Andrew Cunningham & Lee Hutchinson on the new “System Integrity Protection” feature:
Rather than adding yet another superuser account, SIP provides the concept of an additional file system and process flag, and file system objects and in-memory processes so flagged cannot be altered by processes not signed with Apple’s own code signing key.
There’s more, too—the file system protections are only the start. SIP consists of four major features:
- Protected locations cannot be written to by root.
- Protected system processes cannot be attached to with a debugger and cannot be subject to code injection.
- All kernel extensions must now be signed (and old methods for disabling kernel extension signing are gone).
- SIP cannot be disabled from within the operating system, only from the OS X Recovery partition.
Wednesday, September 30, 2015
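As an added example (not from the quoted article or from Apple), the shell function below audits the text printed by `csrutil status` and maps disabled components back to the protections listed above. The sample output is constructed, and the `Configuration:` field labels are assumed to match what `csrutil` prints for a custom configuration.

```shell
#!/bin/sh
# Added example: read `csrutil status` output on stdin, print one line per
# weakened protection, and return 0 only when SIP is reported fully enabled.
sip_audit() {
    status="missing"
    bad=0
    while IFS= read -r line; do
        case "$line" in
            "System Integrity Protection status: "*)
                status=${line#"System Integrity Protection status: "}
                status=${status%.} ;;
            *"Filesystem Protections: disabled"*)
                echo "FINDING: protected locations are writable by root"; bad=1 ;;
            *"Debugging Restrictions: disabled"*)
                echo "FINDING: system processes can be debugged or injected"; bad=1 ;;
            *"Kext Signing: disabled"*)
                echo "FINDING: unsigned kernel extensions can load"; bad=1 ;;
        esac
    done
    # Anything other than a plain "enabled" (including a custom
    # configuration or no status line at all) is reported.
    if [ "$status" != "enabled" ]; then
        echo "FINDING: SIP status is '$status'"; bad=1
    fi
    return "$bad"
}

# Constructed sample inputs (not captured from a real machine).
SAMPLE_ENABLED='System Integrity Protection status: enabled.'
SAMPLE_CUSTOM='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
	Kext Signing: enabled
	Filesystem Protections: disabled
	Debugging Restrictions: disabled'

# On a Mac, audit the live state; elsewhere this step is skipped.
if command -v csrutil >/dev/null 2>&1; then
    csrutil status | sip_audit || echo "SIP is not fully enabled"
fi
```
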