLFramework (handles installation) and I believe I have replaced every critical part of the program that uses /System with the /Library corresponding directory.

Though, plugin loading doesn't work (with or without SIP) so I am going to investigate a bit more...

@SaSaSushi Even if you move the file to /Library, mySIMBL won't be able to find it. I will investigate a bit more and see if I can create a good PR which will actually work. I will also upload my fork of the projects so that you can maybe compile it if you want.

@SaSaSushi

SaSaSushi commented Sep 25, 2018

Thank you, npyl! I really appreciate it if you can get it working.

Yes, I found out that just moving the file doesn't work since the app doesn't see it and just prompts to install it again in /System/Library/ScriptingAdditions.

I will definitely try compiling with your changes if you get it working.

For now I'm running with SIP disabled. Thanks again.

@npyl
Contributor

npyl commented Sep 25, 2018

That's great, I am gonna check it out right now

@npyl
Contributor

npyl commented Sep 26, 2018

I got some news:
A. The place mySIMBL installs SIMBL.osax is not the major reason we disable SIP. mySIMBL requires SIP permanently disabled on Mojave to work due to enhanced restrictions by Apple.

B. You don't have to fully disable SIP, you can partially disable it just for SIMBL to work using: `csrutil enable --without debug`

PS: I just noticed @w0lfschild mentions that disabling SIP is mandatory on Mojave, in a previous message.

@SaSaSushi

Thank you, npyl. I have enabled SIP without debugging and note the following now:

```
System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.
```
It's better to have some SIP than no SIP I suppose although the bit about leaving the machine in an unknown state in the future is a bit concerning.

Will there be no way to work around this to get mySIMBL working with full SIP in the future?

Thanks again for your help!
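A way to audit the partial-SIP state discussed in the two comments above, added here as an example; it is not code from mySIMBL or from anyone in this thread. It parses the text that `csrutil status` prints. The three sample outputs embedded in the script are constructed: the custom-configuration one copies the format pasted above, the other two are the one-line forms for fully enabled and fully disabled SIP. The function names (`sip_state`, `sip_weakened_protections`, `sip_debug_restrictions_off`, `sip_report`) are my own, and the script assumes a POSIX shell with `awk`, `grep`, `sed` and `tr` available.

```shell
#!/bin/sh
# Added example, not part of mySIMBL: summarise a Mac's SIP posture from the
# text `csrutil status` prints. On a real machine feed it the live output:
#   sip_report "$(csrutil status)"
# The three samples below are constructed; the first copies the format pasted
# in this thread after `csrutil enable --without debug`.

SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
Apple Internal: disabled
Kext Signing: enabled
Filesystem Protections: enabled
Debugging Restrictions: disabled
DTrace Restrictions: enabled
NVRAM Protections: enabled
BaseSystem Verification: enabled

This is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.'

SAMPLE_FULL='System Integrity Protection status: enabled.'
SAMPLE_OFF='System Integrity Protection status: disabled.'

# sip_state TEXT -> prints one of: full | custom | off | unknown
sip_state() {
    case "$1" in
        *'status: enabled (Custom Configuration)'*) echo custom ;;
        *'status: enabled'*)                        echo full ;;
        *'status: disabled'*)                       echo off ;;
        *)                                          echo unknown ;;
    esac
}

# sip_weakened_protections TEXT -> one protection name per line that the
# Configuration block reports as "disabled". "Apple Internal" is skipped: it is
# disabled on every machine that is not an Apple-internal build, so it says
# nothing about SIP. Leading tabs (real csrutil output indents the list) are
# stripped so the names compare cleanly.
sip_weakened_protections() {
    printf '%s\n' "$1" | awk -F': ' '
        /: disabled$/ && $1 !~ /Apple Internal/ {
            sub(/^[ \t]+/, "", $1); print $1
        }'
}

# sip_debug_restrictions_off TEXT -> exit 0 when the debugging restrictions
# (the set that `csrutil enable --without debug` drops) are not in force,
# i.e. SIP is fully off or the custom configuration disables them.
sip_debug_restrictions_off() {
    case "$(sip_state "$1")" in
        off)    return 0 ;;
        custom) printf '%s\n' "$1" | grep -q 'Debugging Restrictions: disabled' ;;
        *)      return 1 ;;
    esac
}

# sip_report TEXT -> one-line summary suitable for a fleet inventory; a custom
# configuration is always flagged, since csrutil itself calls it unsupported.
sip_report() {
    state=$(sip_state "$1")
    weak=$(sip_weakened_protections "$1" | tr '\n' ',' | sed 's/,$//')
    case "$state" in
        custom) echo "SIP custom: disabled={$weak}; unsupported configuration" ;;
        *)      echo "SIP $state" ;;
    esac
}

sip_report "$SAMPLE_CUSTOM"
sip_report "$SAMPLE_FULL"
sip_report "$SAMPLE_OFF"
```

The state check keys on the first line because the Configuration block is only printed for a custom configuration; the name list is what you would ship to an inventory system to see which machines have dropped a specific protection rather than SIP as a whole.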

@npyl
Contributor

npyl commented Sep 26, 2018

@SaSaSushi To be honest I think no because it will always rely on code injection which is prohibited by SIP. I am no expert though so... 🤷‍♂️

Glad it worked for you though! :)

@w0lfschild
Owner

@npyl is correct.

  • Mojave and onward will always require SIP to be disabled

  • The install location is /System for a few reasons

    • On 10.10 - 10.13 if SIP is enabled injection will only work if the OSAX is in /System
    • On 10.14 and above injection will only work if SIP is off AND the OSAX is in /System

@npyl
Contributor

npyl commented Sep 26, 2018

@w0lfschild Is there any other way that SIMBL would work without injection? Like, a different "injection" method?

@w0lfschild
Owner

@npyl

Nope, and even if there were another way, it would 100% be patched in the next macOS release.

Code injection is a security risk that Apple is clearly against the average user being exposed to.

@w0lfschild w0lfschild pinned this issue Aug 10, 2019
@w0lfschild w0lfschild changed the title Is there a subset of SIP restrictions that can be disabled? System Integrity Protection info Aug 10, 2019