“strace” on macOS & SIP

...is called dtrace

/usr/sbin/dtrace, and it has a few pitfalls

1) it requires root; I recommend: sudo dtrace sudo -u myuser traced_command

2) there is something called SIP

As you may know, Apple released their new OS X revision 10.11 this year with a great security feature built-in: System Integrity Protection. In a nutshell, this mechanism protects any system data and important filesystem components (like /System or /usr) from being modified by the user; even if they are root. SIP also disables any use of code-injection and debugging techniques for third-party software, so some of your favorite hacks may not work anymore. – ;))

nice of Apple. Anyway:

Completely disable SIP

Although not recommended by Apple, you can entirely disable System Integrity Protection on your Mac. Here’s how:

  1. Boot your Mac into Recovery Mode: reboot it and hold cmd+R until a progress bar appears.
  2. Choose the language and go to Utilities menu. Choose Terminal there.
  3. Enter this command to disable System Integrity Protection:
    $ csrutil disable
  4. It will ask you to reboot — do so and you’re free from SIP!
The Good

You’re able to do anything you want with the OS, yay! ٩(⸝⸝⸝◕ั ௰ ◕ั⸝⸝⸝ )و

The Bad

You’re not safe: there are plenty of rootkits in the wild which can infect your system. Actually, you’re as safe as on OS X 10.10 or 10.9, so judge for yourself.

Partially disable SIP

Fortunately, SIP is not monolithic: it’s built from many different modules we can disable/enable separately. Let’s take a look at a typical csrutil status output:

$ csrutil status
System Integrity Protection status: enabled

Configuration:
    Apple Internal: enabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: enabled
    NVRAM Protections: enabled

I can count 6 different subsystems out here. Here’s the way to selectively disable any of them:

  1. Repeat steps 1 and 2 from «Completely disable SIP» section above.
  2. Now in Terminal enter these commands:
    $ csrutil clear # restore the default configuration first
    $ csrutil enable --without dtrace # disable dtrace restrictions *only*

    That’s it: use csrutil enable with the --without flag and the name of the module you want to disable:

    $ csrutil enable --without kext
    $ csrutil enable --without fs
    $ csrutil enable --without debug
    $ csrutil enable --without dtrace
    $ csrutil enable --without nvram
    # this one below is different, not sure why. Don't encourage you to disable it anyways…
    $ csrutil enable --no-internal
  3. Reboot and enjoy your OS again.
The Good

If you only disable the dtrace module you’re still quite safe: SIP will keep an eye on your filesystem and kernel extensions as well as on any software trying to inject code.

The Bad

You’re still unable to attach dtrace to restricted processes:

    $ sudo dtruss echo "demo"
    dtrace: failed to execute echo: dtrace cannot control executables signed with restricted entitlements

or run it in a VM

( http://internals.exposed/blog/dtrace-vs-sip.html )
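Since the partial configuration above is exactly what an auditor wants to spot (a machine where someone ran csrutil enable --without dtrace looks "enabled" at first glance), here is an added example, not from the original post or from internals.exposed, that parses the csrutil status output and reports which SIP subsystems are disabled. On a Mac you would feed it "$(csrutil status)"; the SAMPLE_STATUS text is a constructed sample imitating the output after csrutil enable --without dtrace, so the functions can be exercised anywhere. The exact wording of the status line on a custom configuration is an assumption.

```shell
#!/bin/sh
# Added example: audit `csrutil status` output for disabled SIP subsystems.
# Not part of the original post. Usage on a Mac:
#   sip_disabled_modules "$(csrutil status)"
#   sip_module_enabled "$(csrutil status)" "DTrace Restrictions" && echo "dtrace restricted"

# Constructed sample (assumption): what `csrutil status` prints after
# `csrutil enable --without dtrace` on a retail machine, where Apple Internal
# is also reported as disabled.
SAMPLE_STATUS='System Integrity Protection status: enabled (Custom Configuration).

Configuration:
    Apple Internal: disabled
    Kext Signing: enabled
    Filesystem Protections: enabled
    Debugging Restrictions: enabled
    DTrace Restrictions: disabled
    NVRAM Protections: enabled'

# Print "enabled" or "disabled" from the first line of the status output.
sip_overall_state() {
    printf '%s\n' "$1" | sed -n 's/^System Integrity Protection status: \([a-z]*\).*/\1/p'
}

# Print the name of every subsystem reported as "disabled", one per line.
# Only the indented "Name: state" lines of the Configuration block are considered.
sip_disabled_modules() {
    printf '%s\n' "$1" | awk -F': ' '
        /^[[:space:]]+.*: disabled$/ { sub(/^[[:space:]]+/, "", $1); print $1 }'
}

# Exit 0 if the named subsystem is listed as enabled, 1 if disabled or absent,
# so the function can drive an alert in a compliance check.
sip_module_enabled() {
    status_text=$1
    module=$2
    printf '%s\n' "$status_text" | grep -q "^[[:space:]]*$module: enabled$"
}

# Exit 0 when SIP is on and no subsystem is disabled, 1 otherwise.
sip_fully_enabled() {
    [ "$(sip_overall_state "$1")" = "enabled" ] || return 1
    [ -z "$(sip_disabled_modules "$1")" ]
}

# Stand-alone run against the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    echo "overall: $(sip_overall_state "$SAMPLE_STATUS")"
    echo "disabled subsystems:"
    sip_disabled_modules "$SAMPLE_STATUS"
    sip_fully_enabled "$SAMPLE_STATUS" || echo "WARNING: SIP is only partially enabled"
fi
```

The point of sip_fully_enabled is that the first line of csrutil status alone says "enabled" even with the dtrace or debug module switched off; only the Configuration block tells you which protections are actually gone, which is what you want to log from a fleet.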