/*
 * csr_check: decide whether the capability bits in `mask` are permitted.
 *
 * Returns 0 when the request is allowed, EPERM when it is denied, the error
 * from csr_get_active_config() when the active configuration cannot be read,
 * and -1 for the special probe value mask == 0.
 *
 * The final comparison is a bitwise AND: a mask with several bits set is
 * accepted as soon as ONE of those bits is present in the active
 * configuration, not only when all of them are.
 */
int csr_check(csr_config_t mask)
{
    const boot_args *boot = (const boot_args *)PE_state.bootArgs;
    csr_config_t active;
    int rc;

    /*
     * Device-configuration requests are refused unless the boot arguments
     * carry the CSR config-mode flag. This guard runs before the
     * csr_allow_all shortcut, so the global override does not bypass it.
     */
    if ((mask & CSR_ALLOW_DEVICE_CONFIGURATION) != 0 &&
        (boot->flags & kBootArgsFlagCSRConfigMode) == 0) {
        return EPERM;
    }

    /* Global override: every remaining request is granted. */
    if (csr_allow_all) {
        return 0;
    }

    rc = csr_get_active_config(&active);
    if (rc != 0) {
        return rc;
    }

    /* Callers pass 0 to ask whether Rootless enforcement is active. */
    if (mask == 0) {
        return -1;
    }

    if ((active & mask) != 0) {
        return 0;
    }
    return EPERM;
}
/*
 * csr_check: decide whether the capability bits in `mask` are permitted.
 *
 * Returns 0 when the request is allowed, EPERM when it is denied, the error
 * from csr_get_active_config() when the active configuration cannot be read,
 * and -1 for the special probe value mask == 0.
 *
 * Two shortcuts grant the request without looking at `mask` at all:
 * csr_allow_all, and csr_allow_internal combined with the
 * CSR_ALLOW_APPLE_INTERNAL bit in the active configuration. Both are checked
 * before the mask == 0 probe, so the probe also returns 0 in those cases.
 *
 * The final comparison is a bitwise AND: a mask with several bits set is
 * accepted as soon as ONE of those bits is present in the active
 * configuration, not only when all of them are.
 */
int csr_check(csr_config_t mask)
{
    csr_config_t active;
    int rc;

    /* Global override: every request is granted. */
    if (csr_allow_all) {
        return 0;
    }

    rc = csr_get_active_config(&active);
    if (rc != 0) {
        return rc;
    }

    /* Internal override: granted when the active config has the internal bit. */
    if (csr_allow_internal && (active & CSR_ALLOW_APPLE_INTERNAL) != 0) {
        return 0;
    }

    /* Callers pass 0 to ask whether Rootless enforcement is active. */
    if (mask == 0) {
        return -1;
    }

    if ((active & mask) != 0) {
        return 0;
    }
    return EPERM;
}
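/**
 * Generate the rows describing the System Integrity Protection state.
 *
 * The first row ("sip") summarises the active configuration; one further row
 * is emitted for each entry of kRootlessConfigFlags. An empty result is
 * returned when the OS version cannot be determined, when the OS is older
 * than OS X 10.11, when the weakly linked csr_* symbols are missing, or when
 * the active configuration cannot be read.
 *
 * @param context query context (not used by this generator).
 * @return the generated rows, possibly empty.
 */
QueryData genSIPConfig(QueryContext& context) {
  auto os_version = SQL::selectAllFrom("os_version");
  if (os_version.size() != 1) {
    VLOG(1) << "Could not determine OS version";
    return {};
  }

  // bail out if running on OS X < 10.11
  // NOTE(review): std::stoi throws on a non-numeric "minor" value; this
  // presumably cannot happen for the os_version table -- confirm.
  if (os_version.front().at("major") == "10" &&
      std::stoi(os_version.front().at("minor")) < 11) {
    VLOG(1) << "Not running on OS X 10.11 or higher";
    return {};
  }

  QueryData results;
#if !defined(DARWIN_10_9)
  // check if weakly linked symbols exist
  if (csr_get_active_config == nullptr || csr_check == nullptr) {
    return {};
  }

  // A failed read must not be reported as "SIP enabled": config would stay 0
  // and the summary row below would claim full protection. Report nothing
  // rather than a false positive.
  csr_config_t config = 0;
  if (csr_get_active_config(&config) != 0) {
    VLOG(1) << "Could not read the active SIP configuration";
    return {};
  }

  csr_config_t valid_allowed_flags = 0;
  for (const auto& kv : kRootlessConfigFlags) {
    valid_allowed_flags |= kv.second;
  }

  Row summary;
  summary["config_flag"] = "sip";
  if (config == 0) {
    // SIP is enabled (default)
    summary["enabled"] = INTEGER(1);
    summary["enabled_nvram"] = INTEGER(1);
  } else if ((config | valid_allowed_flags) == valid_allowed_flags) {
    // config is non-zero and contains only known flags: report SIP as
    // NOT enabled (i.e. disabled)
    summary["enabled"] = INTEGER(0);
    summary["enabled_nvram"] = INTEGER(0);
  }
  // When config carries a bit outside kRootlessConfigFlags neither column is
  // set, so the summary row has no "enabled" / "enabled_nvram" value.
  results.push_back(summary);

  uint32_t nvram_config = 0;
  auto nvram_status = genCsrConfigFromNvram(nvram_config);

  for (const auto& kv : kRootlessConfigFlags) {
    // A fresh Row per flag: if the NVRAM value could not be read,
    // "enabled_nvram" stays unset instead of inheriting the summary row's
    // value, which says nothing about this individual flag.
    Row flag_row;
    flag_row["config_flag"] = kv.first;
    // csr_check returns zero if the config flag is allowed
    flag_row["enabled"] =
        (csr_check(kv.second) == 0) ? INTEGER(1) : INTEGER(0);
    if (nvram_status.ok()) {
      flag_row["enabled_nvram"] =
          (nvram_config & kv.second) ? INTEGER(1) : INTEGER(0);
    }
    results.push_back(flag_row);
  }
#endif
  return results;
}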
/*
 * syscall_csr_get_active_config: copy the active CSR configuration out to
 * the address supplied in `args`.
 *
 * Returns EINVAL when the user address is 0 or the user-supplied size is not
 * exactly sizeof(csr_config_t), the error from csr_get_active_config() when
 * the configuration cannot be read, and otherwise the result of copyout().
 */
int syscall_csr_get_active_config(struct csrctl_args *args)
{
    csr_config_t active = 0;
    int rc;

    /* Reject a null destination before anything else. */
    if (args->useraddr == 0) {
        return EINVAL;
    }
    /* The size must match exactly so that copyout() writes neither short nor long. */
    if (args->usersize != sizeof(active)) {
        return EINVAL;
    }

    rc = csr_get_active_config(&active);
    if (rc != 0) {
        return rc;
    }

    return copyout(&active, args->useraddr, sizeof(active));
}
/*
 * csrctl: dispatch a CSR control request described by `uap`.
 *
 *   CSR_OP_CHECK               copy a mask in from uap->useraddr and return
 *                              the result of csr_check() on it.
 *   CSR_OP_GET_ACTIVE_CONFIG   copy the active configuration out.
 *   CSR_OP_GET_PENDING_CONFIG  copy the pending configuration out.
 *
 * Returns EINVAL for a zero user address, for a user size other than
 * sizeof(csr_config_t), and for any other operation code. Errors from
 * copyin(), copyout() and the csr_* helpers are returned unchanged.
 * `p` and `retval` are not used.
 */
int csrctl(__unused proc_t p, struct csrctl_args *uap, __unused int32_t *retval)
{
    csr_config_t value = 0;
    int rc;

    /* Both checks run before any user memory is touched. */
    if (uap->useraddr == 0 || uap->usersize != sizeof(csr_config_t)) {
        return EINVAL;
    }

    switch (uap->op) {
    case CSR_OP_CHECK:
        /* The mask comes from user space; csr_check() makes the decision. */
        rc = copyin(uap->useraddr, &value, sizeof(value));
        if (rc != 0) {
            return rc;
        }
        return csr_check(value);

    case CSR_OP_GET_ACTIVE_CONFIG:
        rc = csr_get_active_config(&value);
        break;

    case CSR_OP_GET_PENDING_CONFIG:
        rc = csr_get_pending_config(&value);
        break;

    default:
        return EINVAL;
    }

    /* Shared tail of the two GET operations. */
    if (rc != 0) {
        return rc;
    }
    return copyout(&value, uap->useraddr, sizeof(value));
}
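/*
 * Print the System Integrity Protection status and the state of each
 * individual protection, as reported by csr_get_active_config() and the
 * file's _csr_check() helper.
 *
 * The status line prints "disabled" only when the active configuration is
 * exactly CSR_VALID_FLAGS; any other value, including a partially relaxed
 * one, prints "enabled" followed by "(Apple Internal)." or
 * "(Custom Configuration)." when the value is non-zero.
 *
 * argc and argv are not used.
 */
int main(int argc, const char * argv[])
{
    uint32_t config = 0;

    // Syscall. A failed call leaves config at 0, which the code below would
    // print as "enabled"; stop instead of reporting a status that was never
    // read.
    int error = csr_get_active_config(&config);
    if (error != 0) {
        fprintf(stderr, "csr_get_active_config failed (%d); System Integrity Protection status unknown.\n", error);
        exit(-1);
    }

    //
    // Note: Apple is no longer using 0x67 but 0x77 for csrutil disabled!!!
    //
    printf("System Integrity Protection status: %s (0x%08x) ",
           (config == CSR_VALID_FLAGS) ? "\33[1mdisabled\33[0m": "enabled",
           config);

    if (config) {
        if (config == CSR_ALLOW_APPLE_INTERNAL) {
            printf("(Apple Internal).");
        } else {
            printf("(Custom Configuration).");
        }
    }

    printf("\n\nConfiguration:\n");

    // NOTE(review): the meaning of _csr_check's second argument is not
    // visible here; it is passed unchanged from the original call sites.
    printf("\tApple Internal: %s\n", _csr_check(CSR_ALLOW_APPLE_INTERNAL, (config == 0) ? 0 : 1));
    printf("\tKext Signing Restrictions: %s\n", _csr_check(CSR_ALLOW_UNTRUSTED_KEXTS, 0));
    printf("\tTask for PID Restrictions: %s\n", _csr_check(CSR_ALLOW_TASK_FOR_PID, 0));
    printf("\tFilesystem Protections: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_FS, 0));
    printf("\tDebugging Restrictions: %s\n", _csr_check(CSR_ALLOW_KERNEL_DEBUGGER, 0));
    printf("\tDTrace Restrictions: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_DTRACE, 0));
    printf("\tNVRAM Protections: %s\n", _csr_check(CSR_ALLOW_UNRESTRICTED_NVRAM, 0));

    if (config && (config != CSR_ALLOW_APPLE_INTERNAL)) {
        printf("\nThis is an unsupported configuration, likely to break in the future and leave your machine in an unknown state.\n");
    }

    // NOTE(review): the exit status is -1 even after a successful report, so
    // scripts cannot use it to tell success from failure. Kept as-is because
    // it is the program's existing external behaviour.
    exit(-1);
}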