About SIP/Rootless: SIP/Rooless Internal in El Capitan
In order to check the status of all security mechanisms provided by SIP/Rootless, a tiny little kext was built.
WARNING: This kext is for testing purpose ONLY.
Download: SIPCheck.command.zip
Requirements:
1. OS X 10.11 for the SIP status check; bootargs flags check would be work on 10.10 and 10.11.
2. SIP must be configured correctly to allow “untrusted” kexts to be loaded.
Usage:
1. Double click or use Terminal to run this script.
2. Enter password for current user.
3. Check output information in the Terminal or the kernel log in /private/var/log/system.log
If everything goes right, you could see kernel logs like below:
PS: Just ignore the string “LenovoY450”. This kext was built for the Lenovo Y450 at first.
In this case, results shows the SIP status after using the “Security Configuration” “csrutil” tool in the Recovery or Installation environment.
This kext is meaningless if you still depend on rootless=0 (will be removed in the future release of 10.11) to turn off the entire SIP. Actually, it wouldn’t report anything if the rootless=0 boot-args is detected.
If a kext without the proper signature needs to be loaded, maybe the best case is to set allow to load untrusted kexts ONLY and keep all the other protection on for the maximum security level.
Update 1: rootless=0 & kext-dev-mode=1 are removed in the current release of 10.11.
Update 2: Updated kext to check the bootargs flags:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11) AppleWebKit/601.1.41 (KHTML, like Gecko) Version/9.0 Safari/601.1.41
thats my output:
/Users/rennerst/SIPCheck.kext failed to load – (libkern/kext) not loadable
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_4) AppleWebKit/600.7.12 (KHTML, like Gecko) Version/8.0.7 Safari/600.7.12
The kext load restriction should be turned off in order to load this unsigned kext. This kext is unnecessary on a real mac because the csrutil tool in Recovery OS would turn off the entire SIP except the kernel debug restriction.