May 11, 2016 12:49 AM in response to Willy-G by Leopardus
Changes outside the parameters protected by SIP are not a problem. Others within those parameters will only be temporary, if allowed at all, and will revert to the standard system setting with any restart. That is part of the security layer so aptly described in System Integrity Protection – Adding another layer to Apple's security model.
But there does seem to be an exception which might be worth your while to explore: https://derflounder.wordpress.com/2015/10/05/configuring-system-integrity-protection-without-booting-to-recovery-hd/#mor… It goes without saying that a lot more information is needed to properly do the scripting required in your or any other scenario. Have a look also at the GitHub page.
HTH
Leo
-
May 11, 2016 2:34 AM in response to Willy-G by John Lockwood
Willy-G wrote:
    Hi,
    Is there an effective way to add an exception to System Integrity Protection without having to turn off the whole thing? Apparently, some of our devs install various binaries in the same paths that SIP controls, and that's causing issues on our end.
    Thanks.
If it were easy to add exceptions to SIP, then this would also make it easy for malware authors to add exceptions to SIP for their crud, thereby defeating the whole point of SIP.
Your developers need to change their bad habits and follow Apple's rules about what locations they use. Even if internally you might be willing to jump through hoops to do this, your customers will not. There is absolutely no need for a properly written program to bypass SIP; the current main reason for bypassing SIP is customers needing to run old software that has not been updated to take into account the new rules.
Remember, even if right now with El Capitan it may be hypothetically possible to add an exception, there is no guarantee that the next version of OS X, likely due this summer, will continue to allow this. Therefore it is far better to fix these bad practices right now rather than leaving it until you have no choice.
Note: If the binaries are not your own software but are rather various open-source tools being used by your developers, then in almost all cases it is possible to install them in a location that is permitted under SIP, e.g. /usr/local.
-
May 11, 2016 4:42 AM in response to Willy-G by appreciate
System Integrity Protection (SIP), sometimes called rootless, is a new feature that means users and third-party software, including malware, cannot change core system files.
Core system files cannot be rewritten, even by root users.
Injecting code into protected processes is no longer permitted by the system.
Only signed kernel extensions can run, no exceptions.
System directories cannot be edited. The contents of certain folders cannot be altered by the user or any program the user might choose to run.
Which folders? /System, /bin, /usr, /sbin.
Try to create a new directory in /System; it won't work.
This means that you and any programs you might choose to run can't make any changes to OS X, even if you're a root user and even if you type a password.
An article: support.apple.com/en-in/ht204899
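The two replies above give the practical rule for Willy-G's developers: keep binaries out of the four protected trees (/System, /bin, /sbin, /usr) and use /usr/local, which SIP exempts. The script below is an added example, not code from any poster in this thread or from Apple: it classifies candidate install paths against that list, and on a live Mac can confirm a path with the `restricted` file flag that SIP sets (visible via `ls -O`) and with the one-line output of `csrutil status`. The prefix list is an assumption taken from the directories named above plus the /usr/local exemption; SIP also protects locations not in that list (the preinstalled apps under /Applications, for one), so treat the static check as a first filter and the flag check as authoritative. The sample paths and the `csrutil status` text are constructed for the example.

```shell
#!/bin/sh
# Added example: is an install prefix under a SIP-protected location?
# Static list assumed from HT204899 (/System, /bin, /sbin, /usr) with the
# /usr/local exemption; not a query of the running system.

# Returns 0 if PATH is under a protected tree, 1 if root may write there.
sip_protected_path() {
    p=$1
    # Strip trailing slashes so "/usr/" and "/usr" classify the same.
    while [ "$p" != "/" ] && [ "${p%/}" != "$p" ]; do p=${p%/}; done
    case "$p" in
        /usr/local|/usr/local/*) return 1 ;;   # explicitly exempt from SIP
        /System|/System/*|/bin|/bin/*|/sbin|/sbin/*|/usr|/usr/*) return 0 ;;
        *) return 1 ;;                        # /opt, $HOME, /Applications/Foo ...
    esac
}

# Returns the word "protected" or "ok" for PATH (convenient in scripts/tests).
sip_status_of() {
    if sip_protected_path "$1"; then echo protected; else echo ok; fi
}

# Prints one line per argument; use it to vet a build's install targets.
classify_paths() {
    for p in "$@"; do
        printf '%s: %s\n' "$p" "$(sip_status_of "$p")"
    done
}

# Parses the text of `csrutil status` (passed in, so this runs anywhere).
# Returns 0 when SIP is reported enabled. "enabled (Custom Configuration)"
# on later releases still matches.
sip_enabled_from_status() {
    printf '%s\n' "$1" | grep -qi 'System Integrity Protection status: enabled'
}

# Live check: on OS X 10.11+ the kernel marks protected entries with the
# "restricted" flag. Returns 0 if set, 1 if not, 2 when not on macOS.
sip_flag_check() {
    [ "$(uname -s)" = "Darwin" ] || return 2
    ls -ldO "$1" 2>/dev/null | grep -q 'restricted'
}

# Example run with constructed paths.
classify_paths /usr/bin/mytool /usr/local/bin/mytool /System/Library/Extensions /opt/tools
```

Run it on the intended install targets before a `make install`; anything reported as `protected` will either fail outright or, as Leopardus notes, not survive a restart, and `sip_flag_check` on the real Mac catches protected paths the static list does not know about.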