Beispiel #1
/*
 * csr_check - ask whether the bits in `mask` are permitted by the active
 * CSR (System Integrity Protection) configuration.
 *
 * Return values:
 *   0      the requested bits are allowed (or csr_allow_all is set)
 *   EPERM  none of the requested bits is set in the active configuration,
 *          or CSR_ALLOW_DEVICE_CONFIGURATION was requested while the boot
 *          args do not carry kBootArgsFlagCSRConfigMode
 *   -1     mask was 0 and csr_allow_all is clear (the "is Rootless
 *          enforcement active" probe)
 *   other  whatever csr_get_active_config() reported
 *
 * Only 0 means "allowed"; every other value is non-zero.
 * Note that `config & mask` is true when ANY requested bit is set, so a
 * multi-bit mask is an "any of" test, not an "all of" test.
 */
int
csr_check(csr_config_t mask)
{
	boot_args *boot = (boot_args *)PE_state.bootArgs;
	csr_config_t active;
	int rc;

	/*
	 * The device-configuration bit is gated on the boot-args flag and is
	 * evaluated before the csr_allow_all override below.
	 */
	if (mask & CSR_ALLOW_DEVICE_CONFIGURATION) {
		if ((boot->flags & kBootArgsFlagCSRConfigMode) == 0) {
			return EPERM;
		}
	}

	/* Global override: every remaining request is granted. */
	if (csr_allow_all) {
		return 0;
	}

	rc = csr_get_active_config(&active);
	if (rc != 0) {
		return rc;
	}

	/* pass 0 to check if Rootless enforcement is active */
	if (mask == 0) {
		return -1;
	}

	if ((active & mask) == 0) {
		return EPERM;
	}
	return 0;
}
/*
 * csr_check - ask whether the bits in `mask` are permitted by the active
 * CSR (System Integrity Protection) configuration.
 *
 * Return values:
 *   0      allowed: csr_allow_all is set, or csr_allow_internal is set and
 *          the active configuration has CSR_ALLOW_APPLE_INTERNAL, or at
 *          least one bit of `mask` is set in the active configuration
 *   EPERM  none of the requested bits is set
 *   -1     mask was 0 and neither override applied
 *   other  whatever csr_get_active_config() reported
 *
 * The two overrides grant every request regardless of `mask`, including the
 * mask == 0 probe, so a 0 result does not by itself prove the specific bit
 * is present in the configuration.
 */
int
csr_check(csr_config_t mask)
{
    csr_config_t active;
    int rc;

    /* Global override: everything is granted. */
    if (csr_allow_all) {
        return 0;
    }

    rc = csr_get_active_config(&active);
    if (rc != 0) {
        return rc;
    }

    /* Apple-internal override: also grants everything. */
    if (csr_allow_internal) {
        if (active & CSR_ALLOW_APPLE_INTERNAL) {
            return 0;
        }
    }

    /* pass 0 to check if Rootless enforcement is active */
    if (mask == 0) {
        return -1;
    }

    if ((active & mask) == 0) {
        return EPERM;
    }
    return 0;
}
Beispiel #3
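/**
 * @brief Generate the rows describing System Integrity Protection state.
 *
 * Emits one summary row with config_flag "sip", followed by one row per
 * entry of kRootlessConfigFlags. For the per-flag rows, "enabled" is 1 when
 * csr_check() returns zero for that flag, i.e. the corresponding
 * restriction is lifted; "enabled_nvram" reflects the same bit in the value
 * read by genCsrConfigFromNvram() and is only set when that read succeeds.
 *
 * @param context Query context (not read by this function).
 * @return The generated rows; empty when the OS version cannot be
 *         determined, the OS is older than 10.11, the CSR symbols are not
 *         available, or the active configuration cannot be read.
 */
QueryData genSIPConfig(QueryContext& context) {
  auto os_version = SQL::selectAllFrom("os_version");
  if (os_version.size() != 1) {
    VLOG(1) << "Could not determine OS version";
    return {};
  }

  // bail out if running on OS X < 10.11
  // NOTE(review): at() and std::stoi throw if a column is missing or not
  // numeric; confirm the os_version table always provides both.
  const auto& version = os_version.front();
  if (version.at("major") == "10" && std::stoi(version.at("minor")) < 11) {
    VLOG(1) << "Not running on OS X 10.11 or higher";
    return {};
  }

  QueryData results;

#if !defined(DARWIN_10_9)
  // check if weakly linked symbols exist
  if (csr_get_active_config == nullptr || csr_check == nullptr) {
    return {};
  }

  // A failed read must not be reported as a protected host: config would
  // stay 0, which the summary row below interprets as "SIP enabled".
  csr_config_t config = 0;
  if (csr_get_active_config(&config) != 0) {
    VLOG(1) << "Could not read the active CSR configuration";
    return {};
  }

  csr_config_t valid_allowed_flags = 0;
  for (const auto& kv : kRootlessConfigFlags) {
    valid_allowed_flags |= kv.second;
  }

  Row sip_row;
  sip_row["config_flag"] = "sip";
  if (config == 0) {
    // SIP is enabled (default)
    sip_row["enabled"] = INTEGER(1);
    sip_row["enabled_nvram"] = INTEGER(1);
  } else if ((config | valid_allowed_flags) == valid_allowed_flags) {
    // mark SIP as NOT enabled (i.e. disabled) if
    // any of the valid_allowed_flags is set
    sip_row["enabled"] = INTEGER(0);
    sip_row["enabled_nvram"] = INTEGER(0);
  }
  // NOTE(review): a config carrying bits outside kRootlessConfigFlags
  // leaves both columns unset on this row, and "enabled_nvram" here is
  // derived from the active config rather than from NVRAM - confirm both
  // are intended before relying on this row for detection.
  results.push_back(sip_row);

  uint32_t nvram_config = 0;
  auto nvram_status = genCsrConfigFromNvram(nvram_config);
  for (const auto& kv : kRootlessConfigFlags) {
    // Fresh row per flag: reusing the summary row would carry its
    // "enabled_nvram" value into every flag row when the NVRAM read fails.
    Row flag_row;
    flag_row["config_flag"] = kv.first;
    // csr_check returns zero if the config flag is allowed
    flag_row["enabled"] =
        (csr_check(kv.second) == 0) ? INTEGER(1) : INTEGER(0);
    if (nvram_status.ok()) {
      flag_row["enabled_nvram"] =
          (nvram_config & kv.second) ? INTEGER(1) : INTEGER(0);
    }
    results.push_back(flag_row);
  }
#endif

  return results;
}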
Beispiel #4
/*
 * syscall_csr_get_active_config - copy the active CSR configuration out to
 * the user buffer described by `args`.
 *
 * The request is rejected with EINVAL unless the user address is non-zero
 * and the declared size is exactly sizeof(csr_config_t), so copyout() never
 * writes more than the caller announced. Returns the error from
 * csr_get_active_config() if the configuration cannot be read, otherwise
 * the result of copyout().
 */
int
syscall_csr_get_active_config(struct csrctl_args *args)
{
	csr_config_t active = 0;
	int rc;

	/* Validate the user-supplied destination before touching it. */
	if (args->useraddr == 0) {
		return EINVAL;
	}
	if (args->usersize != sizeof(active)) {
		return EINVAL;
	}

	rc = csr_get_active_config(&active);
	if (rc != 0) {
		return rc;
	}

	return copyout(&active, args->useraddr, sizeof(active));
}
/*
 * csrctl - system call entry point for CSR queries.
 *
 * uap->op selects the operation:
 *   CSR_OP_CHECK               read a mask from the user buffer and return
 *                              csr_check(mask)
 *   CSR_OP_GET_ACTIVE_CONFIG   copy the active configuration to the user
 *   CSR_OP_GET_PENDING_CONFIG  copy the pending configuration to the user
 *
 * The user buffer is validated up front for every operation: a zero address
 * or a size other than sizeof(csr_config_t) yields EINVAL before any
 * copyin()/copyout(). Unknown operations also yield EINVAL. `p` and
 * `retval` are unused.
 */
int
csrctl(__unused proc_t p, struct csrctl_args *uap, __unused int32_t *retval)
{
    csr_config_t value = 0;
    int rc;

    if (uap->useraddr == 0 || uap->usersize != sizeof(csr_config_t)) {
        return EINVAL;
    }

    switch (uap->op) {
    case CSR_OP_CHECK:
        /* `value` holds the mask supplied by the caller. */
        rc = copyin(uap->useraddr, &value, sizeof(csr_config_t));
        if (rc != 0) {
            return rc;
        }
        return csr_check(value);

    case CSR_OP_GET_ACTIVE_CONFIG:
        rc = csr_get_active_config(&value);
        break;

    case CSR_OP_GET_PENDING_CONFIG:
        rc = csr_get_pending_config(&value);
        break;

    default:
        return EINVAL;
    }

    /* Both GET operations end the same way: fail, or hand the value back. */
    if (rc != 0) {
        return rc;
    }
    return copyout(&value, uap->useraddr, sizeof(csr_config_t));
}
Beispiel #6
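/*
 * Print the System Integrity Protection status of the running system.
 *
 * Reads the active CSR configuration, prints a one-line summary and then
 * one line per protection using _csr_check(). Returns EXIT_SUCCESS after a
 * complete report and EXIT_FAILURE when the configuration cannot be read.
 * argc and argv are not used.
 */
int main(int argc, const char * argv[])
{
	uint32_t config = 0;

	(void)argc;
	(void)argv;

	// Syscall. A failed read would leave config at 0, which the summary
	// below prints as "enabled", so stop instead of reporting a guess.
	if (csr_get_active_config(&config) != 0)
	{
		fprintf(stderr, "Unable to read the active CSR configuration.\n");
		return EXIT_FAILURE;
	}
	//
	// Note: Apple is no longer using 0x67 but 0x77 for csrutil disabled!!!
	//
	// Only an exact match with CSR_VALID_FLAGS is labelled "disabled"; any
	// other non-zero value still prints "enabled" here and is qualified by
	// the "(Apple Internal)" / "(Custom Configuration)" suffix below.
	printf("System Integrity Protection status: %s (0x%08x) ", (config == CSR_VALID_FLAGS) ? "\33[1mdisabled\33[0m": "enabled", config);

	if (config)
	{
		if (config == CSR_ALLOW_APPLE_INTERNAL)
		{
			printf("(Apple Internal).");
		}
		else
		{
			printf("(Custom Configuration).");
		}
	}
	
	printf("\n\nConfiguration:\n");

	// NOTE(review): the second argument of _csr_check() is defined outside
	// this listing; it is non-zero only for the Apple Internal line, and
	// only when config is non-zero.
	printf("\tApple Internal: %s\n", _csr_check(CSR_ALLOW_APPLE_INTERNAL, (config == 0) ? 0 : 1));
	printf("\tKext Signing Restrictions: %s\n", _csr_check(CSR_ALLOW_UNTRUSTED_KEXTS, 0));
	printf("\tTask for PID Restrictions: %s\n", _csr_check(CSR_ALLOW_TASK_FOR_PID, 0));
	printf("\tFilesystem Protections: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_FS, 0));
	printf("\tDebugging Restrictions: %s\n", _csr_check(CSR_ALLOW_KERNEL_DEBUGGER, 0));
	printf("\tDTrace Restrictions: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_DTRACE, 0));
	printf("\tNVRAM Protections: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_NVRAM, 0));
	
	if (config && (config != CSR_ALLOW_APPLE_INTERNAL))
	{
		printf("\nThis is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.\n");
	}

	// The report completed; the original exit(-1) signalled failure on
	// every run, which made the exit status useless to calling scripts.
	return EXIT_SUCCESS;
}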